Security: yelixir-dev/grok-oauth-proxy

SECURITY.md

Security Policy

Supported surface

grok-oauth-proxy is designed for localhost, trusted LAN/VPN/tailnet, or private reverse-proxy deployments. It should not be exposed directly to the public internet without authentication, TLS, and a trusted network boundary.

Reporting a vulnerability

Please use the GitHub Security Advisory form:

https://github.com/yelixir-dev/grok-oauth-proxy/security/advisories/new

If the advisory form is unavailable, email yelixir.dev@gmail.com.

Do not include live OAuth tokens, ~/.hermes/auth.json, browser storage, private hostnames, or real API credentials in public issues, screenshots, logs, or fixtures.

Credential handling expectations

  • Keep Hermes OAuth material outside this repository.
  • Keep exported xai-oauth.json files temporary and delete them after import.
  • Keep token-state files permission-restricted (0o600 for files, 0o700 for directories).
  • Use PROXY_API_KEY whenever binding to a non-loopback address.
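The expectations above can be checked mechanically before the proxy starts. The preflight below is an added example, not code from the grok-oauth-proxy project: it verifies the 0o600/0o700 modes on token-state files and the rule that a non-loopback bind address requires PROXY_API_KEY. The function names, the `demo()` scenario and its temporary directory are constructed for illustration.

```python
import ipaddress
import os
import stat
import tempfile
from pathlib import Path

FILE_MODE = 0o600        # expected mode for token-state files
DIR_MODE = 0o700         # expected mode for token-state directories
API_KEY_ENV = "PROXY_API_KEY"


def check_mode(path: Path, expected: int) -> list[str]:
    """Return findings for one token-state file or directory (empty list = OK)."""
    if not path.exists():
        return [f"{path}: missing"]
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode != expected:
        return [f"{path}: mode {mode:04o}, expected {expected:04o}"]
    return []


def check_bind(bind_host: str, env: dict) -> list[str]:
    """A non-loopback bind address requires PROXY_API_KEY to be set.

    Only literal loopback IPs and the name 'localhost' are treated as loopback;
    any other hostname is conservatively treated as non-loopback.
    """
    try:
        loopback = ipaddress.ip_address(bind_host).is_loopback
    except ValueError:
        loopback = bind_host == "localhost"
    if not loopback and not env.get(API_KEY_ENV):
        return [f"bind {bind_host} is non-loopback but {API_KEY_ENV} is unset"]
    return []


def preflight(state_dir: Path, files: list[str], bind_host: str, env: dict) -> list[str]:
    """Aggregate all findings; an empty list means the deployment passes."""
    findings = check_mode(state_dir, DIR_MODE)
    for name in files:
        findings += check_mode(state_dir / name, FILE_MODE)
    findings += check_bind(bind_host, env)
    return findings


def demo() -> list[str]:
    """Constructed scenario: a world-readable auth.json plus a LAN bind with no API key."""
    with tempfile.TemporaryDirectory() as tmp:
        state_dir = Path(tmp) / ".hermes"
        state_dir.mkdir()
        os.chmod(state_dir, 0o700)          # mkdir's mode is subject to umask, so set it explicitly
        auth = state_dir / "auth.json"
        auth.write_text("{}")               # placeholder content, no real token material
        os.chmod(auth, 0o644)               # the misconfiguration the check should catch
        return preflight(state_dir, ["auth.json"], "0.0.0.0", {})
```

Running `preflight` with the real state directory, the file list and the configured bind address at startup turns the policy into a hard failure rather than a guideline.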