If you discover a security vulnerability in rustfava, please report it through GitHub's private vulnerability reporting:
- Go to the Security Advisories page
- Click "Report a vulnerability"
- Provide details about the vulnerability
We will respond within 48 hours and work with you to address the issue.
Please do not open public issues for security vulnerabilities.
When deploying rustfava in production, consider the following security headers:
```python
# Example Flask middleware for security headers
from flask import Flask

app = Flask(__name__)  # or your existing application object


@app.after_request
def set_security_headers(response):
    # Stop browsers from MIME-sniffing a response into a different content type
    response.headers['X-Content-Type-Options'] = 'nosniff'
    # Refuse to be rendered inside a frame (clickjacking protection)
    response.headers['X-Frame-Options'] = 'DENY'
    # Legacy header: current browsers ignore it, older ones still honour it
    response.headers['X-XSS-Protection'] = '1; mode=block'
    # Send only the origin cross-site, and nothing on an HTTPS-to-HTTP downgrade
    response.headers['Referrer-Policy'] = 'strict-origin-when-cross-origin'
    return response
```

For production deployments behind a reverse proxy (nginx, Caddy, etc.):
- Use HTTPS with valid certificates
- Set appropriate Content-Security-Policy headers
- Enable HSTS (HTTP Strict Transport Security)
- Restrict access to trusted networks if handling sensitive financial data
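The following is an added example, not rustfava's own code, that builds the full header set recommended above (including Content-Security-Policy and HSTS) and audits a response's headers for the weak spots a practitioner checks after deploying behind a reverse proxy. The CSP directives, the one-year HSTS minimum and the `served_over_https` flag are assumptions; the functions are framework-agnostic, so the dictionary can be merged into the `after_request` hook shown above.

```python
# Added example (not rustfava's own code): build and audit security headers
# for a deployment behind a TLS-terminating reverse proxy.

MIN_HSTS_MAX_AGE = 31536000  # one year; assumption, a common minimum for HSTS


def build_security_headers(served_over_https: bool) -> dict:
    """Return the response headers a hardened deployment should send.

    HSTS is only meaningful on HTTPS responses (browsers ignore it over
    plain HTTP), so it is added only when the proxy reports TLS.
    """
    headers = {
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
        "Referrer-Policy": "strict-origin-when-cross-origin",
        # Constructed policy: same-origin resources only, no plugins, no framing.
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; style-src 'self'; "
            "img-src 'self' data:; object-src 'none'; frame-ancestors 'none'; "
            "base-uri 'self'; form-action 'self'"
        ),
    }
    if served_over_https:
        headers["Strict-Transport-Security"] = (
            f"max-age={MIN_HSTS_MAX_AGE}; includeSubDomains"
        )
    return headers


def _parse_csp(value: str) -> dict:
    """Split a CSP string into {directive: [source, ...]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _hsts_max_age(value: str):
    """Extract max-age from an HSTS header, or None if absent or malformed."""
    for token in value.split(";"):
        name, _, number = token.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(number.strip())
            except ValueError:
                return None
    return None


def audit_security_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means the header set looks sound."""
    # Header names are case-insensitive, so normalise before checking.
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for required in ("x-content-type-options", "x-frame-options",
                     "referrer-policy", "content-security-policy",
                     "strict-transport-security"):
        if required not in h:
            findings.append(f"missing {required}")
    if "x-frame-options" in h and h["x-frame-options"].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("x-frame-options should be DENY or SAMEORIGIN")
    csp = h.get("content-security-policy")
    if csp is not None:
        directives = _parse_csp(csp)
        # script-src falls back to default-src when not given explicitly
        script_src = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script_src or "*" in script_src:
            findings.append("content-security-policy allows inline or wildcard scripts")
        if "frame-ancestors" not in directives:
            findings.append("content-security-policy lacks frame-ancestors")
    hsts = h.get("strict-transport-security")
    if hsts is not None:
        max_age = _hsts_max_age(hsts)
        if max_age is None or max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"strict-transport-security max-age below {MIN_HSTS_MAX_AGE}")
    return findings


if __name__ == "__main__":
    # Constructed header sets: one from the builder, one deliberately weakened.
    print("hardened:", audit_security_headers(build_security_headers(True)))
    weak = build_security_headers(True)
    weak["Strict-Transport-Security"] = "max-age=300"
    print("weakened:", audit_security_headers(weak))
```

The audit is meant to be run against the headers actually observed at the proxy's public edge, since a reverse proxy can strip or override what the application sets; a non-empty result is the signal to compare proxy and application configuration.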
Never commit sensitive data. Use environment variables for:
- API keys and tokens
- Database credentials
- Secret keys for session management
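As an added example (not rustfava's own code) of reading those values from the environment, the loader below fails closed: a missing, empty or too-short secret stops startup instead of silently falling back to a hard-coded default. The variable names `RUSTFAVA_SECRET_KEY` and `RUSTFAVA_DATABASE_URL` and the 32-character minimum are assumptions for illustration.

```python
# Added example (not rustfava's own code): load secrets from the environment
# and refuse to start with a missing or weak value.
import os

MIN_SECRET_KEY_LENGTH = 32  # assumption: generate with secrets.token_urlsafe(32)


class MissingSecretError(RuntimeError):
    """Raised when a required secret is absent or does not meet policy."""


def load_secret(name: str, environ=None, min_length: int = 1) -> str:
    """Return the value of environment variable `name`, or raise.

    `environ` defaults to os.environ; a mapping can be passed for tests.
    """
    env = os.environ if environ is None else environ
    value = env.get(name)
    # Treat an empty or whitespace-only value as unset: it is never a valid secret.
    if value is None or value.strip() == "":
        raise MissingSecretError(f"{name} is not set; refusing to start")
    if len(value) < min_length:
        raise MissingSecretError(f"{name} is shorter than {min_length} characters")
    return value


def load_app_config(environ=None) -> dict:
    """Assemble the secret-bearing settings; hypothetical variable names."""
    return {
        "SECRET_KEY": load_secret("RUSTFAVA_SECRET_KEY", environ, MIN_SECRET_KEY_LENGTH),
        "DATABASE_URL": load_secret("RUSTFAVA_DATABASE_URL", environ),
    }


if __name__ == "__main__":
    try:
        config = load_app_config()
        print("loaded", sorted(config))  # print the names, never the values
    except MissingSecretError as exc:
        print("startup refused:", exc)
```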
This repository uses:
- Dependabot: Automated dependency updates for security patches
- CodeQL: Static analysis for Python and JavaScript vulnerabilities