Skip to content
This repository was archived by the owner on Jun 22, 2026. It is now read-only.
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 14 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@
<img src="https://img.shields.io/badge/SQLite-3-003B57?logo=sqlite&logoColor=white" alt="SQLite" />
<img src="https://img.shields.io/badge/Docker-ready-2496ED?logo=docker&logoColor=white" alt="Docker ready" />
<img src="https://img.shields.io/badge/Frontend-server--rendered-111827" alt="Server rendered UI" />
<img src="https://img.shields.io/badge/License-MIT-yellow.svg" alt="License: MIT" />
</p>

---
Expand Down Expand Up @@ -335,7 +336,7 @@ Presentation-layer note:
### Offline and connectivity

- the app shell and previously fetched `GET /api/items` views are cached by the service worker for offline reuse
- this offline/PWA behavior requires a secure-context origin where service workers are available (for example `localhost` or HTTPS); plain HTTP network IP origins such as `http://100.94.224.102:9002` do not get service-worker-based offline reopen support on iOS
- this offline/PWA behavior requires a secure-context origin where service workers are available (for example `localhost` or HTTPS); plain HTTP network IP origins such as `http://100.94.224.102:9[...]
- when the browser goes offline, a no-wifi indicator appears before the refresh button instead of showing connectivity toasts
- if an offline view has no cached `/api/items` response yet, the list is replaced with `Offline and no cached items are available for this view yet.`
- when the browser comes back online, the no-wifi indicator disappears and the current view is re-fetched silently from `/api/items`
Expand Down Expand Up @@ -415,6 +416,18 @@ docker run --rm -v "$PWD":/src -w /src golang:1.24-bookworm go test ./...

---

## Security

For security concerns, please email [hi@boringcode.dev](mailto:hi@boringcode.dev) instead of using the issue tracker. See [SECURITY.md](SECURITY.md) for more details.

---

## License

This project is licensed under the MIT License — see the [LICENSE](LICENSE) file for details.

---

## Repository hygiene

The SQLite runtime data directory is intentionally ignored:
Expand Down
60 changes: 60 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
# Security Policy

## Reporting a Vulnerability

We take security seriously. If you discover a security vulnerability in feedreader, please report it responsibly by emailing [hi@boringcode.dev](mailto:hi@boringcode.dev) instead of using the public issue tracker.

When reporting a security issue, please include:

- A description of the vulnerability
- Steps to reproduce the issue (if applicable)
- The affected version(s)
- Any potential impact or proof of concept

We will acknowledge your report within 48 hours and work with you to understand and resolve the issue promptly.

## Security Considerations for Deployment

Since feedreader is a self-hosted application, the following best practices are recommended:

### Network Security

- Run feedreader behind a reverse proxy (nginx, Caddy, etc.) with TLS/HTTPS enabled
- Use a firewall to restrict access to the application
- Consider running the application in an isolated network segment

### Data Security

- Store the SQLite database file on an encrypted filesystem
- Regularly back up the database
- Ensure proper file permissions on the data directory

### Container Security

- Keep the base Docker image and Go runtime updated
- Run the container with minimal required privileges
- Use secrets management for sensitive configuration values

### Dependency Management

- Monitor dependencies for security updates
- Keep Go and other dependencies current

## Supported Versions

Security updates will be provided for:

- The current release and latest version
- The previous minor version if critical

## Disclosure Timeline

We aim to:

1. Acknowledge receipt of the report within 48 hours
2. Begin investigation and reproduce the issue
3. Develop and test a fix
4. Publish a security release (if needed)
5. Notify the reporter of the resolution

We appreciate your responsible disclosure and will credit you appropriately unless you prefer to remain anonymous.
Loading