SECURITY AUDIT REPORT

The original "Anyone can submit feedback" policy used WITH CHECK (true), allowing any caller to insert rows with any user_id — including impersonating another user's UUID.

Replaced with two scoped policies: anon users may only insert with user_id IS NULL; authenticated users may only claim their own auth.uid() or NULL.

All numeric and text columns relied solely on browser-side HTML attributes (min/max/maxLength), which can be bypassed by direct Supabase API calls or DevTools manipulation.

Added database-level CHECK constraints: weight 50–1500 lbs, duration 0–1440 min, calories 0–10,000, protein 0–1,000 g, text columns capped at 200–5,000 chars, enum columns restricted to known valid values.

The photo_url column accepted any text value. A direct API call could store a javascript: URI that executes when the URL is used in an <img> src or rendered as a link.

Added CHECK constraint: photo_url LIKE 'https://%'. Only HTTPS URLs are accepted at the database layer.

The print function built an HTML string using template literals and wrote it to a new window via document.write(). If meal data ever contained <script> tags or HTML entities, they would execute in the print context.

Added an esc() helper that escapes &, <, >, ", and ' before every value is interpolated into the HTML string.

No CSP was set, meaning any injected inline script or unexpected external resource could execute without restriction.

Added a strict CSP meta tag allowing scripts only from self + Google Tag Manager, styles from self + Google Fonts, images from self + Supabase Storage + Pexels, and connections only to self + Supabase. Added X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy, and Permissions-Policy.

The original service worker cached any response where res.ok was true, including cross-origin requests and responses with Cache-Control: no-store. A poisoned or redirected response could be served indefinitely to offline users.

Added isCacheable() guard: only 200 OK same-origin basic responses without no-store are stored. Cross-origin requests (fonts, analytics) are explicitly excluded. Failed navigations fall back to cached / before returning a 503.

The message textarea and name input had no maxLength attribute, allowing arbitrarily large payloads to be submitted from the browser.

Added maxLength={5000} on message and maxLength={200} on name. Submit handler also slices and validates before insertion. Character counter turns red near the limit.

The location field accepted any string. A direct API call could store arbitrary text outside the five valid options shown in the UI.

Added CHECK constraint restricting location to: in-cab, parking-lot, planet-fitness, truck-stop, other.

Both columns accepted any string value at the database layer despite the UI restricting options via <select>.

Added CHECK constraints: meal_time IN (breakfast, lunch, dinner, snack) and category IN (general, workout, meal, glp1, gym-finder).

The VITE_SUPABASE_ANON_KEY is a public-facing key by design — it is safe to embed in client-side code. Its permissions are entirely governed by RLS policies. The key is not a secret; it identifies the project, not an admin user.

No code change required. Ensure the service role key is never exposed. All sensitive access is blocked by RLS. Rotate the anon key via the Supabase dashboard if the project is public in version control.