We take security seriously and aim to keep the FAForever Patchnotes site secure for all users.

## Supported Versions

| Version | Supported |
|---|---|
| 2.2.x | ✅ |
| 2.1.x | ✅ |
| < 2.0 | ❌ |
## Security Features

### ✅ Content Security Policy Ready

- Prepared for CSP implementation
- External resources from trusted CDNs only

### ✅ Subresource Integrity (SRI)

- Font Awesome uses SRI hashes
- Prevents tampering with external resources

### ✅ HTTPS Only

- All external resources loaded via HTTPS
- PWA requires HTTPS in production

### ✅ Input Sanitization

- Search queries are properly escaped
- No `eval()` or `innerHTML` with user input

### ✅ Service Worker Security

- Scoped to origin
- Cache validation
- Secure update mechanism

### Privacy

- No third-party tracking scripts
- Local analytics only (privacy-friendly)
- No personal data collection
- No cookies required
- Offline-first PWA architecture
## Reporting a Vulnerability

If you discover a security vulnerability, please report it responsibly:

- Email: security@faforever.com (preferred)
- Discord: Direct message to a moderator on FAForever Discord
- GitHub: Open a security advisory (not a public issue)

### What to Include

- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if available)
- Your contact information

### Response Timeline

- Initial Response: Within 48 hours
- Assessment: Within 1 week
- Fix Timeline: Based on severity
  - Critical: 24-48 hours
  - High: 1 week
  - Medium: 2-4 weeks
  - Low: Next scheduled release

### What to Expect

- Acknowledgment: We'll confirm receipt of your report
- Assessment: We'll assess the severity and impact
- Fix Development: We'll work on a patch
- Disclosure: Coordinated disclosure after fix is deployed
- Credit: We'll credit you in the release notes (unless you prefer to remain anonymous)
## Development Guidelines

- No use of `eval()` or the `Function()` constructor
- No `innerHTML` with user-provided content
- Sanitize all user inputs
- Use HTTPS for all external resources
- Add SRI hashes for CDN resources
- Validate data from `patches.json`
- No sensitive data in client-side code
- Proper error handling (no stack traces to users)

When adding dependencies:

- Use specific versions (no `latest` or `*`)
- Check for known vulnerabilities
- Use SRI hashes for CDN resources
- Document why the dependency is needed
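The following is an added illustration of the "search queries are properly escaped" and "no `eval()` or `innerHTML` with user-provided content" rules above; it is not code from the FAForever Patchnotes project. The patch entry shape (`{ version, changes }`) and the sample entries are assumptions made for the example.

```javascript
// Added example (not the site's own code): rendering user-controlled search
// text without eval() or innerHTML. The patch shape {version, changes} is an
// assumption for illustration.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Normalize the raw query before it touches the DOM or the filter: trim,
// collapse whitespace, and cap the length so a pasted blob cannot bloat the
// page. Non-strings (e.g. a missing form field) become the empty query.
function normalizeQuery(raw, maxLen = 100) {
  if (typeof raw !== 'string') return '';
  return raw.replace(/\s+/g, ' ').trim().slice(0, maxLen);
}

// Escape the five characters that matter in HTML text and attribute context.
// Only needed where a string must become markup; the DOM path below avoids
// building markup from user text at all.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Case-insensitive match of the query against one patch entry.
function matchesQuery(patch, query) {
  if (!query) return true;
  const q = query.toLowerCase();
  return patch.version.toLowerCase().includes(q)
    || patch.changes.some((c) => c.toLowerCase().includes(q));
}

// The pattern the guideline forbids, for contrast (never do this):
//   listEl.innerHTML = `<li>No results for ${rawQuery}</li>`;
//
// Safe rendering: nodes are built with createElement/textContent, so markup
// inside the query or inside patch data is displayed as text, not parsed.
// `doc` is injectable so the function can be exercised outside a browser.
function renderResults(listEl, patches, rawQuery, doc = document) {
  const query = normalizeQuery(rawQuery);
  listEl.replaceChildren();
  for (const patch of patches.filter((p) => matchesQuery(p, query))) {
    const li = doc.createElement('li');
    const title = doc.createElement('strong');
    title.textContent = patch.version;
    li.appendChild(title);
    for (const change of patch.changes) {
      const p = doc.createElement('p');
      p.textContent = change;
      li.appendChild(p);
    }
    listEl.appendChild(li);
  }
  return listEl.childElementCount;
}
```

`escapeHtml` is kept for the rare template spot where a string really has to become markup (a `title` attribute, for instance); for ordinary search results the `textContent` path needs no escaping at all because the browser never parses the string.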
## Service Worker Security

- Service worker scope is limited to origin
- Cache only trusted resources
- Validate cached data before use
- Update service worker regularly

## Known Security Considerations

Consideration: Cached content could become stale

Mitigation:

- Cache versioning (increment on updates)
- Background sync for updates
- Manual cache clear option
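As an added illustration of the service worker rules above (scope limited to origin, cache only trusted resources, versioned caches so stale content is dropped on update), the following is example code, not the site's actual service worker. The cache prefix, version number and trusted CDN origin are placeholders.

```javascript
// Added example (not the site's actual service worker): the cache-policy
// helpers a scoped, versioned service worker would use. CACHE_PREFIX,
// CACHE_VERSION and TRUSTED_ORIGINS are placeholders.
const CACHE_VERSION = 7;                              // bump on every deploy
const CACHE_PREFIX = 'faf-patchnotes-';               // placeholder
const CURRENT_CACHE = `${CACHE_PREFIX}v${CACHE_VERSION}`;
const TRUSTED_ORIGINS = new Set(['https://cdn.example.com']); // placeholder CDN

// Cache only plain GETs that are same-origin or from an explicitly trusted
// CDN; anything else (other hosts, non-GET, unparsable URLs) is never stored.
function isCacheable(request, selfOrigin) {
  if (request.method !== 'GET') return false;
  let url;
  try { url = new URL(request.url); } catch { return false; }
  if (url.protocol !== 'https:' && url.hostname !== 'localhost') return false;
  return url.origin === selfOrigin || TRUSTED_ORIGINS.has(url.origin);
}

// Caches left over from older versions, deleted on activate so a stale
// asset cannot be served after an update.
function staleCacheNames(existingNames, current = CURRENT_CACHE) {
  return existingNames.filter((n) => n.startsWith(CACHE_PREFIX) && n !== current);
}

// Only a real 200 from a basic or CORS fetch is worth caching; opaque
// responses and error pages are passed through but never stored.
function isCacheableResponse(response) {
  return response.ok && response.status === 200
    && (response.type === 'basic' || response.type === 'cors');
}

// Service-worker wiring; skipped when not running inside a worker.
if (typeof self !== 'undefined' && typeof caches !== 'undefined') {
  self.addEventListener('activate', (event) => {
    event.waitUntil(
      caches.keys()
        .then((names) => Promise.all(staleCacheNames(names).map((n) => caches.delete(n))))
        .then(() => self.clients.claim()),
    );
  });
  self.addEventListener('fetch', (event) => {
    if (!isCacheable(event.request, self.location.origin)) return;
    event.respondWith(caches.open(CURRENT_CACHE).then(async (cache) => {
      const cached = await cache.match(event.request);
      if (cached) return cached;
      const response = await fetch(event.request);
      if (isCacheableResponse(response)) cache.put(event.request, response.clone());
      return response;
    }));
  });
}
```

Incrementing `CACHE_VERSION` on each deploy is what makes the "cache versioning" mitigation work: the new worker's activate step removes every older `faf-patchnotes-v*` cache, so the manual clear option only has to cover the case where a user is stuck on an old worker.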
Consideration: CDN could be compromised

Mitigation:

- SRI hashes verify integrity
- Fallback mechanisms for critical resources
- Regular security reviews
Consideration: `patches.json` could be tampered with

Mitigation:

- Validation script checks data structure
- No executable code in JSON
- Display-only data (no security decisions based on it)
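As an added example of the "validation script checks data structure" mitigation (and the "validate data from `patches.json`" guideline), the following is illustrative code, not the project's own validation script. The assumed schema, an array of `{ version, date, changes }` entries, is a guess for the example; the real file may differ.

```javascript
// Added example (not the site's own validation script): a structural check
// for patches.json before it is rendered. The schema (version, date,
// changes) is an assumption; adapt to the real file's layout.
const VERSION_RE = /^\d+\.\d+(\.\d+)?$/;
const DATE_RE = /^\d{4}-\d{2}-\d{2}$/;
const MAX_CHANGES = 500;
const MAX_TEXT = 2000;
const ALLOWED_KEYS = new Set(['version', 'date', 'changes']);

// Returns a list of problems; an empty list means the data is safe to
// display. Unknown keys are rejected (this also catches a "__proto__" key,
// which JSON.parse creates as an ordinary own property).
function validatePatches(data) {
  const errors = [];
  if (!Array.isArray(data)) return ['top level must be an array'];
  data.forEach((entry, i) => {
    const at = `patches[${i}]`;
    if (typeof entry !== 'object' || entry === null || Array.isArray(entry)) {
      errors.push(`${at}: must be an object`);
      return;
    }
    for (const key of Object.keys(entry)) {
      if (!ALLOWED_KEYS.has(key)) errors.push(`${at}: unexpected key "${key}"`);
    }
    if (typeof entry.version !== 'string' || !VERSION_RE.test(entry.version)) {
      errors.push(`${at}.version: expected "major.minor[.patch]"`);
    }
    if (typeof entry.date !== 'string' || !DATE_RE.test(entry.date)
        || Number.isNaN(Date.parse(entry.date))) {
      errors.push(`${at}.date: expected YYYY-MM-DD`);
    }
    if (!Array.isArray(entry.changes) || entry.changes.length > MAX_CHANGES) {
      errors.push(`${at}.changes: expected an array of at most ${MAX_CHANGES} items`);
    } else {
      entry.changes.forEach((c, j) => {
        if (typeof c !== 'string' || c.length === 0 || c.length > MAX_TEXT) {
          errors.push(`${at}.changes[${j}]: expected a non-empty string of at most ${MAX_TEXT} chars`);
        }
      });
    }
  });
  return errors;
}

// Parse and validate in one step; callers render only when ok is true and
// otherwise show a generic error (no parser details leak to the page).
function loadPatches(jsonText) {
  let data;
  try {
    data = JSON.parse(jsonText);
  } catch (e) {
    return { ok: false, errors: [`invalid JSON: ${e.message}`] };
  }
  const errors = validatePatches(data);
  return errors.length ? { ok: false, errors } : { ok: true, patches: data };
}
```

Because every change line is required to be a plain string of bounded length and is later rendered through `textContent`, a tampered file can at worst show wrong release notes; it has no path to script execution, which is what "display-only data" means in practice.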
## Future Enhancements

- Implement Content Security Policy headers
- Add comprehensive input validation library
- Automated dependency vulnerability scanning
- Security headers (X-Frame-Options, X-Content-Type-Options)
- Automated security testing in CI/CD
- Regular third-party security audits
- Report-URI for CSP violations
- `security.txt` file
- Bug bounty program (if resources allow)
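The following is an added sketch of what the CSP and security-header items above could look like; it is example code, not the site's deployed configuration. The CDN origin and report endpoint are placeholders, and the `Referrer-Policy` and HSTS headers go slightly beyond the two headers the list names. The policy deliberately contains no `'unsafe-inline'` or `'unsafe-eval'`, which matches the no-`eval()` guideline; if the site has inline styles, they will show up as violations in report-only mode first.

```javascript
// Added example (not the site's deployed configuration): assembling the CSP
// and companion headers listed as planned enhancements, plus a parser for
// the violation reports a report-uri endpoint receives. CDN_ORIGIN and
// CSP_REPORT_ENDPOINT are placeholders.
const CDN_ORIGIN = 'https://cdn.example.com';   // placeholder
const CSP_REPORT_ENDPOINT = '/csp-report';      // placeholder

const CSP_DIRECTIVES = {
  'default-src': ["'self'"],
  'script-src': ["'self'"],                    // no inline scripts, no eval()
  'style-src': ["'self'", CDN_ORIGIN],         // Font Awesome stylesheet
  'font-src': ["'self'", CDN_ORIGIN],          // Font Awesome webfonts
  'img-src': ["'self'", 'data:'],
  'connect-src': ["'self'"],                   // patches.json, SW updates
  'worker-src': ["'self'"],                    // the service worker itself
  'manifest-src': ["'self'"],
  'object-src': ["'none'"],
  'base-uri': ["'self'"],
  'frame-ancestors': ["'none'"],               // modern equivalent of X-Frame-Options
  'form-action': ["'self'"],
  'report-uri': [CSP_REPORT_ENDPOINT],
};

// Serialize the directive map into the header value.
function buildCsp(directives = CSP_DIRECTIVES) {
  return Object.entries(directives)
    .map(([name, values]) => `${name} ${values.join(' ')}`)
    .join('; ');
}

// Full header set. Start with reportOnly=true, fix what the reports show,
// then switch to enforcing.
function securityHeaders(reportOnly = false) {
  const cspName = reportOnly
    ? 'Content-Security-Policy-Report-Only'
    : 'Content-Security-Policy';
  return {
    [cspName]: buildCsp(),
    'X-Frame-Options': 'DENY',
    'X-Content-Type-Options': 'nosniff',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  };
}

// Reduce a report-uri POST body to the fields worth logging. Returns null
// for anything that is not a well-formed report so junk is dropped quietly.
function parseCspReport(body) {
  let parsed;
  try { parsed = JSON.parse(body); } catch { return null; }
  const r = parsed && parsed['csp-report'];
  if (!r || typeof r !== 'object') return null;
  return {
    directive: String(r['violated-directive'] || r['effective-directive'] || ''),
    blockedUri: String(r['blocked-uri'] || ''),
    documentUri: String(r['document-uri'] || ''),
  };
}
```

`frame-ancestors` and `X-Frame-Options` say the same thing; keeping both covers browsers that only honour the older header. The `Strict-Transport-Security` line should only go live once every subdomain is reachable over HTTPS, since `includeSubDomains` is enforced for the full max-age.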
## Responsible Disclosure

We believe in responsible disclosure. Please:

- Give us reasonable time to fix issues before public disclosure
- Do not exploit vulnerabilities for malicious purposes
- Do not access or modify data that doesn't belong to you
- Work with us to understand and mitigate the issue

## Contact

For security-related questions or concerns:

- Security Email: security@faforever.com
- General Issues: GitHub Issues (for non-sensitive topics)
- Discord: FAForever Community

Thank you for helping keep FAForever Patchnotes secure!

Last Updated: February 5, 2026