If you discover a security vulnerability in the OCPP DebugKit website, please report it responsibly:
- Do not open a public GitHub issue.
- Go to github.com/ocpp-debugkit/website/security/advisories/new and create a private security advisory.
- Include a description of the vulnerability, steps to reproduce, and potential impact.
- You will receive an acknowledgment within 48 hours.
- We will investigate and work with you on a fix before any public disclosure.
This site includes an in-browser trace inspector that processes untrusted input (trace files and pasted content). The following principles are enforced:
- Browser-local processing — traces are parsed and analyzed entirely in the browser. Trace content is never uploaded to a server.
- Input validation and size limits — file-size and event-count limits are
enforced on trace input (via
@ocpp-debugkit/toolkit). - Safe JSON parsing — try/catch with size guards on all untrusted input.
- No dynamic code execution — no
eval(),Function(), or similar on untrusted input. - Safe rendering — no
dangerouslySetInnerHTMLor unsafe HTML injection of user content. - No secrets in committed files — no credentials, API keys, or tokens.
This policy applies to this repository (the marketing site, docs, and the
in-browser inspector). It does not apply to user-loaded traces or
runtime-generated reports — those contain the user's own data and are processed
locally in the browser. Vulnerabilities in the underlying library belong in the
toolkit repo; vulnerabilities in
the native app belong in studio.