diff --git a/README.md b/README.md index 8277480..ce26716 100644 --- a/README.md +++ b/README.md @@ -13,6 +13,7 @@ SQLite Docker ready Server rendered UI + License: MIT

--- @@ -335,7 +336,7 @@ Presentation-layer note: ### Offline and connectivity - the app shell and previously fetched `GET /api/items` views are cached by the service worker for offline reuse -- this offline/PWA behavior requires a secure-context origin where service workers are available (for example `localhost` or HTTPS); plain HTTP network IP origins such as `http://100.94.224.102:9002` do not get service-worker-based offline reopen support on iOS +- this offline/PWA behavior requires a secure-context origin where service workers are available (for example `localhost` or HTTPS); plain HTTP network IP origins such as `http://100.94.224.102:9[...] - when the browser goes offline, a no-wifi indicator appears before the refresh button instead of showing connectivity toasts - if an offline view has no cached `/api/items` response yet, the list is replaced with `Offline and no cached items are available for this view yet.` - when the browser comes back online, the no-wifi indicator disappears and the current view is re-fetched silently from `/api/items` @@ -415,6 +416,18 @@ docker run --rm -v "$PWD":/src -w /src golang:1.24-bookworm go test ./... --- +## Security + +For security concerns, please email [hi@boringcode.dev](mailto:hi@boringcode.dev) instead of using the issue tracker. See [SECURITY.md](SECURITY.md) for more details. + +--- + +## License + +This project is licensed under the MIT License — see the [LICENSE](LICENSE) file for details. + +--- + ## Repository hygiene The SQLite runtime data directory is intentionally ignored: diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..803eb7a --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,60 @@ +# Security Policy + +## Reporting a Vulnerability + +We take security seriously. If you discover a security vulnerability in feedreader, please report it responsibly by emailing [hi@boringcode.dev](mailto:hi@boringcode.dev) instead of using the public issue tracker. + +When reporting a security issue, please include: + +- A description of the vulnerability +- Steps to reproduce the issue (if applicable) +- The affected version(s) +- Any potential impact or proof of concept + +We will acknowledge your report within 48 hours and work with you to understand and resolve the issue promptly. + +## Security Considerations for Deployment + +Since feedreader is a self-hosted application, the following best practices are recommended: + +### Network Security + +- Run feedreader behind a reverse proxy (nginx, Caddy, etc.) with TLS/HTTPS enabled +- Use a firewall to restrict access to the application +- Consider running the application in an isolated network segment + +### Data Security + +- Store the SQLite database file on an encrypted filesystem +- Regularly back up the database +- Ensure proper file permissions on the data directory + +### Container Security + +- Keep the base Docker image and Go runtime updated +- Run the container with minimal required privileges +- Use secrets management for sensitive configuration values + +### Dependency Management + +- Monitor dependencies for security updates +- Keep Go and other dependencies current + +## Supported Versions + +Security updates will be provided for: + +- The current release and latest version +- The previous minor version if critical + +## Disclosure Timeline + +We aim to: + +1. Acknowledge receipt of the report within 48 hours +2. Begin investigation and reproduce the issue +3. Develop and test a fix +4. Publish a security release (if needed) +5. Notify the reporter of the resolution + +We appreciate your responsible disclosure and will credit you appropriately unless you prefer to remain anonymous.