Only the latest version on the main branch receives security fixes.
| Branch | Supported |
|---|---|
| main | Yes |
| older tags | No |
Do not open a public GitHub issue for security vulnerabilities.
Please report security issues by emailing the maintainer directly. Include:
- A clear description of the vulnerability
- Steps to reproduce the issue
- The potential impact
- Any suggested fix (optional but appreciated)
You can expect an acknowledgement within 48 hours and a resolution or mitigation plan within 14 days. We will credit reporters in the release notes unless you prefer to remain anonymous.
The following are in scope:
- Authentication and authorisation bypass
- SQL injection or ORM query manipulation
- Sensitive data exposure (tokens, passwords, PII)
- Cross-site scripting (XSS) in rendered content
- Server-side request forgery (SSRF)
- Insecure file upload handling
The following are out of scope:
- Denial-of-service attacks requiring large volumes of requests
- Issues in third-party dependencies that have already been publicly disclosed (open an issue linking the CVE instead)
- Rate limiting gaps on non-sensitive endpoints
- Set a strong `SECRET_KEY` (at minimum 32 random bytes)
- Never expose the backend port (`8000`) directly to the public internet — proxy through nginx or a similar reverse proxy
- Restrict `UPLOAD_DIR` permissions to the application user only
- Use HTTPS in production; set `SECURE_COOKIES=true` if you add cookie-based auth
- Rotate `GROQ_API_KEY` and database credentials regularly
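A startup check that enforces the settings above, added here as an example and not part of the project's own code. It assumes the settings arrive as environment variables, that cookie-based auth is in use, and uses an assumed `BIND_HOST` variable for the address the backend binds to.

```python
from __future__ import annotations
import os
import secrets
import stat

# Placeholder values that must never reach production (constructed list).
PLACEHOLDER_SECRETS = {"", "changeme", "secret", "dev", "replace-me"}


def generate_secret_key() -> str:
    """Return a fresh URL-safe key derived from 32 random bytes."""
    return secrets.token_urlsafe(32)


def check_secret_key(value: str | None) -> list[str]:
    """Reject a missing, placeholder or too-short SECRET_KEY."""
    if value is None or value.lower() in PLACEHOLDER_SECRETS:
        return ["SECRET_KEY is missing or a placeholder"]
    problems = []
    if len(value.encode()) < 32:
        problems.append("SECRET_KEY is shorter than 32 bytes")
    if len(set(value)) < 12:  # crude heuristic: random keys use many symbols
        problems.append("SECRET_KEY has too little variety to be random")
    return problems


def check_upload_dir(path: str) -> list[str]:
    """UPLOAD_DIR must be owned by this user and closed to group and others."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return [f"UPLOAD_DIR {path} cannot be read: {exc.strerror}"]
    problems = []
    if st.st_uid != os.getuid():
        problems.append("UPLOAD_DIR is not owned by the application user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("UPLOAD_DIR is accessible to group or others")
    return problems


def check_env(env: dict[str, str]) -> list[str]:
    """Run all checks; an empty list means the settings are acceptable.
    BIND_HOST is an assumed variable name for the address the backend binds to."""
    problems = check_secret_key(env.get("SECRET_KEY"))
    if env.get("SECURE_COOKIES", "false").lower() != "true":
        problems.append("SECURE_COOKIES must be true for cookie-based auth over HTTPS")
    if env.get("BIND_HOST", "127.0.0.1") in ("0.0.0.0", "::"):
        problems.append("port 8000 is bound on all interfaces; bind to localhost behind nginx")
    if "UPLOAD_DIR" in env:
        problems += check_upload_dir(env["UPLOAD_DIR"])
    return problems
```

Call `check_env(dict(os.environ))` at process start and refuse to serve if the list is non-empty.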