| Version | Supported |
|---|---|
| 0.1.x | ✅ |
If you discover a security vulnerability, please report it privately:
- GitHub Security Advisories — use the "Report a vulnerability" button on the repository's Security tab (preferred)
- Email — contact the maintainers directly (see repository profile for contact details)
- Do NOT open a public GitHub issue for security vulnerabilities
Please include in your report:
- A clear description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Suggested fix (if you have one)
We aim to acknowledge all reports within 48 hours and will work with you on a coordinated disclosure timeline.
-
Strong credentials
- Use at least 16 characters for
ADMIN_PASSWORD - Generate with:
openssl rand -base64 24 - Regenerate
AUTH_SECRETfor every new instance - Generate with:
openssl rand -base64 32
- Use at least 16 characters for
-
Protect your secrets file
chmod 600 .env.local
Never commit
.env.localto version control. -
Use HTTPS in production
- Put the app behind a reverse proxy (Caddy, nginx) that handles TLS
- The auth cookie automatically sets
secure: truewhen the app detects HTTPS
-
Restrict network access
- Bind the Node.js process to
127.0.0.1, not0.0.0.0 - Expose only via the reverse proxy
- Configure a firewall (UFW, iptables) to block direct access to the app port
- Bind the Node.js process to
-
Keep dependencies up to date
npm audit npm audit fix
-
Never commit:
.env.local(passwords, secrets)data/*.json(operational runtime data)data/*.db(usage metrics databases)- Real usernames, emails, API keys, or tokens in source code
-
Use branding config:
- All personal identifiers must come from environment variables via
src/config/branding.ts - Never hardcode names, handles, or contact details in source files
- All personal identifiers must come from environment variables via
-
Input handling:
- Never use
eval()orFunction()with user-supplied input - Validate and sanitize all API inputs
- Use parameterized queries for all SQLite operations
- Escape user-generated content rendered in the UI
- Never use
| Control | Implementation |
|---|---|
| Authentication | Password + signed HTTP-only cookie |
| Rate limiting | 5 failed logins → 15-minute lockout per IP |
| Route protection | src/middleware.ts guards all routes |
| Public endpoints | Only /api/auth/login and /api/health |
| Terminal API | Strict allowlist; dangerous commands blocked |
| Cookie flags | httpOnly, sameSite: lax, secure in production |
Before going live:
-
ADMIN_PASSWORDset to a strong, unique value -
AUTH_SECRETfreshly generated (openssl rand -base64 32) -
.env.localpermissions set to600 - HTTPS configured via reverse proxy
- Node process bound to loopback (
127.0.0.1) - Firewall configured to block direct access to app port
-
npm auditrun — no critical/high vulnerabilities unaddressed -
data/directory included in backup routine
We follow coordinated vulnerability disclosure:
- Researcher notifies us privately with full details
- We confirm receipt, triage the report, and begin working on a fix
- We release a patched version
- Public disclosure happens only after the patch is available and deployed
We credit researchers who follow this process in the release notes (unless they prefer to remain anonymous).
Thank you for helping keep FeiControl secure. 🔒