The following versions of Articles are currently supported with security updates:

| Version | Supported |
|---|---|
| 0.1.x | ✅ |
| < 0.1 | ❌ |
Note: This is an early-stage project. Security updates will be provided for the latest 0.1.x release. Once the project reaches 1.0, we will maintain security support for the current major version and one previous major version.
Articles implements the following security measures:
- ASP.NET Core Identity - User authentication and password management
- Per-user data isolation - Users can only access their own data
- Authorization checks - All handlers verify user ownership
- Secure password storage - Passwords are hashed using Identity's default algorithms
- NoSQL injection protection - Queries go through the MongoDB .NET Driver's BSON serialization and strongly typed models rather than string-built query text
- XSS protection - Blazor's automatic HTML encoding
- CSRF protection - Built-in anti-forgery tokens
- HTTPS enforcement - Recommended for production deployments
- Input validation - All commands and queries validate user input
- Error handling - Sensitive information not exposed in error messages
- User isolation - Database queries filtered by UserId
- Connection string security - Stored in secure configuration (e.g., User Secrets, Azure Key Vault)
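The per-user isolation, authorization-check and UserId-filtering measures above all come down to one rule: a handler never addresses an article by Id alone, it always pairs the Id with the authenticated caller's UserId. The following is an added example written for this page, not code from the Articles project; the `Article` model, the `ArticleQueries` class and the claim used to obtain the user id are assumptions. The first method shows the shape of the bug (an insecure direct object reference) and the two after it the pattern that prevents it:

```csharp
// Added example (not Articles' own code): ownership-scoped MongoDB queries.
// Assumed names: Article model, ArticleQueries handler, NameIdentifier claim as the user id.
using System.Security.Claims;
using MongoDB.Bson.Serialization.Attributes;
using MongoDB.Driver;

public sealed class Article
{
    [BsonId] public string Id { get; set; } = default!;
    public string UserId { get; set; } = default!;   // owner; set server-side when the article is created
    public string Title { get; set; } = "";
    public string Body { get; set; } = "";
}

public sealed class ArticleQueries
{
    private readonly IMongoCollection<Article> _articles;
    public ArticleQueries(IMongoCollection<Article> articles) => _articles = articles;

    // INSECURE shape, shown for contrast: filters by Id only. Any signed-in user who obtains
    // or guesses another user's article Id reads that article.
    public Task<Article> GetByIdUnscopedAsync(string id) =>
        _articles.Find(a => a.Id == id).FirstOrDefaultAsync();

    // SECURE: the caller's UserId is part of every filter, so a foreign Id matches nothing.
    // The UserId comes from the authenticated principal, never from the request body or URL.
    // Returns null both when the article does not exist and when it belongs to someone else,
    // so the response does not reveal which of the two is the case.
    public Task<Article> GetByIdAsync(ClaimsPrincipal user, string id)
    {
        var filter = OwnedBy(id, RequireUserId(user));
        return _articles.Find(filter).FirstOrDefaultAsync();
    }

    // Same rule for writes: ownership is a predicate of the delete itself, so there is no
    // check-then-act window in which the check could be bypassed.
    public async Task<bool> DeleteAsync(ClaimsPrincipal user, string id)
    {
        var result = await _articles.DeleteOneAsync(OwnedBy(id, RequireUserId(user)));
        return result.DeletedCount == 1;   // false: not found or not owned, reported identically
    }

    private static FilterDefinition<Article> OwnedBy(string id, string userId) =>
        Builders<Article>.Filter.Eq(a => a.Id, id)
        & Builders<Article>.Filter.Eq(a => a.UserId, userId);

    private static string RequireUserId(ClaimsPrincipal user) =>
        user.FindFirst(ClaimTypes.NameIdentifier)?.Value
        ?? throw new UnauthorizedAccessException("No authenticated user.");
}
```

Because the ownership predicate is built with the driver's typed filter builders, the user-supplied `id` is serialized as a BSON value and cannot alter the query's structure, which is the NoSQL-injection point in the list above.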
If you discover a security vulnerability in Articles, please report it responsibly:
Email: matthew.paulosky@outlook.com
Subject: [SECURITY] Articles Vulnerability Report
Please do NOT open a public GitHub issue for security vulnerabilities.
When reporting a security vulnerability, please include:
- Description - Clear description of the vulnerability
- Impact - Potential security impact and severity
- Steps to Reproduce - Detailed steps to reproduce the vulnerability
- Affected Versions - Which versions are affected
- Suggested Fix - If you have ideas for mitigation (optional)
- Your Contact Info - How we can reach you for follow-up
Response timeline:
- Initial Response: Within 48 hours of report submission
- Status Update: Within 7 days with assessment and timeline
- Fix Timeline:
  - Critical vulnerabilities: Within 7 days
  - High severity: Within 14 days
  - Medium/Low severity: Within 30 days

Disclosure process:
- We will work with you to understand and validate the vulnerability
- We will develop and test a fix before public disclosure
- We will credit you in the security advisory (unless you prefer anonymity)
- We request that you do not publicly disclose the vulnerability until we have released a fix
Security updates will be published:
- In the GitHub Security Advisories
- In the project CHANGELOG.md (if one exists)
- In release notes for security-related releases
When contributing to Articles, please follow these security guidelines:
- All code changes require review before merging
- Security-sensitive changes require additional scrutiny
- Never commit secrets, API keys, or passwords
- Add security-focused tests for authorization checks
- Test boundary conditions and edge cases
- Verify user isolation in integration tests
- Keep NuGet packages up to date
- Review dependency security advisories
- Use `dotnet list package --vulnerable` to check for known vulnerabilities
- Use User Secrets for local development (`dotnet user-secrets`)
- Use Environment Variables or Key Vault for production
- Never commit sensitive configuration files with secrets
- Add sensitive files to `.gitignore`
- Validate all user input
- Sanitize data before rendering in Blazor components (Blazor does this automatically)
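The guidelines ask for security-focused tests of the authorization checks and for user isolation to be verified in integration tests. The following xUnit test class is an added example, not a test from the Articles repository; it assumes a MongoDB instance reachable through the `ARTICLES_TEST_MONGO` environment variable (defaulting to a local server), an `Article` model with `Id` and `UserId` fields, and the ownership-scoped filter shape that the handlers are expected to use. Each test drives the same filter a handler would, with one user's Id and another user's credentials, and asserts that the cross-user request is indistinguishable from "not found":

```csharp
// Added example (not Articles' own tests): xUnit integration tests for per-user isolation.
// Assumptions: ARTICLES_TEST_MONGO points at a disposable MongoDB; Article model as below.
using MongoDB.Bson.Serialization.Attributes;
using MongoDB.Driver;
using Xunit;

public sealed class Article
{
    [BsonId] public string Id { get; set; } = default!;
    public string UserId { get; set; } = default!;
    public string Title { get; set; } = "";
}

public class UserIsolationTests : IAsyncLifetime
{
    private IMongoDatabase _db = default!;
    private IMongoCollection<Article> _articles = default!;

    // The only way a handler should ever address an article: Id AND owner together.
    private static FilterDefinition<Article> OwnedBy(string id, string userId) =>
        Builders<Article>.Filter.Eq(a => a.Id, id) & Builders<Article>.Filter.Eq(a => a.UserId, userId);

    public async Task InitializeAsync()
    {
        var conn = Environment.GetEnvironmentVariable("ARTICLES_TEST_MONGO") ?? "mongodb://localhost:27017";
        // A fresh database per test class so runs never see each other's data.
        _db = new MongoClient(conn).GetDatabase("articles_isolation_" + Guid.NewGuid().ToString("N"));
        _articles = _db.GetCollection<Article>("articles");
        // Constructed fixture: one article for each of two users.
        await _articles.InsertManyAsync(new[]
        {
            new Article { Id = "a1", UserId = "alice", Title = "Alice's draft" },
            new Article { Id = "b1", UserId = "bob",   Title = "Bob's draft" },
        });
    }

    public Task DisposeAsync() => _db.Client.DropDatabaseAsync(_db.DatabaseNamespace.DatabaseName);

    [Fact]
    public async Task Owner_can_read_own_article()
    {
        var doc = await _articles.Find(OwnedBy("a1", "alice")).FirstOrDefaultAsync();
        Assert.NotNull(doc);
        Assert.Equal("Alice's draft", doc.Title);
    }

    [Fact]
    public async Task Other_user_cannot_read_article_by_id()
    {
        // Bob supplies Alice's Id; the UserId predicate must turn it into "not found".
        var doc = await _articles.Find(OwnedBy("a1", "bob")).FirstOrDefaultAsync();
        Assert.Null(doc);
    }

    [Fact]
    public async Task Other_user_cannot_delete_article()
    {
        var result = await _articles.DeleteOneAsync(OwnedBy("a1", "bob"));
        Assert.Equal(0L, result.DeletedCount);
        Assert.Equal(1L, await _articles.CountDocumentsAsync(a => a.Id == "a1"));   // still there
    }

    [Fact]
    public async Task Listing_never_includes_other_users_articles()
    {
        var titles = await _articles.Find(a => a.UserId == "bob").Project(a => a.Title).ToListAsync();
        Assert.Equal(new[] { "Bob's draft" }, titles);
    }
}
```

Running these against the real handlers rather than the raw collection is a small change (construct the handler with `_articles` and a `ClaimsPrincipal` for "bob"); the important property is that the delete and the read tests would fail the moment someone dropped the `UserId` predicate from a filter.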
Known limitations of the current release:
- No rate limiting - Consider implementing rate limiting for production
- No audit logging - User actions are not currently logged
Recommendations for production deployments:
- Use HTTPS - Enable HTTPS and HSTS
- Secure connection strings - Use Azure Key Vault or similar
- Enable logging - Add security event logging
- Rate limiting - Implement API rate limiting
- Regular updates - Keep .NET and dependencies updated
- Security headers - Add security headers (CSP, X-Frame-Options, etc.)
- Monitor dependencies - Use GitHub Dependabot for security alerts
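Several of the production recommendations above (HTTPS and HSTS, a connection string that comes from configuration rather than source, rate limiting, security headers) are host-level settings that live in the application's startup. The `Program.cs` below is an added example for this page and not the Articles project's own startup file; the connection string name `ConnectionStrings:MongoDb`, the limiter values and the `/health` endpoint are assumptions, and the Content-Security-Policy is a deliberately minimal starting point that must be tuned against the real Blazor app before it is deployed:

```csharp
// Added example (not Articles' own Program.cs): production hardening for an ASP.NET Core host.
// Assumptions: configuration key ConnectionStrings:MongoDb, illustrative limiter values, /health endpoint.
using System.Threading.RateLimiting;
using Microsoft.AspNetCore.RateLimiting;
using MongoDB.Driver;

var builder = WebApplication.CreateBuilder(args);

// Connection string from configuration only: User Secrets in development, environment
// variables or Key Vault in production. Fail fast instead of falling back to a literal.
var mongoConn = builder.Configuration.GetConnectionString("MongoDb")
    ?? throw new InvalidOperationException("ConnectionStrings:MongoDb is not configured.");
builder.Services.AddSingleton<IMongoClient>(new MongoClient(mongoConn));

// HSTS: browsers refuse plain HTTP for this host (and subdomains) for a year.
builder.Services.AddHsts(o =>
{
    o.MaxAge = TimeSpan.FromDays(365);
    o.IncludeSubDomains = true;
    o.Preload = true;
});

// Rate limiting (built into .NET 7+): a fixed window per signed-in user, or per client
// address for anonymous traffic. 100 requests per minute is an illustrative value.
builder.Services.AddRateLimiter(o =>
{
    o.RejectionStatusCode = StatusCodes.Status429TooManyRequests;
    o.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, string>(ctx =>
        RateLimitPartition.GetFixedWindowLimiter(
            partitionKey: ctx.User.Identity?.Name
                          ?? ctx.Connection.RemoteIpAddress?.ToString()
                          ?? "anonymous",
            factory: _ => new FixedWindowRateLimiterOptions
            {
                PermitLimit = 100,
                Window = TimeSpan.FromMinutes(1),
                QueueLimit = 0,
            }));
});

var app = builder.Build();

if (!app.Environment.IsDevelopment())
{
    app.UseHsts();
}
app.UseHttpsRedirection();

// Security headers on every response. Blazor needs CSP adjustments (WebAssembly requires
// 'unsafe-eval', some inline scripts need hashes), so verify the policy in a browser console.
app.Use(async (context, next) =>
{
    var h = context.Response.Headers;
    h["X-Content-Type-Options"] = "nosniff";
    h["X-Frame-Options"] = "DENY";
    h["Referrer-Policy"] = "strict-origin-when-cross-origin";
    h["Permissions-Policy"] = "camera=(), microphone=(), geolocation=()";
    h["Content-Security-Policy"] =
        "default-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'";
    await next(context);
});

app.UseRateLimiter();

app.UseAuthentication();
app.UseAuthorization();

// Health probes are exempt from the limiter so that monitoring cannot be starved.
app.MapGet("/health", () => Results.Ok("ok")).DisableRateLimiting();

app.Run();
```

For local development the connection string is supplied with `dotnet user-secrets set "ConnectionStrings:MongoDb" "<your local connection string>"`, which keeps it out of `appsettings.json` and out of the repository; in production the same key is read from an environment variable (`ConnectionStrings__MongoDb`) or from Key Vault through the configuration provider.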
Thank you for helping keep Articles secure!