| Version | Supported |
|---|---|
| 1.0.x | ✅ Active support |

If you discover a security vulnerability in MemoryHub, please report it responsibly.
- DO NOT open a public GitHub issue for security vulnerabilities
- Email: security@memoryhub.dev (or create a private security advisory on GitHub)
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
- 24 hours: Initial acknowledgment
- 72 hours: Preliminary assessment
- 7 days: Fix or mitigation plan
- 30 days: Public disclosure (coordinated)
MemoryHub includes several security features:
- API key-based authentication for all memory operations
- Keys are hashed (SHA-256) before storage
- Keys shown only once at creation time
- Revocation support for compromised keys
- Automatic detection of API keys, passwords, tokens, private keys
- Detection patterns for AWS keys, OpenAI keys, SSH keys, database URLs
- Optional auto-redaction before storage
- Configurable via `MEMORYHUB_ENABLE_SENSITIVE_DETECTION`
- Agents can only access memories in their own namespace
- No cross-namespace data leakage
- Separate API keys per agent
- SQLite WAL mode for crash safety
- Configurable token expiration
- No sensitive data in logs by default
- Default SQLite storage is single-machine only
- API keys use SHA-256 (not bcrypt) for performance; use strong keys
- CORS allows all origins by default in development
- Embeddings model downloads from Hugging Face on first run
- Always set a strong secret key: `MEMORYHUB_SECRET_KEY=$(openssl rand -hex 32)`
- Use HTTPS in production (reverse proxy with TLS)
- Restrict CORS to your domains only
- Regular backups of the database file
- Monitor API usage for unusual patterns
- Use PostgreSQL for production multi-instance deployments
- Keep dependencies updated: `pip install --upgrade memoryhub`
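
The key-handling points above (SHA-256 digest stored instead of the key, key shown once, revocation, one namespace per agent) fit together as in the sketch below. It is an added example, not MemoryHub's own code; the `ApiKeyStore` class, the `mh_` prefix and the in-memory dict are assumptions made for illustration.

```python
import hashlib
import secrets


class ApiKeyStore:
    """Illustrative store (hypothetical): holds SHA-256 digests, never raw keys."""

    def __init__(self):
        self._records = {}  # hex digest -> {"agent": str, "revoked": bool}

    @staticmethod
    def _digest(raw):
        return hashlib.sha256(raw.encode("utf-8")).hexdigest()

    def issue(self, agent):
        # 32 random bytes = 256 bits of entropy. A fast, unsalted hash is only
        # acceptable because the key is random; a human-chosen secret hashed
        # this way could be guessed offline from a leaked digest.
        raw = "mh_" + secrets.token_urlsafe(32)  # "mh_" prefix is an assumption
        self._records[self._digest(raw)] = {"agent": agent, "revoked": False}
        return raw  # returned once; only the digest is retained

    def verify(self, presented):
        """Return the owning agent's namespace, or None if unknown or revoked."""
        # Lookup is by digest, so the raw key is never stored or compared.
        rec = self._records.get(self._digest(presented))
        if rec is None or rec["revoked"]:
            return None
        return rec["agent"]

    def revoke(self, presented):
        """Mark a key as revoked; returns False if the key was never issued."""
        rec = self._records.get(self._digest(presented))
        if rec is None:
            return False
        rec["revoked"] = True
        return True


def can_access(store, presented_key, namespace):
    """Namespace isolation: a key only opens its own agent's namespace."""
    owner = store.verify(presented_key)
    return owner is not None and owner == namespace
```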