redge is pre-release software. Security fixes target the current main branch until versioned releases are established.
Please do not open public issues for suspected vulnerabilities.
Report security issues through GitHub private vulnerability reporting for this repository when available, or contact the repository owner directly. Include:
- affected component
- reproduction steps
- expected impact
- relevant logs or request samples with secrets removed
Never commit production credentials, node API keys, database passwords, session keys, or encryption keys. compose.yaml does not use .env files, and secret values must be injected from the shell before startup.
Set at least:
- POSTGRES_PASSWORD
- DATABASE_URL
- NODE_SECRET_ENC_KEY
- BOOTSTRAP_ADMIN_EMAIL
- BOOTSTRAP_ADMIN_PASSWORD
Keep NODE_SECRET_ENC_KEY stable for an existing database: stored node API keys are encrypted with it, so changing the key makes the already-stored keys unreadable.
For production deployments, set:
- REDGE_ENV=production
- SESSION_COOKIE_SECURE=true
Production mode rejects a configuration that disables CSRF protection, uses insecure cookies, omits a required secret, or sets an overly long session TTL.
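As an added example (not part of the redge project), the following wrapper checks the shell environment for the secrets and production settings listed above before starting compose.yaml. It assumes `docker compose` is the startup command and that the script is run as `./redge-up.sh up`; the variable names are the ones documented above, everything else is an assumption.

```bash
#!/usr/bin/env bash
# Added example, not redge project code. Verifies that the secrets
# compose.yaml expects are present in the environment and that the
# production hardening variables hold the required values, then starts
# the stack. Assumes "docker compose up -d" is the startup command.

REQUIRED_SECRETS="POSTGRES_PASSWORD DATABASE_URL NODE_SECRET_ENC_KEY BOOTSTRAP_ADMIN_EMAIL BOOTSTRAP_ADMIN_PASSWORD"

# Returns 0 when every required variable is set and non-empty.
# Otherwise lists the missing names on stderr (never their values) and returns 1.
check_required_secrets() {
  missing=""
  for name in $REQUIRED_SECRETS; do
    # Indirect expansion: read the value of the variable whose name is in $name.
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      missing="$missing $name"
    fi
  done
  if [ -n "$missing" ]; then
    echo "missing required secrets:$missing" >&2
    return 1
  fi
  return 0
}

# Returns 0 only when the production settings documented above are in effect.
check_production_settings() {
  if [ "${REDGE_ENV:-}" != "production" ]; then
    echo "REDGE_ENV must be 'production' (got '${REDGE_ENV:-}')" >&2
    return 1
  fi
  if [ "${SESSION_COOKIE_SECURE:-}" != "true" ]; then
    echo "SESSION_COOKIE_SECURE must be 'true' (got '${SESSION_COOKIE_SECURE:-}')" >&2
    return 1
  fi
  return 0
}

# Fail closed: refuse to start unless both checks pass.
start_redge() {
  check_required_secrets || return 1
  check_production_settings || return 1
  # Assumed startup command; adjust to how this deployment runs compose.yaml.
  exec docker compose up -d
}

# Only start when explicitly asked, so the file can also be sourced for its checks.
if [ "${1:-}" = "up" ]; then
  start_redge
fi
```

Load the secret values into the shell from a secret store or with `read -s` rather than typing them on the command line, so they do not land in shell history or in the `ps` output of other users on the host; the checks above only ever print variable names.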