- Security updates are typically released as a patch for the latest supported version.
- We will aim to release updates as quickly as possible after a security issue has been identified and fixed.
- You can monitor the project’s releases and changelog to stay up to date with the latest security patches.
We follow these practices to ensure the project remains secure:
- Code Reviews: All pull requests are subject to code reviews. Security concerns should be flagged during reviews.
- Static Analysis: We use static analysis tools to identify potential security flaws in the codebase.
- Dependency Audits: Third-party dependencies are audited regularly against known-vulnerability databases, and affected packages are upgraded or replaced.
If you're contributing to the project, please follow these guidelines to help maintain the security of the codebase:
- Do not hard-code sensitive information: Never hard-code credentials, API keys, tokens, or other secrets in source code, configuration committed to the repository, or test fixtures. Load them at runtime from environment variables or a secrets manager/vault, and fail closed if a required secret is missing rather than falling back to a default value.
- Input Validation: Validate and constrain all user-controlled input (type, length, allowed characters) at the boundary. Validation alone is not enough for injection flaws: use parameterized queries for SQL and context-aware output encoding for HTML to defend against SQL injection and cross-site scripting (XSS). State-changing web endpoints also need cross-site request forgery (CSRF) protection, such as anti-CSRF tokens or SameSite cookies, which input validation does not provide.
- Use Secure Dependencies: Ensure that all third-party libraries and dependencies used in the project are actively maintained and free of known vulnerabilities. Pin versions through a lockfile and update dependencies regularly to their latest stable releases.
- Avoid Security Misconfigurations: Be mindful of misconfigurations in development, staging, and production environments (debug modes left on, default accounts, overly permissive file or network access). Ensure that sensitive data is not exposed and that each environment is securely configured.
- Security Headers: If you're working on the web-facing portion of the project, configure security headers such as Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), X-Content-Type-Options, and X-Frame-Options, and verify them on real responses rather than assuming the framework sets them.
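The following is an added, constructed example illustrating the first two guidelines above (secrets from the environment, parameterized queries); it is not code from this project. The `load_secret` helper, the `users` table, and the sample rows are assumptions made for the demonstration.

```python
"""Constructed example for two contributor guidelines:
secrets come from the environment (never the source), and user input
reaches the database only through parameterized queries.
Added example, not the project's own code."""
import os
import sqlite3
from typing import Mapping


def load_secret(name: str, env: Mapping[str, str] = os.environ) -> str:
    """Return a secret from the process environment, failing closed.

    A hard-coded fallback such as env.get(name, "dev-password") would
    silently ship that fallback into production, so a missing or empty
    variable is an error rather than a default.
    """
    value = env.get(name, "").strip()
    if not value:
        raise RuntimeError(f"required secret {name} is not set")
    return value


def make_db() -> sqlite3.Connection:
    """In-memory database seeded with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable form: the input is spliced into the SQL text."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the driver binds the value; it can never become SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Classic tautology payload: closes the string literal and ORs in a true clause.
INJECTION = "x' OR '1'='1"


def demo() -> dict:
    """Run the same payload through both query functions."""
    conn = make_db()
    return {
        "unsafe": find_user_unsafe(conn, INJECTION),  # every row leaks
        "safe": find_user_safe(conn, INJECTION),      # no row named "x' OR '1'='1"
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints the full user table for the vulnerable query and an empty result for the parameterized one, which is the behaviour a reviewer should look for when a pull request touches database access.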
- OWASP Top Ten – A great resource to familiarize yourself with common security risks.
- CVE Details – A database of known security vulnerabilities.
Thank you for helping us keep this project secure!