Skip to content

Security: Buronn/cotabs

Security

SECURITY.md

Security Policy

Status

Cotabs is an active work-in-progress, self-hostable application. It is not hardened for hostile multi-tenant production use. Run it behind your own auth perimeter and review the configuration below before exposing it publicly.

Reporting a vulnerability

Please report security issues privately — do not open a public issue.

Include reproduction steps and the affected component (backend / frontend / infra). Expect an initial acknowledgement within a few days; this is a hobby project, so fixes are best-effort.

Deployment hardening checklist

  • Set a real JWT_SECRET (≥ 32 random chars). The committed .env.example ships a placeholder — never deploy with it.
  • Set a real POSTGRES_PASSWORD. The dev compose.yml uses devpassword; override it in production.
  • Keep the WebSocket origin check on. CheckOrigin enforces same-origin — do not relax it without a reason.
  • Terminate TLS at your proxy (Nginx / NPM). The app speaks plain HTTP/WS internally and expects a TLS-terminating front.
  • Do not commit secrets. .env, *.pem, and the SoundFont binaries are gitignored — keep them that way.

Scope notes

  • Auth is JWT (HS256) in a query param for WS + bearer for REST; tokens are validated and membership is checked per song (song_members).
  • Passwords are bcrypt-hashed. Minimum length is enforced server-side.
  • There is no automated test or security-scan suite yet.

There aren't any published security advisories