GitHub/kill-the-news
1
0
Fork 0
mirror of https://github.com/juherr/kill-the-news.git synced 2026-06-20 22:03:48 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
kill-the-news/SECURITY.md
T
Julien Herr 7f5b913576 docs: add SECURITY.md and CONTRIBUTING.md 
Add a security policy with private reporting channels and project-specific
scope, plus a contributor guide covering dev setup, testing, and commit
conventions. Drop the stale AGENTS.md reference from CLAUDE.md.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-23 22:18:57 +02:00

62 lines
2.5 KiB
Markdown
Raw Permalink Blame History

# Security Policy
## Supported versions
kill-the-news is a self-hosted, single-Worker application. Only the latest
release on the `main` branch receives security fixes. If you run a fork or an
older deployment, update to the latest `main` before reporting an issue.
## Reporting a vulnerability
**Please do not open a public GitHub issue for security problems.**
Report privately through one of:
- [GitHub Security Advisories](https://github.com/juherr/kill-the-news/security/advisories/new) (preferred)
- Email: me@juherr.dev
Please include:
- A description of the issue and its impact
- Steps to reproduce (proof-of-concept if possible)
- Affected route, file, or configuration
- Any suggested remediation
You can expect an acknowledgement within a few days. Since this is a
volunteer-maintained project, fix timelines depend on severity and
availability, but credible reports are taken seriously. Coordinated disclosure
is appreciated — please give a reasonable window for a fix before going public.
## Scope
Because this Worker ingests email and exposes feeds, the security-sensitive
surface includes:
- **Admin authentication** — password handling, the signed session cookie, and
constant-time secret comparison (`ADMIN_PASSWORD`, `PROXY_AUTH_SECRET`).
- **Inbound ingestion** — the ForwardEmail webhook (`POST /api/inbound`),
IP allowlisting, and the Cloudflare Email Workers handler.
- **Email rendering** — HTML sanitization for stored emails and feed output
(XSS via `entries/`, `rss/`, `atom/`, inline `cid:` images).
- **Public endpoints** — `GET /`, `GET /api/stats`, `GET /rss/:feedId`,
`GET /atom/:feedId`, `GET /files/:attachmentId/:filename`,
`GET /favicon/:feedId`.
### Out of scope
- Vulnerabilities in Cloudflare, ForwardEmail, or other third-party
infrastructure (report those to the respective vendor).
- Misconfiguration of a self-hosted deployment (e.g. a weak `ADMIN_PASSWORD`,
an exposed `workers.dev` subdomain, or committing secrets). See the security
notes in [README.md](README.md) and [INSTALL.md](INSTALL.md).
- Denial of service from sending large volumes of email.
## Hardening reminders for operators
- Use a strong, unique `ADMIN_PASSWORD` and rotate it periodically.
- Set `ADMIN_PASSWORD` via `wrangler secret put` — never in config files.
- Disable the `workers.dev` subdomain in production (`workers_dev = false`),
since `CF-Connecting-IP` can be spoofed on direct `workers.dev` requests.
- Set per-feed `Allowed senders` for high-value feeds.
- Never commit `wrangler.toml` or `.dev.vars` (both are gitignored).
Reference in New Issue View Git Blame Copy Permalink