Security Policy
Reporting a Vulnerability
If you discover a security vulnerability in Oikos, please report it responsibly. Do not open a public issue.
Email: ulsklyc@gmail.com
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if you have one)
You should receive an acknowledgment within 48 hours. Fixes for confirmed vulnerabilities will be released as soon as possible.
Scope
Oikos is designed for self-hosted deployment on a private network behind a reverse proxy with SSL. The security model assumes:
- The server is not directly exposed to the public internet without Nginx + TLS
- The admin controls all user accounts (no public registration)
- The host machine itself is reasonably secured
Vulnerabilities that require physical access to the host or root on the server are generally out of scope.
Security Features
- Session-based auth with `httpOnly`, `SameSite=Strict`, `Secure` cookies
- CSRF protection via Double Submit Cookie on all state-changing requests
- Passwords hashed with bcrypt (cost factor 12)
- Login rate limiting (5 attempts/min per IP)
- API rate limiting (300 requests/min per IP)
- Content Security Policy via Helmet (`self`-only)
- Optional SQLCipher AES-256 database encryption
- No API endpoint accessible without session auth (except login)
Supported Versions
Only the latest version on main receives security updates. There are no LTS branches.