Cotabs is an active work-in-progress, self-hostable application. It is not hardened for hostile multi-tenant production use. Run it behind your own auth perimeter and review the configuration below before exposing it publicly.
Please report security issues privately — do not open a public issue.
- Preferred: open a GitHub private security advisory.
- Or email the maintainer (see the GitHub profile at https://github.com/Buronn).
Include reproduction steps and the affected component (backend / frontend / infra). Expect an initial acknowledgement within a few days; this is a hobby project, so fixes are best-effort.
- Set a real
JWT_SECRET(≥ 32 random chars). The committed.env.exampleships a placeholder — never deploy with it. - Set a real
POSTGRES_PASSWORD. The devcompose.ymlusesdevpassword; override it in production. - Keep the WebSocket origin check on.
CheckOriginenforces same-origin — do not relax it without a reason. - Terminate TLS at your proxy (Nginx / NPM). The app speaks plain HTTP/WS internally and expects a TLS-terminating front.
- Do not commit secrets.
.env,*.pem, and the SoundFont binaries are gitignored — keep them that way.
- Auth is JWT (HS256) in a query param for WS + bearer for REST; tokens are
validated and membership is checked per song (
song_members). - Passwords are bcrypt-hashed. Minimum length is enforced server-side.
- There is no automated test or security-scan suite yet.