Only the latest release in the 0.1.x series is actively supported.

To report a vulnerability, use GitHub Security Advisories (private disclosure):

https://github.com/d-oit/do-epub-studio/security/advisories/new

Do not open a public issue or discussion for a vulnerability.

To protect against brute-force attacks and denial-of-service, the following rate limits are enforced:

• Auth Endpoints (/api/access/request, /api/admin/login, etc.): 10 requests per minute.
• File Endpoints (/api/files/*, etc.): 30 requests per minute.
• General API Endpoints: 60 requests per minute.

Limits are applied per IP address and, where applicable, per authentication token. Exceeding these limits will result in a 429 Too Many Requests response with a Retry-After header.

Vulnerabilities in the following locations are in scope:

• apps/**
• packages/**

To mitigate supply chain risks, the following policies are enforced:

• GitHub Actions SHA Pinning: All GitHub Actions used in workflows MUST be pinned to a full 40-character commit SHA. Mutable tags (e.g., @v4) are prohibited except in comments for readability.
• Automated Auditing: Workflows are continuously audited using OpenSSF Scorecard and validated with actionlint and zizmor during the CI process.
• Dependabot: Dependabot is configured to provide automated updates for GitHub Actions SHAs.

The following are out of scope:

• Third-party dependencies (report to upstream maintainers)
• Social engineering attacks
• Denial of service via legitimate API rate usage
• Theoretical attacks without a proven exploit

• ADR-034 (ReDoS)
• ADR-035 (Content Security Policy)
• docs/security.md

The application enforces strict CSP headers across all Worker responses and EPUB content.

• Frontend Application: Restrict resource loading to 'self' and the API domain. Framing is disabled (frame-ancestors 'none'). Inline styles are permitted via 'unsafe-inline' to support dynamic styling in React/Framer Motion.
• API Responses: Restrict resource loading to 'self' and authorized domains. Framing is disabled (frame-ancestors 'none').
• EPUB Content: Rendered in a sandboxed iframe with restricted permissions. The response header further restricts script execution and network access.
• Reporting: All violations are reported to /api/csp-report.

The Worker API implements a centralized validation layer using Hono and Zod.

• Schema Enforcement: Every API endpoint that accepts a request body or query parameters is protected by a Zod schema from @do-epub-studio/shared.
• Validation Middleware: Request validation is performed by the zValidator middleware. Requests that do not conform to the schema are automatically rejected with a 400 Bad Request status and detailed error information.
• No Raw Input: Use of raw request.json() in route handlers is strictly prohibited. Handlers must receive validated, typed data from the Hono context.