| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |

We take security vulnerabilities seriously. If you discover a security vulnerability in Domäjner, please report it responsibly.

Please do NOT create a public issue for security vulnerabilities. Instead, please email the security details to: [your-security-email@domain.com]
Include the following information in your report:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Suggested fix (if you have one)

What to expect after reporting:
- Acknowledgment: We'll acknowledge receipt within 24 hours
- Assessment: Initial assessment within 72 hours
- Updates: Regular updates on our progress
- Resolution: We aim to resolve critical issues within 7 days
Domäjner implements several security measures:
- Cryptographically secure random token generation using `crypto.randomBytes()`
- 30-minute token expiration
- One-time use enforcement
- Automatic cleanup of expired tokens
- Email domain whitelist validation
- Admin password protection
- Session-based authentication
- Input validation and sanitization
- URL rewriting for anonymity
- Header filtering and sanitization
- XSS protection
- Request/response validation
- Docker containerization with non-root user
- Health check endpoints
- Logging and monitoring
- Environment variable protection

When deploying Domäjner:
- Use HTTPS: Always deploy behind HTTPS
- Strong passwords: Use strong admin passwords
- Regular updates: Keep dependencies updated
- Domain validation: Carefully configure allowed domains
- Monitoring: Monitor logs for suspicious activity
- Firewall: Restrict access to admin interfaces
- Backup: Keep regular backups of configuration

Known limitations:
- Proxy Mode Limitations: Some advanced web applications may not work perfectly through the proxy
- Direct Mode: Real URLs are exposed in Direct Mode (by design)
- Email Security: Security depends on the security of the email system
- Session Management: Admin sessions use simple session storage

We follow responsible disclosure:
- Day 0: Vulnerability reported
- Day 1: Acknowledgment sent
- Day 3: Initial assessment completed
- Day 7: Fix developed (for critical issues)
- Day 14: Fix released and disclosure coordinated
- Day 30: Public disclosure (if safe)

Security updates will be:
- Released as patch versions (e.g., 1.0.1)
- Announced in release notes
- Documented in CHANGELOG.md
- Posted on GitHub Security Advisories

Thank you for helping keep Domäjner secure!