-
Notifications
You must be signed in to change notification settings - Fork 0
Security Notes
This page describes the current security posture of mdedit.io. It is not an external audit or formal certification.
The session secret is set via the COOKIE_SECRET environment variable. If not provided, a random secret is generated at startup with a warning. Always set an explicit secret in production:
openssl rand -hex 32
# Add to .env: COOKIE_SECRET=<generated value>100 requests per minute per IP via @fastify/rate-limit. Localhost is whitelisted for development.
@fastify/helmet is active with a strict Content-Security-Policy.
Cookies use the secure flag in NODE_ENV=production (HTTPS-only).
- Maximum 1 MB per Markdown document (HTTP 413 if exceeded)
- Title truncated to 100 characters
Documents are private by default. Only explicitly shared documents are publicly accessible via UUID permalink. The share toggle is exposed via:
POST /api/pastes/:id/share
Temporary files from PDF export are cleaned up in a try/finally block — guaranteed even on errors.
See docs/operations/SECURITY.md in the repository for a full status breakdown including open P2/P3 items.
Please report security issues via the issue tracker or directly to the maintainer.