docs: add SECURITY.md
SECURITY.md (new file, 67 lines)
@@ -0,0 +1,67 @@
# Security Policy

## Supported Versions

This is a personal portfolio project, so there is no formal long-term support schedule. Security
fixes are applied to the current main branch when issues are confirmed and within the practical
maintenance capacity of the project.

## Reporting A Vulnerability

Please do not open a public issue for a security vulnerability.

Report security concerns privately to the repository maintainer. Include as much detail as you can:

- a description of the vulnerability;
- steps to reproduce the issue;
- affected routes, commands, files, or configuration;
- the potential impact;
- any suggested fix or mitigation, if you have one.

You can expect a best-effort response acknowledging the report, followed by validation and a fix when
the issue is reproducible and in scope.

## Security Scope

The most important security areas for this project are:

- local authentication and session handling;
- watchlist and playback progress data;
- playback proxy tokens and signed stream access;
- subtitle and playlist proxying;
- external provider integration boundaries;
- SQLite database access and migrations;
- configuration loaded from environment variables or `.env` files.

Reports involving these areas are especially useful.

## Out Of Scope

The following are generally out of scope unless they expose a direct application vulnerability:

- issues that require full local machine access;
- denial-of-service reports against a local development server;
- vulnerabilities in third-party services outside this repository;
- missing production hardening for deployments that are not documented or supported by the project;
- social engineering or physical attacks.

## Operational Notes

This application is designed to be self-hosted and local-first. If you deploy it beyond a private
local environment, you are responsible for the surrounding production controls, including TLS, network
access, backups, secrets management, reverse proxy configuration, logging retention, and dependency
monitoring.

Use a strong `PLAYBACK_PROXY_SECRET` if playback proxy token signing is enabled. Do not commit real
secrets, provider tokens, session data, or production databases to the repository.

## Dependency Security

Dependencies are managed through Go modules and Bun. When updating dependencies, run the normal local
checks before merging:

```bash
just check
```

Security-related dependency updates should be kept small and reviewed separately when possible.
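Review bot: the Reporting A Vulnerability section asks reporters to contact the maintainer privately but never says how, so the only visible channel is the public issue the section's first sentence forbids; add a concrete private contact (an email address or the repository host's private vulnerability reporting feature) and, if possible, a rough acknowledgement window in place of "best-effort response". In Operational Notes, "Use a strong `PLAYBACK_PROXY_SECRET`" would be more actionable with a generation hint, such as a minimum length or a one-line command that produces random bytes, since "strong" on its own gives a deployer nothing to check against.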