Skip to content

Security Notes

GitHub Copilot edited this page May 12, 2026 · 1 revision

Security Notes

This page describes the current security posture of mdedit.io. It is not an external audit or formal certification.

Implemented Measures

Cookie Secret

The session secret is set via the COOKIE_SECRET environment variable. If not provided, a random secret is generated at startup with a warning. Always set an explicit secret in production:

openssl rand -hex 32
# Add to .env: COOKIE_SECRET=<generated value>

Rate Limiting

100 requests per minute per IP via @fastify/rate-limit. Localhost is whitelisted for development.

Security Headers

@fastify/helmet is active with a strict Content-Security-Policy.

Secure Cookies

Cookies use the secure flag in NODE_ENV=production (HTTPS-only).

Input Validation

  • Maximum 1 MB per Markdown document (HTTP 413 if exceeded)
  • Title truncated to 100 characters

Permalink Privacy

Documents are private by default. Only explicitly shared documents are publicly accessible via UUID permalink. The share toggle is exposed via:

POST /api/pastes/:id/share

Temp File Cleanup

Temporary files from PDF export are cleaned up in a try/finally block — guaranteed even on errors.

Remaining Hardening Areas

See docs/operations/SECURITY.md in the repository for a full status breakdown including open P2/P3 items.

Reporting Security Issues

Please report security issues via the issue tracker or directly to the maintainer.

See Also

Clone this wiki locally