Security

Reporting vulnerabilities

Report security issues via GitHub private vulnerability reporting. Include a description, steps to reproduce, and potential impact. Only maintainers can see the report until a fix is released.

Self-hosting checklist

  • Change all default JWT secrets — generate with openssl rand -base64 32
  • Use HTTPS with valid TLS certificates
  • Restrict network access to PostgreSQL and Redis (don't expose ports publicly)
  • Enable authentication on all database connections
  • Keep images updated — watch for Dependabot alerts
  • Back up PostgreSQL regularly
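
A preflight script for the first and third checklist items, added here as an example and not part of the project's own tooling. It assumes a Docker Compose deployment; the function names and the sample compose text are constructed for illustration.

```shell
#!/bin/sh
# Added example: preflight checks for the self-hosting checklist.
# Function names and SAMPLE_COMPOSE are assumptions, not project code.

# Generate a secret the way the checklist suggests (32 random bytes).
new_jwt_secret() {
    openssl rand -base64 32
}

# Succeed only if the value looks like base64 text at least as long as
# the output of `openssl rand -base64 32` (44 characters).
# Short placeholder values and empty strings fail the length test.
jwt_secret_ok() {
    case "$1" in
        *[!A-Za-z0-9+/=]*) return 1 ;;   # characters outside base64
    esac
    [ "${#1}" -ge 44 ]
}

# Read compose-style YAML on stdin and print every port mapping that
# publishes PostgreSQL (5432) or Redis (6379) without binding the host
# side to 127.0.0.1. A mapping with no host IP listens on all interfaces.
exposed_db_ports() {
    grep -E '^[[:space:]]*-[[:space:]]*"?([0-9.]+:)?[0-9]+:(5432|6379)"?[[:space:]]*$' \
        | grep -Ev '"?127\.0\.0\.1:' || true
}

# Constructed sample input: db is published on all interfaces, cache is
# loopback-only, app is unrelated to the database ports.
SAMPLE_COMPOSE='services:
  db:
    ports:
      - "5432:5432"
  cache:
    ports:
      - "127.0.0.1:6379:6379"
  app:
    ports:
      - "443:8443"'

# Prints the one offending mapping from the sample: - "5432:5432"
printf '%s\n' "$SAMPLE_COMPOSE" | exposed_db_ports
```

Pipe a real compose file into exposed_db_ports in place of the sample; empty output means no PostgreSQL or Redis port is published beyond loopback.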