If you discover a security vulnerability, please report it responsibly:
- Do not open a public issue
- Email the maintainers with details of the vulnerability
- Allow time for the issue to be addressed before public disclosure
- Self-hosted: All data stays on your server
- No external services: No third-party analytics, tracking, or data collection
- No telemetry: The application does not phone home
- Non-root execution: Container runs as unprivileged user
- Minimal base image: Node 20 Alpine for reduced attack surface
- Security context: OpenShift-compatible security settings
- Capability dropping: All Linux capabilities dropped
- TLS support: Configure via reverse proxy (nginx, OpenShift Route)
- Security headers: X-Frame-Options, X-Content-Type-Options, etc.
- Health endpoints: `/health` and `/ready` for monitoring
Team passwords provide access control but are stored as-is (unhashed, in plaintext) in the database. For production deployments:
- Use strong, unique passwords for each team
- Consider network-level access controls
- Deploy behind a VPN or authenticated proxy for sensitive environments
- SQLite database is unencrypted at rest
- Ensure the data volume has appropriate filesystem permissions
- Regular backups are recommended
The Socket.IO server accepts connections from any origin by default. For production:
- Deploy behind a reverse proxy that handles CORS
- Use network policies to restrict access
- SMTP credentials are passed via environment variables
- Do not commit credentials to source control
- Use secrets management in Kubernetes/OpenShift
- Deploy behind a reverse proxy (nginx, Traefik, or platform ingress)
- Enable TLS for all connections
- Use network policies to restrict pod-to-pod communication
- Mount secrets for SMTP credentials instead of environment variables
- Update the base image and dependencies regularly
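The production recommendations above, collected into one Kubernetes/OpenShift manifest. This is an added example, not one of the project's own manifests: the container runs unprivileged with all capabilities dropped, the liveness and readiness probes use `/health` and `/ready`, SMTP credentials are mounted from a Secret as files rather than passed as environment variables, a NetworkPolicy admits traffic only from the reverse-proxy namespace, and an OpenShift Route terminates TLS and redirects plain HTTP. The image reference, listening port 3000, the Secret, Service and PVC names, the mount paths and the proxy namespace are assumptions.

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: smtp-credentials                 # assumed Secret name
type: Opaque
stringData:                              # constructed placeholder values
  smtp-user: "replace-me"
  smtp-password: "replace-me"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app                              # assumed workload name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      automountServiceAccountToken: false  # the app never calls the API server
      securityContext:
        runAsNonRoot: true                 # kubelet refuses to start a root image
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: app
          image: registry.example.com/app:latest   # assumed image reference
          ports:
            - name: http
              containerPort: 3000          # assumed listening port
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]                # "all Linux capabilities dropped"
          volumeMounts:
            - name: smtp-credentials       # credentials as files, not env vars
              mountPath: /run/secrets/smtp # assumed path the app reads from
              readOnly: true
            - name: data
              mountPath: /data             # assumed SQLite database location
            - name: tmp
              mountPath: /tmp              # the only writable scratch space
          livenessProbe:
            httpGet:
              path: /health
              port: http
          readinessProbe:
            httpGet:
              path: /ready
              port: http
      volumes:
        - name: smtp-credentials
          secret:
            secretName: smtp-credentials
        - name: data
          persistentVolumeClaim:
            claimName: app-data            # assumed PVC name
        - name: tmp
          emptyDir: {}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: app-allow-proxy-only
spec:
  podSelector:
    matchLabels:
      app: app
  policyTypes: ["Ingress"]               # any ingress not listed below is denied
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: openshift-ingress  # assumed proxy namespace
      ports:
        - protocol: TCP
          port: 3000
---
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: app
spec:
  to:
    kind: Service
    name: app                            # assumed Service in front of the pods
  port:
    targetPort: http
  tls:
    termination: edge                    # TLS terminated at the router
    insecureEdgeTerminationPolicy: Redirect   # plain HTTP redirected to HTTPS
```

Apply with `oc apply -f` (or `kubectl apply -f` on plain Kubernetes, where the Route is replaced by an Ingress with TLS and the proxy namespace label changes accordingly). The Secret volume mount assumes the application can read credentials from files under the mount path; if it only reads the environment variables mentioned above, source them from the same Secret with `valueFrom.secretKeyRef` instead, which still keeps the values out of source control and out of the manifest. With `readOnlyRootFilesystem` enabled, the SQLite database must live on the mounted data volume, which is also where filesystem permissions and backups apply.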
Run regular security audits:

`npm audit`

Update dependencies regularly to address known vulnerabilities.
Security updates are provided for the latest release only. We recommend always running the latest version.