| Version | Supported |
|---|---|
| 0.1.x | ✅ |
If you discover a security vulnerability, please report it responsibly:
- Do NOT create a public GitHub issue
- Email the maintainers directly
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
We will respond within 48 hours and work with you to understand and resolve the issue.

This project ships with default development credentials that MUST be changed for production:

- `POSTGRES_PASSWORD=memory` - Change to a strong password
- `MINIO_ACCESS_KEY=minioadmin` / `MINIO_SECRET_KEY=minioadmin` - Change both
- `DEFAULT_API_KEY=dev-api-key-12345` - Generate secure API keys

- Change all default passwords and secrets
- Set `DEBUG=false`
- Configure CORS origins properly (not `["*"]`)
- Use HTTPS for all services
- Enable rate limiting
- Implement proper authentication (replace dummy auth)
- Set up database backups
- Configure firewall rules
- Use secrets management (e.g., HashiCorp Vault, AWS Secrets Manager)
- Enable audit logging
- Apply security updates regularly
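
A start-up check that enforces the first four items of the checklist above (default credentials, `DEBUG`, CORS origins, HTTPS). This is an added example, not code from the project: it assumes settings arrive as environment variables with the names listed in this file, that allowed origins live in a JSON list under a hypothetical `CORS_ORIGINS` variable, and a minimum secret length of 16 characters that the project itself does not specify.

```python
import json
import os
import sys

# Development defaults shipped with the project, exactly as listed above.
DEV_DEFAULTS = {
    "POSTGRES_PASSWORD": "memory",
    "MINIO_ACCESS_KEY": "minioadmin",
    "MINIO_SECRET_KEY": "minioadmin",
    "DEFAULT_API_KEY": "dev-api-key-12345",
}
MIN_SECRET_LENGTH = 16  # assumed minimum; the project does not state one


def check_production_config(env):
    """Return a list of findings for a mapping of settings (e.g. os.environ).

    An empty list means the configuration passed every check.
    """
    findings = []

    # 1. Every shipped secret must be set, must differ from the development
    #    default, and must not be trivially short.
    for name, default in DEV_DEFAULTS.items():
        value = env.get(name, "")
        if not value:
            findings.append(f"{name} is not set")
        elif value == default:
            findings.append(f"{name} still uses the development default")
        elif len(value) < MIN_SECRET_LENGTH:
            findings.append(f"{name} is shorter than {MIN_SECRET_LENGTH} characters")

    # 2. DEBUG must be off; accept the usual truthy spellings so "True" or "1"
    #    are caught as well as "true".
    if env.get("DEBUG", "false").strip().lower() in ("1", "true", "yes", "on"):
        findings.append("DEBUG must be false in production")

    # 3. CORS origins (assumed JSON list in CORS_ORIGINS) must be an explicit
    #    list of HTTPS origins, never the wildcard.
    try:
        origins = json.loads(env.get("CORS_ORIGINS", "[]"))
    except json.JSONDecodeError:
        findings.append("CORS_ORIGINS is not valid JSON")
        return findings
    if not isinstance(origins, list) or not origins:
        findings.append("CORS_ORIGINS must list the allowed origins explicitly")
        return findings
    for origin in origins:
        if origin == "*":
            findings.append('CORS_ORIGINS must not contain "*"')
        elif not str(origin).startswith("https://"):
            findings.append(f"CORS origin {origin!r} is not served over HTTPS")
    return findings


if __name__ == "__main__":
    # Run at service start-up: refuse to boot on any finding.
    problems = check_production_config(os.environ)
    for problem in problems:
        print("config error:", problem, file=sys.stderr)
    sys.exit(1 if problems else 0)
```

Wire the check into the service entry point (or a container `ENTRYPOINT`) so a deployment that still carries `minioadmin` or `["*"]` exits with a non-zero status before it ever binds a port, rather than logging a warning that nobody reads.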
- API keys are stored as SHA-256 hashes - consider using more secure key derivation for production
- File uploads are not scanned for malware - implement scanning for production use
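
To make the first note concrete, here is plain SHA-256 storage (what "stored as SHA-256 hashes" means) next to one stronger option: an HMAC-SHA256 keyed with a server-side secret ("pepper") and verified with a constant-time comparison. This is an added example, not the project's code; the `ApiKeyStore` class, the 8-character lookup prefix and the pepper are all assumptions, and the pepper would in practice come from the secrets manager mentioned in the checklist.

```python
import hashlib
import hmac
import secrets

KEY_PREFIX_LEN = 8  # leading characters kept in clear for lookup (assumption)


def generate_api_key():
    """Return a new high-entropy key: 32 random bytes, URL-safe base64 (43 chars)."""
    return secrets.token_urlsafe(32)


def hash_key_sha256(api_key):
    """Current scheme: a bare SHA-256 digest of the key.

    Adequate only because the key is random and long; anyone holding a
    database dump can still test candidate keys offline at full speed.
    """
    return hashlib.sha256(api_key.encode()).hexdigest()


def hash_key_peppered(api_key, pepper):
    """Stronger scheme: HMAC-SHA256 under a server-side pepper.

    Without the pepper (held outside the database) a leaked table of hashes
    cannot be used to verify or forge keys.
    """
    return hmac.new(pepper, api_key.encode(), hashlib.sha256).hexdigest()


class ApiKeyStore:
    """Minimal in-memory store; a real deployment would back this with a table."""

    def __init__(self, pepper):
        self._pepper = pepper
        self._records = {}  # prefix -> (peppered hash, owner)

    def issue(self, owner):
        """Create a key for `owner`; the clear key is returned once and never stored."""
        key = generate_api_key()
        # A prefix collision among 64**8 values is negligible for this demo;
        # a real table would key on the prefix and compare every match.
        self._records[key[:KEY_PREFIX_LEN]] = (hash_key_peppered(key, self._pepper), owner)
        return key

    def authenticate(self, presented):
        """Return the owner for a valid key, else None."""
        record = self._records.get(presented[:KEY_PREFIX_LEN])
        candidate = hash_key_peppered(presented, self._pepper)  # always computed
        if record is None:
            return None  # unknown prefix; digest above keeps timing uniform
        stored_hash, owner = record
        if hmac.compare_digest(stored_hash, candidate):
            return owner
        return None
```

Keys are looked up by a short clear-text prefix so that the store never has to hash every row, and `hmac.compare_digest` avoids leaking how many leading bytes of the digest matched; the prefix reveals nothing useful because the remaining 35 characters still carry far more than 128 bits of entropy.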