Please do not open a public issue for security vulnerabilities.
Report privately via GitHub's "Report a vulnerability" (Security → Advisories) on this repository, or email the maintainer. Include:
- a description and impact of the issue,
- steps to reproduce (PoC if possible),
- affected version/commit and configuration.
We aim to acknowledge reports within a few days and will coordinate a fix and disclosure timeline with you.
Errora is pre-1.0; security fixes target the main branch. Pin to a tagged commit for deployments and update regularly.
- Set `DEBUG=0` in production. The app refuses to boot without a real `SECRET_KEY` and `SECRETS_ENCRYPTION_KEY`, and then enforces secure cookies + HSTS + HTTPS redirect.
- Set `ALLOWED_HOSTS` to your real hostnames (the app rejects `*` when `DEBUG=0`).
- Outbound integration URLs (webhooks, AI/GitLab `base_url`) are SSRF-guarded (loopback/link-local/metadata blocked). On multi-tenant deployments also set `SSRF_BLOCK_PRIVATE=1` and add a network egress policy on the worker.
- Keep `INGEST_MAX_DECOMPRESSED_BYTES` and `INGEST_RATE_LIMIT_PER_MIN` at sane values for your traffic.
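The SSRF guard described above, written out as an added example. This is not Errora's own code; it assumes a Python/Django-style app and shows one way to implement the stated policy: loopback, link-local and instance-metadata addresses are always refused, RFC 1918 / IPv6 unique-local ranges are refused only when `SSRF_BLOCK_PRIVATE=1`, and every address a hostname resolves to is checked (including IPv4-mapped IPv6 literals). The function names, the `resolver` parameter and `static_resolver` are assumptions made for this example.

```python
import ipaddress
import os
import socket
from urllib.parse import urlsplit

# Added example, not Errora's own code. Range lists are assumptions that
# match the policy described in SECURITY.md.
ALWAYS_BLOCKED = [
    ipaddress.ip_network("0.0.0.0/8"),        # "this network"
    ipaddress.ip_network("127.0.0.0/8"),      # IPv4 loopback
    ipaddress.ip_network("169.254.0.0/16"),   # link-local, covers cloud metadata endpoints
    ipaddress.ip_network("::1/128"),          # IPv6 loopback
    ipaddress.ip_network("fe80::/10"),        # IPv6 link-local
]

# Refused only when SSRF_BLOCK_PRIVATE=1 (multi-tenant deployments).
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),         # IPv6 unique local
]


class SSRFBlocked(ValueError):
    """Raised when the worker must not fetch a URL."""


def _normalise(addr):
    ip = ipaddress.ip_address(addr)
    # ::ffff:127.0.0.1 is loopback too: compare the embedded IPv4 address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def address_is_blocked(addr, block_private):
    ip = _normalise(addr)
    if any(ip in net for net in ALWAYS_BLOCKED):
        return True
    return bool(block_private) and any(ip in net for net in PRIVATE_RANGES)


def validate_outbound_url(url, block_private=None, resolver=socket.getaddrinfo):
    """Return the addresses url resolves to, or raise SSRFBlocked.

    All resolved addresses are checked, so a name that mixes public and
    internal records is refused as a whole.
    """
    if block_private is None:
        block_private = os.environ.get("SSRF_BLOCK_PRIVATE") == "1"
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise SSRFBlocked(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise SSRFBlocked("URL has no host")
    try:
        addrs = [str(ipaddress.ip_address(host))]     # IP literal, no DNS needed
    except ValueError:
        port = parts.port or (443 if parts.scheme == "https" else 80)
        try:
            infos = resolver(host, port, proto=socket.IPPROTO_TCP)
        except socket.gaierror as exc:
            raise SSRFBlocked(f"cannot resolve {host!r}") from exc
        addrs = sorted({info[4][0] for info in infos})
    for addr in addrs:
        if address_is_blocked(addr, block_private):
            raise SSRFBlocked(f"{url!r} resolves to blocked address {addr}")
    return addrs


def is_allowed(url, **kwargs):
    """Boolean form of validate_outbound_url."""
    try:
        validate_outbound_url(url, **kwargs)
        return True
    except SSRFBlocked:
        return False


def static_resolver(*addrs):
    """Constructed stand-in for socket.getaddrinfo so the guard can be
    exercised offline with chosen answers (returns getaddrinfo-shaped tuples)."""
    def resolver(host, port, **kwargs):
        return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (a, port)) for a in addrs]
    return resolver
```

Resolving and then connecting separately leaves a DNS-rebinding window; the addresses this function returns should be the ones actually connected to (pin them in the HTTP client), and the egress policy on the worker mentioned above is the second layer that catches anything the application check misses.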
See the Pre-publication hardening checklist in the README for the current status of known items.
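The `INGEST_MAX_DECOMPRESSED_BYTES` item in the checklist above limits decompressed size rather than upload size, because a compressed ingest body can be tiny and still expand to many megabytes. The following is an added example, not Errora's own code, of how such a limit is enforced in Python: `zlib`'s `max_length` caps output per call, so the ceiling is checked while inflating instead of after the whole stream has been expanded into memory. The default value, the function names and the helper `compress_sample` are assumptions for this example.

```python
import gzip
import os
import zlib

# Added example, not Errora's own code. The default below is an assumption;
# the project's real default is not stated in this file.
DEFAULT_MAX_DECOMPRESSED_BYTES = 8 * 1024 * 1024


class PayloadTooLarge(ValueError):
    """The decompressed body would exceed INGEST_MAX_DECOMPRESSED_BYTES."""


def configured_limit():
    return int(os.environ.get("INGEST_MAX_DECOMPRESSED_BYTES", DEFAULT_MAX_DECOMPRESSED_BYTES))


def inflate_bounded(data, limit=None, chunk=64 * 1024):
    """Inflate gzip- or zlib-wrapped data, failing as soon as output passes limit.

    Memory use is bounded by limit + 1 bytes, never by the compression ratio
    of the input.
    """
    if limit is None:
        limit = configured_limit()
    dec = zlib.decompressobj(wbits=zlib.MAX_WBITS | 32)   # +32: auto-detect gzip or zlib header
    out = bytearray()
    pending = data
    while True:
        # Ask for at most one byte past the remaining budget; that single
        # extra byte is what reveals an overrun. max_length=0 would mean
        # "unlimited", and this expression is always >= 1.
        want = min(chunk, limit - len(out) + 1)
        produced = dec.decompress(pending, max_length=want)
        out += produced
        if len(out) > limit:
            raise PayloadTooLarge(f"decompressed body exceeds {limit} bytes")
        if dec.eof:
            break
        # Input that zlib could not consume because of max_length is handed
        # back on the next iteration.
        pending = dec.unconsumed_tail
        if not pending and not produced:
            raise ValueError("truncated or corrupt compressed stream")
    return bytes(out)


def exceeds_limit(data, limit):
    """True if data would inflate past limit (useful as an early reject)."""
    try:
        inflate_bounded(data, limit)
        return False
    except PayloadTooLarge:
        return True


def compress_sample(raw, fmt="zlib"):
    """Constructed sample input for exercising the guard offline."""
    return gzip.compress(raw) if fmt == "gzip" else zlib.compress(raw)
```

A one-megabyte body of zero bytes compresses to roughly a kilobyte, so a size check on the request alone would pass it; with the limit set to 500 000 bytes the loop above stops after expanding about that much and never allocates the full megabyte.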