kill-the-news/SECURITY.md
Julien Herr 7f5b913576 docs: add SECURITY.md and CONTRIBUTING.md
Add a security policy with private reporting channels and project-specific
scope, plus a contributor guide covering dev setup, testing, and commit
conventions. Drop the stale AGENTS.md reference from CLAUDE.md.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-23 22:18:57 +02:00


Security Policy

Supported versions

kill-the-news is a self-hosted, single-Worker application. Only the latest release on the main branch receives security fixes. If you run a fork or an older deployment, update to the latest main before reporting an issue.

Reporting a vulnerability

Please do not open a public GitHub issue for security problems.

Report privately through one of:

Please include:

  • A description of the issue and its impact
  • Steps to reproduce (proof-of-concept if possible)
  • Affected route, file, or configuration
  • Any suggested remediation

You can expect an acknowledgement within a few days. Since this is a volunteer-maintained project, fix timelines depend on severity and availability, but credible reports are taken seriously. Coordinated disclosure is appreciated — please give a reasonable window for a fix before going public.

Scope

Because this Worker ingests email and exposes feeds, the security-sensitive surface includes:

  • Admin authentication — password handling, the signed session cookie, and constant-time secret comparison (ADMIN_PASSWORD, PROXY_AUTH_SECRET).
  • Inbound ingestion — the ForwardEmail webhook (POST /api/inbound), IP allowlisting, and the Cloudflare Email Workers handler.
  • Email rendering — HTML sanitization for stored emails and feed output (XSS via entries/, rss/, atom/, inline cid: images).
  • Public endpoints — GET /, GET /api/stats, GET /rss/:feedId, GET /atom/:feedId, GET /files/:attachmentId/:filename, GET /favicon/:feedId.

Out of scope

  • Vulnerabilities in Cloudflare, ForwardEmail, or other third-party infrastructure (report those to the respective vendor).
  • Misconfiguration of a self-hosted deployment (e.g. a weak ADMIN_PASSWORD, an exposed workers.dev subdomain, or committing secrets). See the security notes in README.md and INSTALL.md.
  • Denial of service from sending large volumes of email.

Hardening reminders for operators

  • Use a strong, unique ADMIN_PASSWORD and rotate it periodically.
  • Set ADMIN_PASSWORD via wrangler secret put — never in config files.
  • Disable the workers.dev subdomain in production (workers_dev = false), since CF-Connecting-IP can be spoofed on direct workers.dev requests.
  • Set per-feed Allowed senders for high-value feeds.
  • Never commit wrangler.toml or .dev.vars (both are gitignored).
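As an added illustration of the checks named under Scope and in the hardening reminders above (example code, not the project's own): a gate for an inbound webhook route that refuses requests arriving on a workers.dev hostname, where CF-Connecting-IP cannot be trusted, enforces the IP allowlist, and compares the shared secret in constant time. Assumed names: env.WEBHOOK_SECRET, env.ALLOWED_WEBHOOK_IPS, an "Authorization: Bearer" header, and a minimal request-like object with url and headers.get().

```javascript
// Added example, not kill-the-news project code. Assumed names:
// env.WEBHOOK_SECRET, env.ALLOWED_WEBHOOK_IPS, an "Authorization: Bearer"
// header, and a minimal request-like object { url, headers.get() }.

// Constant-time comparison of two secrets. Length is checked first because
// the loop below needs equal lengths; the expected length is not a secret.
// In production prefer the runtime primitive (crypto.subtle.timingSafeEqual
// on Workers, crypto.timingSafeEqual in Node): the XOR-accumulate loop is
// the standard pattern, but a JS JIT gives no hard constant-time guarantee.
function secretsMatch(presented, expected) {
  const a = new TextEncoder().encode(String(presented ?? ""));
  const b = new TextEncoder().encode(String(expected ?? ""));
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
  return diff === 0;
}

// Gate an inbound webhook request. Returns { allowed, reason } so the
// caller can log the exact rejection cause without echoing it to the client.
function gateInboundRequest(req, env) {
  const host = new URL(req.url).hostname;
  // A request on the *.workers.dev hostname did not have to pass through
  // the operator's zone, so CF-Connecting-IP cannot be trusted there. This
  // fails closed even if the operator forgot workers_dev = false.
  if (host === "workers.dev" || host.endsWith(".workers.dev")) {
    return { allowed: false, reason: "workers.dev host" };
  }
  const ip = req.headers.get("CF-Connecting-IP");
  if (!ip || !env.ALLOWED_WEBHOOK_IPS.includes(ip)) {
    return { allowed: false, reason: "ip not allowlisted" };
  }
  const auth = req.headers.get("Authorization") ?? "";
  const presented = auth.startsWith("Bearer ") ? auth.slice("Bearer ".length) : "";
  if (!secretsMatch(presented, env.WEBHOOK_SECRET)) {
    return { allowed: false, reason: "bad secret" };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed request builder and environment for a stand-alone run.
function makeReq(url, headers) {
  const m = new Map(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  return { url, headers: { get: (k) => m.get(k.toLowerCase()) ?? null } };
}
const sampleEnv = { WEBHOOK_SECRET: "constructed-secret", ALLOWED_WEBHOOK_IPS: ["203.0.113.10"] };
const sampleReq = makeReq("https://news.example.com/api/inbound",
  { "CF-Connecting-IP": "203.0.113.10", Authorization: "Bearer constructed-secret" });
console.log(gateInboundRequest(sampleReq, sampleEnv)); // { allowed: true, reason: 'ok' }
```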