Please report security vulnerabilities privately. Do not open a public GitHub issue for security problems.
Email lukasz@postsider.com with:
- a description of the issue and its impact,
- steps to reproduce (proof of concept if possible),
- affected version / commit.
You will get an acknowledgement within 72 hours and a remediation plan once the report is triaged. Please give us a reasonable window to ship a fix before any public disclosure. We are happy to credit reporters who want it.
Security fixes target the latest `main`. Self-hosters should track tagged releases and apply updates promptly (`docker compose pull && docker compose up -d`).
PostSider is built with the following protections:
- Secrets at rest — provider credentials and reversible secrets are encrypted (AES-256-GCM when `ENCRYPTION_KEY` is set, legacy AES-256-CBC otherwise). Passwords are hashed with bcrypt.
- Startup guard — the app refuses to boot without `JWT_SECRET` and aborts if `NOT_SECURED` is enabled in production.
- HTTP hardening — strict CORS allow-list, security headers (CSP, X-Frame-Options, HSTS in production), `httpOnly`/`secure` cookies.
- SSRF protection — outbound webhook and inbound delivery requests use an SSRF-safe dispatcher that blocks internal / link-local addresses.
- Rate limiting — Redis-backed global throttler plus a dedicated guard on authentication endpoints.
- Uploads — magic-byte validation, MIME allow-list, SVG rejected, size limits enforced.
- Database — all access via Prisma (parameterized); no raw SQL on user input.
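The SSRF-safe dispatcher item above is the one most often implemented incompletely, so here is an added example (written for this page, not PostSider's own dispatcher code) of the address policy such a guard needs: reject non-HTTP schemes and embedded credentials, treat IP literals and every resolved record of a hostname the same way, and fail closed on anything unparseable. The DNS resolver is injected so the check can be exercised offline; `dnsResolver`, `assertSafeWebhookUrl` and the block list are this example's own names, not identifiers from the project.

```typescript
// Added example, not PostSider's code: outbound-URL policy for a webhook dispatcher.
import { isIP } from "node:net";
import { promises as dns } from "node:dns";

export type Resolver = (hostname: string) => Promise<string[]>;

// Default resolver returns every A/AAAA record so each candidate address is checked,
// not just the first one the OS happens to prefer.
export const dnsResolver: Resolver = async (hostname) =>
  (await dns.lookup(hostname, { all: true })).map((r) => r.address);

function ipv4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

// Ranges a server-side fetcher must never reach (RFC 1918, loopback, link-local
// including the 169.254.169.254 cloud metadata endpoint, CGNAT, multicast, reserved).
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["224.0.0.0", 4], ["240.0.0.0", 4],
];

export function isBlockedIPv4(ip: string): boolean {
  const n = ipv4ToInt(ip);
  return BLOCKED_V4.some(([base, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
  });
}

export function isBlockedIPv6(ip: string): boolean {
  const a = ip.toLowerCase();
  // IPv4-mapped addresses (dotted or hex form) are judged by the embedded IPv4 address.
  const dotted = a.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  if (dotted) return isBlockedIPv4(dotted[1]);
  const hex = a.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (hex) {
    const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
    return isBlockedIPv4(`${hi >> 8}.${hi & 0xff}.${lo >> 8}.${lo & 0xff}`);
  }
  if (a === "::" || a === "::1") return true; // unspecified, loopback
  const first = a.startsWith(":") ? 0 : parseInt(a.split(":")[0], 16);
  if ((first & 0xfe00) === 0xfc00) return true; // fc00::/7 unique local
  if ((first & 0xffc0) === 0xfe80) return true; // fe80::/10 link-local
  if ((first & 0xff00) === 0xff00) return true; // ff00::/8 multicast
  return false;
}

export function isBlockedAddress(ip: string): boolean {
  const version = isIP(ip);
  if (version === 4) return isBlockedIPv4(ip);
  if (version === 6) return isBlockedIPv6(ip);
  return true; // not a parseable address: fail closed
}

// Validates a user-supplied webhook URL and returns the addresses it may connect to.
export async function assertSafeWebhookUrl(raw: string, resolve: Resolver = dnsResolver): Promise<string[]> {
  let url: URL;
  try { url = new URL(raw); } catch { throw new Error("invalid URL"); }
  if (url.protocol !== "http:" && url.protocol !== "https:") throw new Error(`scheme not allowed: ${url.protocol}`);
  if (url.username || url.password) throw new Error("credentials in URL are not allowed");
  // The WHATWG parser already canonicalises decimal/hex/octal IPv4 spellings; strip IPv6 brackets.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  if (host === "localhost" || host.endsWith(".localhost")) throw new Error("localhost is not allowed");
  const addrs = isIP(host) ? [host] : await resolve(host);
  if (addrs.length === 0) throw new Error("hostname did not resolve");
  for (const a of addrs) {
    if (isBlockedAddress(a)) throw new Error(`address ${a} is not reachable from the dispatcher`);
  }
  return addrs;
}
```

The returned address list matters: a dispatcher that validates the hostname and then lets the HTTP client resolve it again is open to DNS rebinding, so the request should be pinned to one of the vetted addresses (for example through a custom `lookup` on the HTTP agent) and the same check repeated on every redirect.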
CI runs `pnpm audit` on every push. Known transitive advisories are pinned to patched versions via `overrides` in `pnpm-workspace.yaml`. Operators who want to verify can run:

```sh
pnpm audit --prod
```

`multer@1.x` (used transitively for multipart uploads) carries a DoS advisory fixed in `2.x`. The 2.x line is a breaking change and is being validated before adoption; upload size limits already mitigate the practical impact.
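The size limit that mitigates the multer advisory and the upload checks listed earlier (magic bytes, MIME allow-list, SVG rejection) fit together in one validation step. The following is an added example of that step, written for this page rather than taken from PostSider; the 5 MiB cap, the function names and the constructed sample buffers are assumptions of the example, and the sniffer recognises only PNG, JPEG, GIF and WebP.

```typescript
// Added example, not PostSider's code: content-based validation of an image upload.
// The declared MIME type and filename are hints only; the bytes decide, and SVG is
// refused whatever the client claims because it is XML that can carry script.
const MAX_UPLOAD_BYTES = 5 * 1024 * 1024; // assumed cap for this example

export type Sniffed = "image/png" | "image/jpeg" | "image/gif" | "image/webp";
export type UploadVerdict = { ok: true; mime: Sniffed } | { ok: false; reason: string };

const ALLOWED: ReadonlySet<string> = new Set<Sniffed>(["image/png", "image/jpeg", "image/gif", "image/webp"]);

function hasBytes(buf: Buffer, sig: number[], offset = 0): boolean {
  if (buf.length < offset + sig.length) return false;
  return sig.every((b, i) => buf[offset + i] === b);
}

// Identify the container from its magic bytes; null means "not an image we accept".
export function sniffImage(buf: Buffer): Sniffed | null {
  if (hasBytes(buf, [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a])) return "image/png";
  if (hasBytes(buf, [0xff, 0xd8, 0xff])) return "image/jpeg";
  if (hasBytes(buf, [0x47, 0x49, 0x46, 0x38]) && (buf[4] === 0x37 || buf[4] === 0x39) && buf[5] === 0x61) return "image/gif";
  if (hasBytes(buf, [0x52, 0x49, 0x46, 0x46]) && hasBytes(buf, [0x57, 0x45, 0x42, 0x50], 8)) return "image/webp";
  return null;
}

// Cheap textual check so an SVG mislabelled as image/png is still caught by name.
function looksLikeSvg(buf: Buffer): boolean {
  const head = buf.subarray(0, 1024).toString("utf8").replace(/^\uFEFF/, "").trimStart();
  return /^(<\?xml[\s\S]*?\?>\s*)?(<!--[\s\S]*?-->\s*)*(<!DOCTYPE[^>]*>\s*)?<svg[\s>]/i.test(head);
}

export function validateUpload(buf: Buffer, declaredMime: string, filename: string): UploadVerdict {
  if (buf.length === 0) return { ok: false, reason: "empty file" };
  if (buf.length > MAX_UPLOAD_BYTES) return { ok: false, reason: "file exceeds size limit" };
  const declared = declaredMime.toLowerCase().split(";")[0].trim();
  const ext = filename.toLowerCase().split(".").pop() ?? "";
  if (declared === "image/svg+xml" || ext === "svg" || looksLikeSvg(buf)) {
    return { ok: false, reason: "SVG is not accepted" };
  }
  if (!ALLOWED.has(declared)) return { ok: false, reason: `declared type ${declared} is not in the allow-list` };
  const sniffed = sniffImage(buf);
  if (sniffed === null) return { ok: false, reason: "content is not a recognised image" };
  // A mismatch is rejected rather than silently corrected so the client cannot
  // pick which parser downstream consumers will use.
  if (sniffed !== declared) return { ok: false, reason: `declared ${declared} but content is ${sniffed}` };
  return { ok: true, mime: sniffed };
}

// Constructed sample inputs: minimal headers, not real image data.
export const SAMPLE_PNG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d, 0x49, 0x48, 0x44, 0x52]);
export const SAMPLE_SVG = Buffer.from('<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"></svg>');
```

The size check runs before anything is parsed, which is the order that matters for the DoS class of issue: the multipart parser's own `limits` should cap the body as well, but the validator should not assume it did.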
- Set a strong, unique `JWT_SECRET` and a separate `ENCRYPTION_KEY`.
- Serve only over HTTPS (terminate TLS at your reverse proxy).
- Keep `NOT_SECURED=false` (the default).
- Set `DISABLE_REGISTRATION=true` after creating your account.
- Restrict database / Redis / MinIO ports to localhost or a private network.
- Keep `POLAR_*` and OAuth secrets out of version control (use `.env.production`, which is git-ignored).
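The startup guard described in the protections list and the checklist above express the same policy: some misconfigurations must stop the process, others only deserve a warning. As an added example (written for this page, not PostSider's own boot code), the function below evaluates an environment against that policy and separates fatal findings from warnings. The variable names are those the policy mentions; the 32-character minimum for `JWT_SECRET`, the 64-hex-character format for `ENCRYPTION_KEY` and the placeholder-detection pattern are assumptions of the example.

```typescript
// Added example, not PostSider's code: fail-closed configuration check run before the app binds a port.
export interface GuardResult { fatal: string[]; warnings: string[] }

const truthy = (v: string | undefined): boolean =>
  ["1", "true", "yes"].includes((v ?? "").trim().toLowerCase());

export function checkStartupConfig(env: Record<string, string | undefined>): GuardResult {
  const fatal: string[] = [];
  const warnings: string[] = [];
  const production = env.NODE_ENV === "production";

  // JWT_SECRET: missing, short or obviously placeholder values all abort.
  const jwt = env.JWT_SECRET ?? "";
  if (jwt.length === 0) fatal.push("JWT_SECRET is not set");
  else if (jwt.length < 32) fatal.push("JWT_SECRET is shorter than 32 characters (assumed minimum)");
  else if (/^(changeme|secret|password|test)/i.test(jwt)) fatal.push("JWT_SECRET looks like a placeholder");

  // ENCRYPTION_KEY: optional (legacy CBC path), but if present it must be well-formed and distinct.
  const enc = env.ENCRYPTION_KEY;
  if (enc === undefined || enc === "") {
    warnings.push("ENCRYPTION_KEY is not set; secrets at rest fall back to legacy AES-256-CBC");
  } else {
    if (!/^[0-9a-f]{64}$/i.test(enc)) fatal.push("ENCRYPTION_KEY must be 32 bytes as 64 hex characters (assumed format)");
    if (enc === jwt) fatal.push("ENCRYPTION_KEY must differ from JWT_SECRET");
  }

  // NOT_SECURED: a development convenience that must never reach production.
  if (truthy(env.NOT_SECURED)) {
    if (production) fatal.push("NOT_SECURED is enabled in production");
    else warnings.push("NOT_SECURED is enabled; do not run this way in production");
  }

  // Registration stays open until the operator closes it; remind them in production.
  if (production && !truthy(env.DISABLE_REGISTRATION)) {
    warnings.push("DISABLE_REGISTRATION is not set; set it once your account exists");
  }

  return { fatal, warnings };
}

// Boot-time wrapper: print everything, exit non-zero on any fatal finding.
export function enforceStartupConfig(env: Record<string, string | undefined> = process.env): void {
  const { fatal, warnings } = checkStartupConfig(env);
  for (const w of warnings) console.warn(`[startup] warning: ${w}`);
  if (fatal.length > 0) {
    for (const f of fatal) console.error(`[startup] fatal: ${f}`);
    process.exit(1);
  }
}
```

Keeping the evaluation pure (`checkStartupConfig`) and the side effects in a thin wrapper is what makes the policy testable; the wrapper is the only place that reads `process.env` or exits.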