PAC is built with privacy-first and security-by-design principles:
- **No Location Database**
  - ✅ PAC does NOT store any addresses or locations
  - ✅ All encoding/decoding happens algorithmically
  - ✅ No persistent storage of geographic data

- **No User Registration**
  - ✅ No user accounts required
  - ✅ No personal information collected
  - ✅ No tracking or profiling

- **No Logging of Sensitive Data**
  - ✅ PAC codes are NOT logged
  - ✅ Coordinates are NOT logged
  - ✅ Request payloads are NOT logged
  - ⚠️ Only request metadata is logged (timestamps, client IPs for rate limiting, endpoint paths)

- **Client-Side First**
  - ✅ SDK works 100% offline
  - ✅ No server required for basic operations
  - ✅ API is optional (for convenience only)
All API endpoints (except health checks) require authentication via the `X-API-Key` header:

```http
X-API-Key: {payload}.{signature}
```

API keys are HMAC-based tokens: the server recomputes the HMAC over `{payload}` with its signing secret and rejects the request unless the result matches `{signature}`. The keys:
- Do NOT contain sensitive data (no customer or location information in the payload)
- Can be revoked instantly
- Are rate-limited per key
- Have configurable scopes/permissions
Rate limits by tier:

| Tier | Limit | Window |
|---|---|---|
| Authenticated (valid API key) | 100 requests | 1 minute |
| Unauthenticated (per client IP) | 10 requests | 1 minute |
Rate limiting mitigates:
- Denial of Service (DoS) attacks
- Brute-force and enumeration attempts
- Resource exhaustion
- Abusive automated use
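The following is an added example, not PAC's own code, of a sliding-window limiter that applies the two tiers from the table: authenticated callers are counted per API key id, unauthenticated callers per client IP. The class name `RateLimiter`, its method names and the sample traffic are assumptions made for this illustration.

```javascript
// Added example (not PAC's own code): a sliding-window rate limiter that
// applies the tiers in the table above per API key (authenticated) or per
// client IP (unauthenticated). The class and method names are assumptions.
const TIERS = {
  authenticated:   { limit: 100, windowMs: 60_000 }, // 100 requests / 1 minute
  unauthenticated: { limit: 10,  windowMs: 60_000 }, //  10 requests / 1 minute
};

class RateLimiter {
  constructor(tiers = TIERS) {
    this.tiers = tiers;
    this.hits = new Map(); // subject -> array of request timestamps (ms), oldest first
  }

  // Separate namespaces so an IP string can never collide with a key id.
  static subject(apiKeyId, ip) {
    return apiKeyId ? `key:${apiKeyId}` : `ip:${ip}`;
  }

  // Decide one request. Returns { allowed, remaining, retryAfterMs }.
  check({ apiKeyId = null, ip, now = Date.now() }) {
    const tier = apiKeyId ? this.tiers.authenticated : this.tiers.unauthenticated;
    const subject = RateLimiter.subject(apiKeyId, ip);
    const cutoff = now - tier.windowMs;
    // Drop timestamps that have left the window; what remains is the current count.
    const recent = (this.hits.get(subject) || []).filter((t) => t > cutoff);
    if (recent.length >= tier.limit) {
      this.hits.set(subject, recent);
      // The oldest request still in the window decides when the next slot opens.
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + tier.windowMs - now };
    }
    recent.push(now);
    this.hits.set(subject, recent);
    return { allowed: true, remaining: tier.limit - recent.length, retryAfterMs: 0 };
  }
}

// Constructed traffic: an unauthenticated client sends 11 requests within one second.
function demo() {
  const limiter = new RateLimiter();
  const results = [];
  for (let i = 0; i < 11; i++) {
    results.push(limiter.check({ ip: '203.0.113.7', now: 1_000_000 + i * 100 }).allowed);
  }
  return results; // ten allowed, the eleventh denied
}
```

A sliding-window log stores one timestamp per request, which is fine for an illustration but not for a multi-instance deployment; there the same logic is usually run against a shared store such as Redis, and the `retryAfterMs` value is what you surface in a `Retry-After` header.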
The API implements adaptive anti-bot challenges:
- Triggered when suspicious request patterns are detected
- CAPTCHA/Turnstile integration
- IP reputation checking
- Request pattern analysis

Note: anti-bot controls are best deployed at the edge/WAF layer (Cloudflare, AWS WAF, etc.), in front of the API.
CORS is configured with a whitelist of allowed origins:

```json
{
  "AllowedOrigins": [
    "https://yourdomain.com",
    "https://app.yourdomain.com"
  ]
}
```

Development: localhost origins are allowed in development mode only.
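As an added example (not PAC's own middleware), here is the origin check that configuration implies, written so that matching is exact rather than prefix-based, the matched origin is echoed back instead of `*`, and localhost is accepted only when a development flag is set. The function names and the `development` option are assumptions for this illustration.

```javascript
// Added example (not PAC's own code): exact-match CORS origin checking for the
// AllowedOrigins whitelist above. Function names and the `development` flag are
// assumptions for this illustration.
const ALLOWED_ORIGINS = ['https://yourdomain.com', 'https://app.yourdomain.com'];

// Only plain-http localhost origins, with an optional port, and only in development.
const LOCALHOST_RE = /^http:\/\/(localhost|127\.0\.0\.1)(:\d+)?$/;

function isAllowedOrigin(origin, { allowed = ALLOWED_ORIGINS, development = false } = {}) {
  if (typeof origin !== 'string') return false;
  // Exact string match. A prefix test such as origin.startsWith('https://yourdomain.com')
  // would also accept https://yourdomain.com.evil.example.
  if (allowed.includes(origin)) return true;
  return development && LOCALHOST_RE.test(origin);
}

// Response headers for a request carrying the given Origin. An origin that is
// not on the list gets no Access-Control-Allow-Origin header at all.
function corsHeaders(origin, options) {
  if (!isAllowedOrigin(origin, options)) return {};
  return {
    'Access-Control-Allow-Origin': origin, // echo the matched origin, never '*'
    'Vary': 'Origin',                      // shared caches must key on Origin
    'Access-Control-Allow-Headers': 'X-API-Key, Content-Type',
    'Access-Control-Allow-Methods': 'GET, POST',
  };
}
```

`Vary: Origin` matters as soon as a CDN sits in front of the API: without it a cached response for one origin can be served, with its `Access-Control-Allow-Origin` header, to a different one.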
In production:
- ✅ All connections MUST use HTTPS
- ✅ Plain HTTP requests are rejected
- ✅ HSTS headers are set
- ✅ TLS 1.2+ required
API Keys Table (minimal):

```sql
CREATE TABLE ApiKeys (
  Id UUID PRIMARY KEY,
  KeyHash VARCHAR(64) NOT NULL,   -- SHA-256 hash of the key, never the key itself
  CreatedAt TIMESTAMP NOT NULL,
  ExpiresAt TIMESTAMP,
  IsRevoked BOOLEAN DEFAULT FALSE,
  Scopes JSONB                    -- Optional permissions
);
```

Nothing Else: no addresses, no locations, no coordinates, no PAC codes.
Allowed Logs:

```json
{
  "timestamp": "2026-01-21T12:00:00Z",
  "ip": "192.168.1.1",
  "endpoint": "/v1/pac/encode",
  "statusCode": 200,
  "duration": 15,
  "apiKeyId": "uuid"
}
```

Forbidden Logs:

```json
{
  "pacCode": "NEVER LOGGED",
  "latitude": "NEVER LOGGED",
  "longitude": "NEVER LOGGED",
  "payload": "NEVER LOGGED"
}
```

Log retention:
- Access Logs: 7 days (for debugging)
- Error Logs: 30 days (for monitoring)
- Audit Logs: 90 days (for security)
- API Key Logs: Indefinite (for billing/compliance)
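The allowed/forbidden split above is easiest to enforce with an allowlist rather than by trying to remember every field to strip. The following is an added example, not PAC's own logging code, that builds the access-log record from request metadata only, keeps just the endpoint path (a query string such as `?code=...` would otherwise put a PAC code in the log), and includes a recursive guard that can be run in tests or at the log sink. The function names, the request shape and the sample request are assumptions for this illustration.

```javascript
// Added example (not PAC's own code): building an access-log record with a
// field allowlist, plus a guard that scans any record for forbidden fields
// before it reaches the log sink. Function names and the request shape are
// assumptions for this illustration.
const ALLOWED_FIELDS = ['timestamp', 'ip', 'endpoint', 'statusCode', 'duration', 'apiKeyId'];
const FORBIDDEN_FIELDS = ['pacCode', 'latitude', 'longitude', 'payload', 'body', 'query'];

// Path only: "/v1/pac/decode?code=..." would otherwise leak a PAC code into the log.
function pathOnly(url) {
  return url.split('?')[0].split('#')[0];
}

// Build the metadata record from request/response facts, never from the body.
function buildAccessLog({ url, ip, statusCode, startedAt, finishedAt, apiKeyId = null }) {
  return {
    timestamp: new Date(finishedAt).toISOString(),
    ip,
    endpoint: pathOnly(url),
    statusCode,
    duration: finishedAt - startedAt, // milliseconds
    apiKeyId,
  };
}

// Allowlist filter: any field not listed, and any nested object, is dropped.
function sanitizeLogRecord(record) {
  const clean = {};
  for (const [key, value] of Object.entries(record)) {
    if (!ALLOWED_FIELDS.includes(key)) continue;
    if (value !== null && typeof value === 'object') continue;
    clean[key] = value;
  }
  return clean;
}

// Recursive guard: true if a forbidden field name appears anywhere in the value.
function containsForbiddenField(value) {
  if (Array.isArray(value)) return value.some(containsForbiddenField);
  if (value !== null && typeof value === 'object') {
    return Object.entries(value).some(
      ([key, v]) => FORBIDDEN_FIELDS.includes(key) || containsForbiddenField(v)
    );
  }
  return false;
}

// Constructed request: a decode call whose query string carries the code, and a
// careless caller that merges the request payload into the record before logging.
function demo() {
  const record = buildAccessLog({
    url: '/v1/pac/decode?code=EXAMPLE-CODE',
    ip: '192.168.1.1',
    statusCode: 200,
    startedAt: Date.UTC(2026, 0, 21, 12, 0, 0, 0),
    finishedAt: Date.UTC(2026, 0, 21, 12, 0, 0, 15),
    apiKeyId: 'uuid',
  });
  const leaky = { ...record, payload: { latitude: 51.5, longitude: -0.12 } };
  return { record, safe: sanitizeLogRecord(leaky), leakyHadForbidden: containsForbiddenField(leaky) };
}
```

Running `containsForbiddenField` over every record in the test suite's captured log output is a cheap regression check that no code path has started logging a payload.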
- **Location Tracking**
  - ✅ No location database = no tracking possible
  - ✅ No logs of PAC codes or coordinates = no location history to reconstruct

- **Data Breaches**
  - ✅ No location or personal data stored = nothing sensitive to breach
  - ✅ API keys are stored only as SHA-256 hashes and can be revoked instantly

- **Man-in-the-Middle (MITM)**
  - ✅ HTTPS enforced (HSTS, TLS 1.2+)
  - ✅ Certificate pinning recommended for mobile apps

- **Denial of Service (DoS)**
  - ✅ Rate limiting per IP
  - ✅ Rate limiting per API key
  - ✅ Adaptive anti-bot challenges

- **Brute Force**
  - ✅ Rate limiting slows enumeration
  - ✅ No user accounts or passwords to brute-force

- **Client-Side Attacks**
  - ⚠️ XSS/CSRF protection is the app developer's responsibility
  - ⚠️ Secure storage of API keys is the app developer's responsibility

- **Network-Level Attacks**
  - ⚠️ DDoS mitigation should be handled by a CDN/WAF
  - ⚠️ BGP hijacking is outside our control

- **Physical Security**
  - ⚠️ Device theft/loss is the user's responsibility
  - ⚠️ Shoulder surfing is the user's responsibility
If you discover a security vulnerability, please:

- DO NOT open a public GitHub issue
- Email: moahmedyousif28@gmail.com
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)

Response timeline:
- 24 hours: Initial acknowledgment
- 7 days: Assessment and triage
- 30 days: Fix and coordinated disclosure

We currently do NOT have a bug bounty program, but we:
- Acknowledge security researchers in our SECURITY.md
- Provide swag/merchandise for valid reports
- May offer monetary rewards for critical vulnerabilities
Prefer the client-side SDK; it needs no network, produces no server logs and is not rate-limited:

```javascript
// ✅ Good: Client-side SDK (no network, no logs)
import { encode } from '@pac/core';
const pac = encode({ latitude, longitude });

// ❌ Avoid: API call (network, logs, rate limits)
const response = await fetch('/v1/pac/encode', { ... });
```

Never put PAC codes or coordinates in log messages:

```csharp
// ✅ Good
logger.LogInformation("PAC encoded successfully");

// ❌ BAD
logger.LogInformation($"PAC code: {pacCode}");
```

Load API keys from the environment, never from source:

```javascript
// ✅ Good: Environment variable
const apiKey = process.env.PAC_API_KEY;

// ❌ BAD: Hardcoded
const apiKey = "abc123.def456";
```

Validate coordinates before encoding. Note that a plain range comparison is false for `NaN`, so test for it explicitly:

```csharp
// ✅ Good
if (double.IsNaN(latitude) || latitude < -90 || latitude > 90)
    throw new ArgumentOutOfRangeException(nameof(latitude));
if (double.IsNaN(longitude) || longitude < -180 || longitude > 180)
    throw new ArgumentOutOfRangeException(nameof(longitude));
var pac = PACCore.Encode(latitude, longitude);

// ❌ BAD: No validation
var pac = PACCore.Encode(latitude, longitude);
```

Handle decode failures without exposing internals to the user:

```javascript
// ✅ Good
try {
  const result = decode(pacCode);
  if (!result.isValid) {
    console.error("Invalid PAC code");
    return;
  }
} catch (error) {
  console.error("Decode failed:", error.message);
}

// ❌ BAD: Expose internals
try {
  const result = decode(pacCode);
} catch (error) {
  alert(error.stack); // Leaks implementation details
}
```

PAC is GDPR-friendly because:
- ✅ No personal data collected
- ✅ No user profiling
- ✅ No cross-site tracking
- ✅ No data retention (except API keys)
- ⚠️ Client IP addresses in access logs can count as personal data under GDPR; they are kept for 7 days only (see log retention above)

PAC is CCPA-friendly because:
- ✅ No sale of personal information
- ✅ No sharing with third parties
- ✅ No targeted advertising

PAC does NOT handle:
- ❌ Health information (HIPAA)
- ❌ Payment information (PCI-DSS)

Therefore, these regulations do not apply.
Internal reviews:
- Frequency: Quarterly
- Scope: Code review, dependency scan, penetration testing
- Tools: SonarQube, OWASP ZAP, Snyk

External audits:
- Frequency: Annually (or before major releases)
- Scope: Full security assessment
- Auditor: Independent third-party

Patch management:
- Automated: Dependabot/Renovate for dependency updates
- Review: All security updates reviewed within 24 hours
- Deployment: Critical patches deployed within 48 hours

We monitor:
- .NET CVEs
- Node.js/npm CVEs
- Docker base image CVEs
- Third-party library CVEs

Subscribe to security advisories:
- GitHub Security Advisories
- Email: moahmedyousif28@gmail.com
Last Updated: 2026-01-21
Version: 1.0