| Version | Supported |
|---|---|
| 0.1.x | ✅ |

If you discover a security vulnerability in AppSecOne, please report it responsibly:
- Do not open a public GitHub issue
- Email the maintainers at security@polprog.pl with details
- Include steps to reproduce the issue
- Allow reasonable time for a fix before public disclosure
We aim to acknowledge reports within 48 hours and provide a fix or mitigation within 7 days for critical issues.
AppSecOne follows security-by-default principles with a six-layer middleware stack:

| Layer | Middleware | Purpose |
|---|---|---|
| 1 | SecurityHeadersMiddleware | CSP with per-request nonce, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy |
| 2 | RequestLoggingMiddleware | Correlation IDs for audit trails, structured request/response logging |
| 3 | RateLimitMiddleware | Per-IP fixed-window: 120 req/min general, 5 req/min for admin endpoints |
| 4 | CORSMiddleware | Configurable origins via APPSECONE_CORS_ORIGINS |
| 5 | CSRFMiddleware | Origin/Referer validation on all state-changing requests |
| 6 | APIKeyMiddleware | Optional HMAC-verified API key for admin endpoints |

- No secrets in code — all credentials loaded from environment variables
- No Fortify tokens in the browser — backend proxies all Fortify API calls
- CSP-enforced script safety — all inline scripts require a per-request nonce; no `unsafe-inline`
- No inline event handlers — all JavaScript uses `addEventListener` for CSP compatibility
- CSRF protection — Origin/Referer validation on POST/PUT/DELETE/PATCH
- Timing-safe auth — `hmac.compare_digest()` for API key comparison
- Safe error messages — no stack traces or internal details exposed to clients
- Rate limiting — prevents brute-force and DoS on admin endpoints
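The timing-safe API key comparison and the Origin/Referer CSRF check listed above, written out as a small added example (this is illustrative code, not AppSecOne's own middleware; the server secret, header names and allowed-origin set are constructed for the example, and headers are assumed to be already case-normalized):

```python
import hashlib
import hmac
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


def _key_tag(api_key: str, server_secret: bytes) -> bytes:
    # Hypothetical helper: HMAC the key first so the comparison always runs
    # over fixed-length digests, independent of the presented key's length.
    return hmac.new(server_secret, api_key.encode("utf-8"), hashlib.sha256).digest()


def verify_api_key(presented: Optional[str], expected_key: str, server_secret: bytes) -> bool:
    """Timing-safe API key check using hmac.compare_digest (never ==)."""
    if not presented:
        return False
    return hmac.compare_digest(
        _key_tag(presented, server_secret), _key_tag(expected_key, server_secret)
    )


def _origin_of(url: str) -> Optional[str]:
    # Reduce a Referer URL to scheme://host[:port]; None if it is not a URL.
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def csrf_request_allowed(method: str, headers: Dict[str, str], allowed_origins: Set[str]) -> bool:
    """Origin/Referer validation applied only to state-changing methods.

    Origin is checked when present; Referer is the fallback. A state-changing
    request carrying neither header is rejected rather than waved through.
    """
    if method.upper() not in STATE_CHANGING:
        return True
    origin = headers.get("Origin")
    if origin:
        return origin.lower() in allowed_origins
    referer = headers.get("Referer")
    if referer:
        ref_origin = _origin_of(referer)
        return ref_origin is not None and ref_origin in allowed_origins
    return False
```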
We monitor dependencies for known vulnerabilities:

```bash
python3 -m pip install pip-audit
pip-audit
```