| Version | Supported |
|---|---|
| 1.0.x | ✅ |
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report security vulnerabilities by emailing the maintainer directly. Include:
- Description: Detailed description of the vulnerability
- Impact: What an attacker could potentially do
- Steps to Reproduce: How to reproduce the issue
- Proof of Concept: If applicable (but please be responsible)
- Suggested Fix: If you have ideas on how to fix it
You should receive a response within 48 hours. If the issue is confirmed, we will:
- Work on a fix
- Release a security patch
- Credit you for the discovery (unless you prefer to remain anonymous)
Critical: Never hardcode API keys in your code or commit them to version control.
# GOOD: Use environment variables
export BRIDGE_API_KEY="$(openssl rand -base64 32)"
./bridge
# BAD: Hardcoded in code
# const apiKey = "my-secret-key" // DON'T DO THISGenerate cryptographically secure API keys:
# Generate a strong random API key (32 bytes, base64 encoded)
openssl rand -base64 32
# Or use uuidgen
uuidgen-
Use HTTPS in Production
- Run the bridge behind a reverse proxy (nginx, Caddy, Traefik)
- Enable TLS/SSL certificates (Let's Encrypt recommended)
Example nginx configuration:
server { listen 443 ssl http2; server_name bridge.example.com; ssl_certificate /path/to/cert.pem; ssl_certificate_key /path/to/key.pem; location / { proxy_pass http://localhost:8080; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $host; } }
-
Firewall Configuration
- Only expose the bridge port to trusted networks
- Use firewall rules to restrict access
# Example: Allow only from specific IP ufw allow from 192.168.1.0/24 to any port 8080 -
Rate Limiting
- Implement rate limiting at the reverse proxy level
- Prevent brute-force attacks on the API key
-
Separate API Keys
- Use different API keys for different environments (dev, staging, production)
- Rotate API keys regularly
-
Principle of Least Privilege
- Only grant access to systems that need it
- Use network segmentation when possible
-
Enable Logging
- Monitor bridge access logs
- Set up alerts for suspicious activity
-
Log Rotation
- Implement log rotation to prevent disk space issues
- Retain logs for security auditing
- API key is strong and randomly generated
- API key is stored in environment variable (not hardcoded)
- Bridge runs behind HTTPS reverse proxy in production
- Firewall rules restrict access to trusted networks
- Rate limiting is enabled
- Logs are monitored
- System and dependencies are up to date
- Unnecessary services are disabled
- File permissions are properly set (
chmod 700 bridge)
If running in Docker:
-
Use environment variables for secrets
# docker-compose.yml services: bridge: environment: - BRIDGE_API_KEY=${BRIDGE_API_KEY}
-
Run as non-root user
USER nobody -
Limit container capabilities
security_opt: - no-new-privileges:true cap_drop: - ALL
- Keep Go runtime updated
- Monitor for security advisories
- Update dependencies regularly
Earlier versions logged the full API key on startup. This has been fixed in v1.0.0 - only the last 4 characters are now shown.
If using an older version, avoid logging to public locations.
The bridge itself does not implement HTTPS. You must use a reverse proxy with TLS in production. Running the bridge directly exposed to the internet over HTTP is insecure.
The in-game Lua environment has limitations:
- The FicsIt-Networks mod may have its own security considerations
- Network communication happens over game protocols
- Consider the security implications of allowing game control
- Day 0: Vulnerability reported
- Day 1-2: Confirmation and assessment
- Day 3-14: Development and testing of fix
- Day 14: Security patch released
- Day 14+: Public disclosure (after users have time to update)
Contributors who responsibly disclose security vulnerabilities will be listed here (with permission).
Last Updated: 2026-02-13