tududi/SECURITY.md
2025-11-01 08:10:01 +02:00

Security Policy

Supported Versions

We release security updates for the following versions of tududi:

Version    Supported
0.85.x     Yes
< 0.85     No

We recommend always running the latest version to ensure you have the latest security patches.

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

If you discover a security vulnerability in tududi, please report it privately to help us fix it before public disclosure.

How to Report

  1. Contact: Send the details privately to the repository owner via GitHub, or open a GitHub Security Advisory on the repository

  2. Include in your report:

    • Description of the vulnerability
    • Steps to reproduce the issue
    • Potential impact
    • Suggested fix (if you have one)
    • Your contact information

What to Expect

  • Acknowledgment: We'll acknowledge receipt of your report within 48 hours
  • Updates: We'll keep you informed about the progress of fixing the issue
  • Timeline: We aim to release a fix within 30 days for critical vulnerabilities
  • Credit: We'll credit you in the security advisory (unless you prefer to remain anonymous)

Security Best Practices

When deploying tududi, we recommend:

Production Deployment

  • Use strong passwords: Set secure TUDUDI_USER_PASSWORD and TUDUDI_SESSION_SECRET
  • HTTPS only: Always use HTTPS in production (reverse proxy with Let's Encrypt)
  • Keep updated: Regularly update to the latest version
  • Secure database: Protect database files with proper permissions
  • Environment variables: Never commit .env files or secrets to version control
  • Backup regularly: Keep secure backups of your database

Docker Security

# Generate a strong session secret (64 random bytes, hex-encoded = 128 characters)
TUDUDI_SESSION_SECRET=$(openssl rand -hex 64)

# Restrict the bind-mounted volumes to the owning user only (no group/other access)
chmod 700 ~/tududi_db
chmod 700 ~/tududi_uploads

Self-Hosting Checklist

  • Strong, unique passwords for all accounts
  • HTTPS enabled with valid certificate
  • Database files protected (not publicly accessible)
  • Regular security updates applied
  • Firewall configured to restrict access
  • Regular backups scheduled

Known Security Considerations

Authentication & Sessions

  • Sessions use express-session with secure settings
  • Passwords are hashed with bcrypt
  • Session secrets should be cryptographically random (64+ characters)

Data Storage

  • SQLite database stores all user data
  • Uploads are stored in the filesystem
  • Ensure proper file permissions on production servers

Telegram Integration

  • Bot tokens are sensitive credentials
  • Store TELEGRAM_BOT_TOKEN securely
  • Never expose tokens in logs or error messages

Security Updates

Security updates are released as patch versions (e.g., 0.85.1 → 0.85.2). Critical vulnerabilities may warrant immediate releases.

Subscribe to GitHub Releases or watch the repository to be notified of security updates.

Thank you for helping keep tududi and its users secure!