Please do not open a public GitHub issue for vulnerabilities. Instead, use GitHub's private reporting:
- Go to https://github.com/FlavioCFOliveira/echoip/security/advisories/new
- Describe the issue, the affected version, and a reproducer if possible.
- We aim to acknowledge within 72 hours and to publish a fix or mitigation as soon as the impact and remediation are understood.
If GitHub Security Advisories is not an option, email the maintainer at the address shown on the GitHub profile.
Only the latest commit on main is supported. Tagged releases will be added once the project ships its first release pipeline (see roadmap).
- Strict timeouts on the HTTP server defeat slow-read attacks.
- Every IP candidate is validated through `net/netip` before responding.
- Responses set `X-Content-Type-Options: nosniff`.
- The `Server` response header is intentionally omitted.
- `govulncheck` runs in CI on every change against `vuln.go.dev`.
- The default trust model ignores `X-Real-IP`/`X-Forwarded-For` unless `ECHOIP_TRUSTED_PROXIES` is set, preventing spoofing in direct-exposure deployments.
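The following is an added example, not echoip's own code, showing how the hardening points above fit together in a small Go server: strict server timeouts, a trust model that only honours forwarding headers when the TCP peer is inside `ECHOIP_TRUSTED_PROXIES`, every candidate parsed with `net/netip`, `nosniff` set, and no `Server` header. The environment variable format (comma-separated CIDRs or single addresses), the right-to-left walk of `X-Forwarded-For`, and the fallback to `X-Real-IP` are assumptions made for this example; the project's actual parsing may differ.

```go
package main

import (
	"io"
	"log"
	"net"
	"net/http"
	"net/netip"
	"os"
	"strings"
	"time"
)

// parseTrustedProxies reads a comma-separated list of CIDRs or single IPs.
// Assumption: this is the illustrative format for ECHOIP_TRUSTED_PROXIES.
func parseTrustedProxies(env string) ([]netip.Prefix, error) {
	var out []netip.Prefix
	for _, f := range strings.Split(env, ",") {
		f = strings.TrimSpace(f)
		if f == "" {
			continue
		}
		if p, err := netip.ParsePrefix(f); err == nil {
			out = append(out, p)
			continue
		}
		a, err := netip.ParseAddr(f) // a bare address becomes a /32 or /128
		if err != nil {
			return nil, err
		}
		out = append(out, netip.PrefixFrom(a, a.BitLen()))
	}
	return out, nil
}

func isTrusted(peer netip.Addr, trusted []netip.Prefix) bool {
	for _, p := range trusted {
		if p.Contains(peer.Unmap()) {
			return true
		}
	}
	return false
}

// clientAddr returns the address to echo. Forwarding headers are honoured only
// when the TCP peer is a trusted proxy; every candidate is parsed with net/netip
// and a malformed header from a trusted proxy is rejected rather than guessed.
func clientAddr(remoteAddr, xff, xRealIP string, trusted []netip.Prefix) (netip.Addr, bool) {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	peer, err := netip.ParseAddr(host)
	if err != nil {
		return netip.Addr{}, false
	}
	peer = peer.Unmap()
	if !isTrusted(peer, trusted) {
		return peer, true // direct exposure: headers are attacker-controlled, ignore them
	}
	// X-Forwarded-For is "client, proxy1, proxy2": walk from the right and
	// skip hops we trust; the first untrusted hop is the client.
	var hops []string
	for _, h := range strings.Split(xff, ",") {
		if h = strings.TrimSpace(h); h != "" {
			hops = append(hops, h)
		}
	}
	for i := len(hops) - 1; i >= 0; i-- {
		a, err := netip.ParseAddr(hops[i])
		if err != nil {
			return netip.Addr{}, false
		}
		if a = a.Unmap(); !isTrusted(a, trusted) {
			return a, true
		}
	}
	if xRealIP != "" {
		a, err := netip.ParseAddr(strings.TrimSpace(xRealIP))
		if err != nil {
			return netip.Addr{}, false
		}
		return a.Unmap(), true
	}
	return peer, true
}

func newServer(addr string, trusted []netip.Prefix) *http.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		// No Server header is set (Go adds none by default); nosniff stops MIME guessing.
		w.Header().Set("X-Content-Type-Options", "nosniff")
		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
		a, ok := clientAddr(r.RemoteAddr, r.Header.Get("X-Forwarded-For"), r.Header.Get("X-Real-IP"), trusted)
		if !ok {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		io.WriteString(w, a.String()+"\n")
	})
	// Strict timeouts bound how long a slow client can hold a connection open.
	return &http.Server{
		Addr:              addr,
		Handler:           mux,
		ReadHeaderTimeout: 5 * time.Second,
		ReadTimeout:       10 * time.Second,
		WriteTimeout:      10 * time.Second,
		IdleTimeout:       60 * time.Second,
		MaxHeaderBytes:    8 << 10,
	}
}

func main() {
	trusted, err := parseTrustedProxies(os.Getenv("ECHOIP_TRUSTED_PROXIES"))
	if err != nil {
		log.Fatalf("ECHOIP_TRUSTED_PROXIES: %v", err)
	}
	log.Fatal(newServer(":8080", trusted).ListenAndServe())
}
```

With `ECHOIP_TRUSTED_PROXIES` unset, `trusted` is empty and `clientAddr` always returns the TCP peer, so a forged `X-Forwarded-For` from a directly connected client has no effect; once a proxy range is configured, only hops outside that range are ever reported.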