We release patches for security vulnerabilities in the following versions:

We take security seriously. If you discover a security vulnerability, please follow these steps:

Security vulnerabilities should be reported privately to protect users.

Send an email to [email protected] with the subject line:

[SECURITY] WA API Message Node.JS - Vulnerability Report

• Description: Clear description of the vulnerability
• Steps to reproduce: Detailed steps to reproduce the issue
• Impact: Potential impact of the vulnerability
• Environment: Node.js version, OS, SDK version
• Proof of concept: Code examples or screenshots (if applicable)

• Acknowledgment: We'll acknowledge receipt within 48 hours
• Assessment: We'll assess the vulnerability within 7 days
• Fix: We'll work on a fix and keep you updated
• Disclosure: We'll coordinate disclosure with you

1. Keep dependencies updated

   npm audit
   npm update

2. Use environment variables for sensitive data

   const waApi = new WaMessageApi({
     apiKey: process.env.SENDZEN_API_KEY, // Never hardcode API keys
     from: process.env.WHATSAPP_FROM_NUMBER
   });

3. Validate input data

   // Always validate phone numbers and message content
   if (!validatePhoneNumber(phoneNumber)) {
     throw new Error('Invalid phone number');
   }

4. Use HTTPS in production

   • The SDK uses HTTPS by default
   • Never use HTTP for API calls in production

1. Never commit sensitive information

   • API keys, passwords, tokens
   • Personal information
   • Internal URLs or endpoints

2. Use security-focused coding practices

   • Validate all inputs
   • Sanitize user data
   • Use parameterized queries
   • Implement proper error handling

3. Review dependencies regularly

   npm audit
   npm audit fix

We regularly audit our dependencies and code:

• Dependencies: Monthly security audits
• Code reviews: All PRs require security review
• Automated scanning: GitHub Security Advisories
• Penetration testing: Annual third-party testing

Before submitting code:

• No hardcoded secrets or credentials
• Input validation implemented
• Error handling doesn't leak sensitive information
• Dependencies are up to date
• No security vulnerabilities in dependencies
• Code follows security best practices

• API keys are sent in HTTP headers
• Never log or expose API keys
• Rotate keys regularly
• Use environment variables

• The SDK validates phone numbers using libphonenumber-js
• Invalid numbers are rejected to prevent abuse
• International format is enforced

• Content is sent to third-party services (SendZen API)
• Avoid sending sensitive information in messages
• Consider encryption for sensitive data

For security-related questions or concerns:

• Email: [email protected]
• Response time: Within 48 hours
• Encryption: PGP key available upon request

We appreciate security researchers who help us improve the security of our SDK. Contributors will be acknowledged in our security advisories (unless they prefer to remain anonymous).

• OWASP Top 10
• Node.js Security Best Practices
• npm Security
• GitHub Security Advisories

Last updated: January 2025 Next review: July 2025