We actively support the following versions with security updates:
| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
We take security vulnerabilities seriously. If you discover a security vulnerability, please follow these steps:
Security vulnerabilities should not be reported through public GitHub issues, discussions, or pull requests.
Send an email to security@parson.dev with:
- A clear description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Any suggested fixes (if available)
- Acknowledgment: We'll acknowledge receipt within 24 hours
- Initial Assessment: We'll provide an initial assessment within 72 hours
- Progress Updates: We'll send progress updates every 7 days
- Resolution: We aim to resolve critical vulnerabilities within 30 days
- Private Discussion: We'll work with you to understand and validate the vulnerability
- Fix Development: We'll develop and test a fix
- Coordinated Disclosure: We'll coordinate public disclosure timing with you
- Credit: We'll provide appropriate credit for responsible disclosure (if desired)
- TLS Encryption: Always use TLS in production environments, on the listener and on connections to backends
- Certificate Validation: Verify backend certificates against a trusted CA; never disable verification to work around a misconfigured backend
- Network Isolation: Deploy the proxy in an isolated network segment when possible
- Rate Limiting: Configure rate limits appropriate to your traffic to prevent abuse
- Header Filtering: Filter sensitive headers (credential-bearing or internal-only ones, and hop-by-hop headers) before forwarding requests, so they are not leaked to backends
- Access Logs: Enable comprehensive access logging for security monitoring
- Secrets Management: Use environment variables or a secrets vault for sensitive configuration; never commit secrets to the repository
- Least Privilege: Run the proxy as an unprivileged user with only the permissions it needs
- Regular Updates: Keep the proxy and its dependencies updated
- Resource Limits: Configure memory and connection limits so a single client cannot exhaust the host
- Health Monitoring: Implement health checks and monitoring
- Circuit Breaker: Use circuit breaker patterns to prevent cascading failures
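What "filter sensitive headers before forwarding" looks like in practice, as an added example and not code from the proxy itself: the Go function below strips the RFC 7230 hop-by-hop headers, whatever extra per-hop headers the Connection field names, and a configurable denylist. The function name, the denylist entries and the sample request headers are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// hopByHop lists the hop-by-hop headers from RFC 7230 section 6.1. They
// describe the connection between the client and this proxy, so a proxy
// must not forward them to the backend.
var hopByHop = []string{
	"Connection", "Keep-Alive", "Proxy-Authenticate", "Proxy-Authorization",
	"Te", "Trailer", "Transfer-Encoding", "Upgrade",
}

// FilterForwardedHeaders returns a copy of in with three groups removed:
// the standard hop-by-hop headers, any header named in the Connection
// field (clients may list extra per-hop headers there), and every header in
// sensitive, the deployment's own denylist. Names are compared in canonical
// form, so "cookie", "Cookie" and "COOKIE" all match. The input is not modified.
func FilterForwardedHeaders(in http.Header, sensitive []string) http.Header {
	drop := make(map[string]bool)
	for _, h := range hopByHop {
		drop[http.CanonicalHeaderKey(h)] = true
	}
	for _, h := range sensitive {
		drop[http.CanonicalHeaderKey(h)] = true
	}
	for _, v := range in.Values("Connection") {
		for _, name := range strings.Split(v, ",") {
			if name = strings.TrimSpace(name); name != "" {
				drop[http.CanonicalHeaderKey(name)] = true
			}
		}
	}
	out := make(http.Header)
	for k, vs := range in {
		if drop[http.CanonicalHeaderKey(k)] {
			continue
		}
		for _, v := range vs {
			out.Add(k, v)
		}
	}
	return out
}

// sampleRequestHeaders is a constructed inbound header set for the demo,
// not a captured request.
func sampleRequestHeaders() http.Header {
	h := make(http.Header)
	h.Set("Accept", "application/json")
	h.Set("Authorization", "Bearer example-token")
	h.Set("Cookie", "session=example")
	h.Set("X-Internal-Token", "do-not-leak")
	h.Set("Connection", "X-Custom-Hop, Keep-Alive")
	h.Set("X-Custom-Hop", "1")
	h.Set("Keep-Alive", "timeout=5")
	h.Set("Transfer-Encoding", "chunked")
	return h
}

func main() {
	// The denylist is an assumed deployment setting; Authorization is
	// deliberately left off it here so the backend still receives it.
	out := FilterForwardedHeaders(sampleRequestHeaders(), []string{"Cookie", "X-Internal-Token"})
	for k, vs := range out {
		fmt.Printf("%s: %s\n", k, strings.Join(vs, ", "))
	}
}
```

Which end-to-end headers count as sensitive is a deployment decision: a proxy that authenticates clients itself should drop Authorization as well, while one that passes authentication through must keep it. The hop-by-hop set is not optional; forwarding Transfer-Encoding or Connection verbatim is how request-smuggling bugs start.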
- Request Size Limits: Configurable limits on request body size
- Connection Limits: Maximum concurrent connection limits
- Timeout Protection: Configurable timeouts for all operations
- Header Size Limits: Protection against large header attacks
- Rate Limiting: Token bucket algorithm for request rate limiting
- Request Validation: Input validation and sanitization
- Response Filtering: Configurable response header filtering
- Audit Logging: Comprehensive audit trail with OpenTelemetry
- Security Metrics: Expose security-relevant metrics for monitoring
- Trace Correlation: Full request tracing for security incident investigation
- Alert Integration: Support for security alert integrations
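The token bucket behind a per-client rate limit, as an added example rather than the project's own implementation: each client earns tokens at a steady rate up to a burst ceiling, and a request that finds the bucket empty is rejected. The type and function names, the limiter parameters and the sample client address are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net"
	"sync"
	"time"
)

// bucket holds one client's token balance and the time it was last refilled.
type bucket struct {
	tokens float64
	last   time.Time
}

// RateLimiter is a per-client token bucket. Every client earns rate tokens
// per second up to a ceiling of burst, and each request spends one token.
// The clock is injectable so refill logic can be tested without sleeping.
type RateLimiter struct {
	mu      sync.Mutex
	rate    float64
	burst   float64
	now     func() time.Time
	buckets map[string]*bucket
}

// NewRateLimiter builds a limiter; pass nil for now to use the wall clock.
func NewRateLimiter(rate, burst float64, now func() time.Time) *RateLimiter {
	if now == nil {
		now = time.Now
	}
	return &RateLimiter{rate: rate, burst: burst, now: now, buckets: make(map[string]*bucket)}
}

// Allow reports whether one request from client may proceed, spending a
// token when it does. Unknown clients start with a full bucket.
func (r *RateLimiter) Allow(client string) bool {
	r.mu.Lock()
	defer r.mu.Unlock()
	t := r.now()
	b, ok := r.buckets[client]
	if !ok {
		b = &bucket{tokens: r.burst, last: t}
		r.buckets[client] = b
	}
	// Refill in proportion to elapsed time, capped at burst. A clock that
	// steps backwards yields no refill rather than a negative one.
	if elapsed := t.Sub(b.last).Seconds(); elapsed > 0 {
		b.tokens += elapsed * r.rate
		if b.tokens > r.burst {
			b.tokens = r.burst
		}
		b.last = t
	}
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// ClientKey turns an "ip:port" RemoteAddr into the limiter key. Keying on
// the socket address rather than X-Forwarded-For means a client cannot
// choose its own bucket; trust a forwarded header only behind a load
// balancer you control.
func ClientKey(remoteAddr string) string {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return remoteAddr
	}
	return host
}

func main() {
	limiter := NewRateLimiter(2, 5, nil) // 2 requests/s sustained, bursts of 5
	key := ClientKey("192.168.1.100:51234") // constructed client address
	for i := 1; i <= 7; i++ {
		if limiter.Allow(key) {
			fmt.Printf("request %d from %s: allowed\n", i, key)
		} else {
			fmt.Printf("request %d from %s: rate limit exceeded\n", i, key)
		}
	}
}
```

The map of buckets grows with every distinct client, so a production limiter also evicts buckets idle longer than burst/rate seconds (they are full again by then and can be recreated on demand); without that, a scan from many source addresses turns the limiter itself into a memory-exhaustion target.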
- Use Container Security:

  ```dockerfile
  # Use a distroless base image (FROM must be the first instruction)
  FROM gcr.io/distroless/base-debian11
  # Run as a non-root user
  USER 1000:1000
  ```

- Network Configuration:

  ```yaml
  # Limit network exposure: bind only to the interface clients need
  server:
    bindAddress: "127.0.0.1"  # Not 0.0.0.0 in production
  ```

- Resource Limits:

  ```yaml
  # Configure appropriate limits
  server:
    maxConnections: 1000
    readTimeout: 30s
    writeTimeout: 30s
  ```

- Environment Variables:

  ```bash
  # Use environment variables for secrets
  export PROXY_TLS_CERT_FILE=/path/to/cert.pem
  export PROXY_TLS_KEY_FILE=/path/to/key.pem
  ```

- File Permissions:

  ```bash
  # Secure configuration files
  chmod 600 config.yaml
  chmod 600 /path/to/cert.pem
  chmod 600 /path/to/key.pem
  ```

  The private key is the file that must not be readable by other users. Make sure all three files are owned by the account the proxy runs as, or it will be unable to read them after the permission change.

- Security Logs:

  ```json
  {"level": "warn", "msg": "Rate limit exceeded", "client_ip": "192.168.1.100", "trace_id": "abc123"}
  ```

- Metrics to Monitor:
  - Request rate per client IP
  - Error rate by status code
  - Response time percentiles
  - Connection count trends
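Turning the security log and the first two metrics above into a detection, as an added example (not part of the page or the project): the Go program below parses a window of JSON log lines, counts requests and "Rate limit exceeded" warnings per client IP and responses per status code, and lists the clients that cross an alert threshold. The log lines are constructed, not captured from a real deployment, and the status field is an assumption, since the page's sample shows only level, msg, client_ip and trace_id.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// logEntry mirrors the JSON shape of the security log. level, msg, client_ip
// and trace_id match the page's sample; status is an assumed extra field.
type logEntry struct {
	Level    string `json:"level"`
	Msg      string `json:"msg"`
	ClientIP string `json:"client_ip"`
	TraceID  string `json:"trace_id"`
	Status   int    `json:"status"`
}

// Summary holds the counts a monitoring job would feed into alerts.
type Summary struct {
	RequestsByIP    map[string]int // request count per client IP in the window
	RateLimitedByIP map[string]int // "Rate limit exceeded" warnings per client IP
	ByStatus        map[int]int    // responses per status code
	Parsed          int
	Malformed       int
}

// Summarize parses one JSON object per line. A line that is not valid JSON
// is counted as malformed and skipped: one bad line must not blind monitoring.
func Summarize(logs string) Summary {
	s := Summary{
		RequestsByIP:    make(map[string]int),
		RateLimitedByIP: make(map[string]int),
		ByStatus:        make(map[int]int),
	}
	sc := bufio.NewScanner(strings.NewReader(logs))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e logEntry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			s.Malformed++
			continue
		}
		s.Parsed++
		s.RequestsByIP[e.ClientIP]++
		s.ByStatus[e.Status]++
		if e.Level == "warn" && e.Msg == "Rate limit exceeded" {
			s.RateLimitedByIP[e.ClientIP]++
		}
	}
	return s
}

// ErrorRate is the share of parsed entries with a 4xx or 5xx status.
func (s Summary) ErrorRate() float64 {
	if s.Parsed == 0 {
		return 0
	}
	errors := 0
	for status, n := range s.ByStatus {
		if status >= 400 {
			errors += n
		}
	}
	return float64(errors) / float64(s.Parsed)
}

// Suspicious returns, sorted, the client IPs rate-limited at least threshold
// times in the window: candidates for an alert or a temporary block.
func (s Summary) Suspicious(threshold int) []string {
	var ips []string
	for ip, n := range s.RateLimitedByIP {
		if n >= threshold {
			ips = append(ips, ip)
		}
	}
	sort.Strings(ips)
	return ips
}

// sampleLogs is a constructed log window, not output from a real deployment.
const sampleLogs = `
{"level": "info", "msg": "request completed", "client_ip": "192.168.1.100", "trace_id": "abc121", "status": 200}
{"level": "warn", "msg": "Rate limit exceeded", "client_ip": "192.168.1.100", "trace_id": "abc122", "status": 429}
{"level": "warn", "msg": "Rate limit exceeded", "client_ip": "192.168.1.100", "trace_id": "abc123", "status": 429}
{"level": "warn", "msg": "Rate limit exceeded", "client_ip": "192.168.1.100", "trace_id": "abc124", "status": 429}
{"level": "info", "msg": "request completed", "client_ip": "10.0.0.7", "trace_id": "abc125", "status": 200}
{"level": "warn", "msg": "Rate limit exceeded", "client_ip": "10.0.0.7", "trace_id": "abc126", "status": 429}
{"level": "error", "msg": "backend unavailable", "client_ip": "10.0.0.7", "trace_id": "abc127", "status": 502}
this line is not JSON and must not abort the run
`

func main() {
	s := Summarize(sampleLogs)
	fmt.Printf("parsed=%d malformed=%d error_rate=%.2f\n", s.Parsed, s.Malformed, s.ErrorRate())
	for _, ip := range s.Suspicious(3) {
		fmt.Printf("alert: %s rate-limited %d times of %d requests\n", ip, s.RateLimitedByIP[ip], s.RequestsByIP[ip])
	}
}
```

The trace_id is deliberately carried through the struct: once an IP trips the threshold, those IDs are what you pivot on in the tracing backend to see which routes and backends the client was hitting.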
We will maintain a history of security vulnerabilities and their fixes:
- CVE-YYYY-XXXXX: [Description] - Fixed in version X.Y.Z
For security-related questions or concerns:
- Security Email: security@parson.dev
- PGP Key: [Link to PGP key if available]
- Response Time: We aim to respond within 24 hours
We thank the security research community for responsible disclosure of vulnerabilities. Contributors who follow our responsible disclosure process will be acknowledged in our security advisories (with their permission).