We support the latest version of PodWeb with security updates.
| Version | Supported |
|---|---|
| latest | ✅ |
- Never commit sensitive data such as API keys or tokens to the repository
- Use the `.env` file for configuration (it is excluded by `.gitignore`)
- In production, use proper secrets management
- PodWeb proxies external images to avoid CORS issues
- All external requests are logged for monitoring
- Consider running behind a reverse proxy (nginx, Traefik) in production
- Feed history is stored locally in Docker volumes
- No personal data is collected or transmitted
- YouTube playlist metadata is fetched server-side to protect user privacy
- Containers run as non-root users where possible
- Use official base images (node:18-alpine, nginx:alpine)
- Rebuild and redeploy images regularly to pick up base-image security updates
If you discover a security vulnerability, please:
- Do not open a public issue
- Email security details to: [security email here]
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
We will respond within 48 hours and work with you to resolve the issue.
- Use HTTPS in production
- Set up proper firewall rules
- Monitor logs for suspicious activity
- Keep Docker images updated
- Use strong, unique tokens if authentication is enabled
- Consider rate limiting for public deployments
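Rate limiting a public deployment that sits behind a reverse proxy has one common pitfall: keying on `X-Forwarded-For` without checking who sent it lets any client pick its own key. The following is an added example, not PodWeb's own code: a per-client token-bucket limiter plus a client-key function that only honours `X-Forwarded-For` when the direct peer is one of the configured proxies, and then takes the rightmost address that is not itself a trusted proxy. The class and function names, the bucket sizes and the addresses are assumptions.

```javascript
// Added example (not PodWeb code): token-bucket rate limiting keyed by client
// address, for a deployment behind nginx/Traefik. Assumes the proxy appends the
// peer address to X-Forwarded-For as those proxies do by default.

class TokenBucketLimiter {
  // capacity: burst size; refillPerSecond: sustained rate.
  // `now` is injectable so the behaviour can be tested without sleeping.
  constructor({ capacity, refillPerSecond, now = () => Date.now() }) {
    this.capacity = capacity;
    this.refillPerSecond = refillPerSecond;
    this.now = now;
    this.buckets = new Map();
  }

  // Returns true and consumes a token if the client may proceed, else false.
  allow(key) {
    const t = this.now();
    let bucket = this.buckets.get(key);
    if (!bucket) {
      bucket = { tokens: this.capacity, updated: t };
      this.buckets.set(key, bucket);
    }
    const elapsed = (t - bucket.updated) / 1000;
    bucket.tokens = Math.min(this.capacity, bucket.tokens + elapsed * this.refillPerSecond);
    bucket.updated = t;
    if (bucket.tokens >= 1) {
      bucket.tokens -= 1;
      return true;
    }
    return false;
  }

  // Seconds until one token is available, for the Retry-After header.
  retryAfter(key) {
    const bucket = this.buckets.get(key);
    if (!bucket || bucket.tokens >= 1) return 0;
    return Math.ceil((1 - bucket.tokens) / this.refillPerSecond);
  }
}

// Pick the address to rate-limit on. X-Forwarded-For is only trusted when the
// TCP peer is a known proxy; the client is the rightmost hop that is not a
// trusted proxy, so a client-supplied leading value cannot change the key.
function clientKey(req, trustedProxies) {
  const peer = req.socket.remoteAddress;
  if (!trustedProxies.has(peer)) return peer;
  const xff = req.headers['x-forwarded-for'];
  if (!xff) return peer;
  const hops = xff.split(',').map((s) => s.trim()).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trustedProxies.has(hops[i])) return hops[i];
  }
  return peer;
}

// Middleware-style gate: returns true if the request may continue, otherwise
// writes a 429 with Retry-After and returns false.
function rateLimitGate(limiter, trustedProxies, req, res) {
  const key = clientKey(req, trustedProxies);
  if (limiter.allow(key)) return true;
  res.writeHead(429, {
    'Content-Type': 'text/plain',
    'Retry-After': String(limiter.retryAfter(key)),
  });
  res.end('Too Many Requests');
  return false;
}
```

The token bucket is per process; with several replicas each one enforces its own limit, so for a multi-instance deployment the limit belongs in the reverse proxy or a shared store instead. Direct access that bypasses the proxy should be blocked by the firewall rules mentioned above, otherwise the proxy's own limits are moot.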