We release security updates for the following versions:

We take the security of OpenShort.link seriously. If you discover a security vulnerability, please report it responsibly.

Email: contact@openshort.link

Please include:

• Description of the vulnerability
• Steps to reproduce the issue
• Potential impact assessment
• Suggested fix (if you have one)
• Your name/handle for credit (optional)

• Initial Response: Within 48-72 hours
• Status Update: We'll keep you informed of our progress
• Resolution Timeline: We aim to address critical issues within 7 days
• Public Disclosure: After a fix is deployed, we'll coordinate disclosure timing with you

Security researchers who responsibly disclose vulnerabilities will be:

• Publicly credited in our release notes (unless you prefer to remain anonymous)
• Listed in our security acknowledgments
• Given a contributor badge on GitHub

We appreciate your efforts to improve the security of OpenShort.link and the broader community.

OpenShort.link implements multiple layers of security to protect your data and infrastructure:

• Multi-Factor Authentication (MFA): TOTP-based two-factor authentication for enhanced account security
• Role-Based Access Control (RBAC): Four permission levels (owner, admin, user, analyst) with granular access controls
• No Public Registration: Only administrators can create new user accounts
• Session Management: Secure, HttpOnly cookies with SameSite protection and 7-day expiration
• Password Security: PBKDF2 hashing with 100,000 iterations and SHA-256

• API Key Authentication: Secure token-based authentication for programmatic access
• Domain Scoping: Restrict API keys to specific domains
• IP Whitelisting: Limit API access to trusted IP addresses
• Rate Limiting: Protection against brute-force attacks and API abuse

Application-level rate limiting protects against abuse:

• Login Attempts: 5 failed attempts per 2 hours (configurable for testing environments)
• API Endpoints: Configurable rate limits per endpoint
• Registration: 3 new user registrations per hour

Built on Cloudflare's secure infrastructure:

• Edge Computing: All requests processed at Cloudflare's global edge network
• DDoS Protection: Automatic protection against distributed denial-of-service attacks
• SSL/TLS: All traffic encrypted in transit
• Serverless Architecture: No servers to patch or maintain

For production deployments, we recommend configuring Cloudflare WAF (Web Application Firewall) rules:

Limit dashboard and API access to trusted IP addresses:

Rule: (http.request.uri.path starts with "/dashboard" or http.request.uri.path starts with "/api") 
      and ip.src not in {your.trusted.ip.address}
Action: Block

Block access from unauthorized countries:

Rule: (http.request.uri.path starts with "/dashboard" or http.request.uri.path starts with "/api") 
      and ip.geoip.country not in {"US" "GB" "AU"}
Action: Block

Add edge-level rate limiting:

Rule: http.request.uri.path starts with "/dashboard" or http.request.uri.path starts with "/api"
Limit: 100 requests per 10 minutes
Action: Block for 1 hour

See the README.md for detailed configuration instructions.

• Critical vulnerabilities: Patched and released as soon as possible (target: within 7 days)
• High severity: Released within 30 days
• Medium/Low severity: Included in the next scheduled release

Security updates are announced via:

• GitHub Security Advisories
• Release notes
• Project discussions

When deploying OpenShort.link, follow these best practices:

1. Use Strong Secrets

   • Generate SETUP_TOKEN with openssl rand -hex 32
   • Never commit secrets to version control
   • Rotate API tokens regularly

2. Enable MFA

   • Require MFA for all administrator accounts
   • Use authenticator apps (not SMS)

3. Configure Cloudflare WAF

   • Implement IP restrictions for dashboard access
   • Enable rate limiting at the edge
   • Monitor security events regularly

4. Regular Updates

   • Keep your deployment up to date with the latest releases
   • Subscribe to security advisories
   • Test updates in a staging environment first

5. Monitor Access Logs

   • Review Cloudflare Analytics for suspicious activity
   • Set up alerts for unusual traffic patterns
   • Audit user access regularly

6. Principle of Least Privilege

   • Grant users the minimum required permissions
   • Regularly audit user roles and access
   • Revoke access for inactive user accounts

7. Trust and Access Control

   • Only grant user accounts to trusted individuals
   • Verify identity before creating admin or owner accounts
   • Limit API key distribution to authorized personnel only
   • Treat API keys like passwords - never share publicly
   • Revoke access immediately when team members leave

This security policy applies to:

• The OpenShort.link application code
• Official deployment methods and documentation
• Dependencies managed in package.json

Out of Scope:

• Third-party Cloudflare infrastructure (report to Cloudflare directly)
• User-specific configurations and customizations
• Social engineering attacks

For security-related questions or concerns:

• Email: contact@openshort.link
• GitHub Issues: For non-sensitive security discussions
• GitHub Security Advisories: For coordinated vulnerability disclosure

Thank you for helping keep OpenShort.link and our community safe!