
Security: YavLabs/docx


SECURITY.md

Security Policy

Reporting Vulnerabilities

If you discover a security vulnerability in docx, please report it responsibly.

Do NOT open a public GitHub issue for security vulnerabilities.

Instead, email us at: security@yavlabs.com

Include:

  • Description of the vulnerability
  • Steps to reproduce
  • Impact assessment
  • Suggested fix (if any)

We will acknowledge your report within 48 hours and provide a timeline for a fix.

Supported Versions

Version   Supported
0.1.x     Yes

Security Best Practices

When deploying docx:

  • Always use HTTPS (TLS) in production — put a TLS-terminating proxy in front of nginx
  • Set a strong, unique value for JWT_SECRET — generate with openssl rand -hex 32
  • Set SETTINGS_ENC_KEY to a random 32-byte base64 string — generate with openssl rand -base64 32
  • Use a dedicated PostgreSQL user with minimal privileges (SELECT/INSERT/UPDATE/DELETE on the docx schema only)
  • Keep Docker images and dependencies up to date
  • Restrict network access to MinIO, Redis, and PostgreSQL — they must not be accessible from outside the Docker network
  • Set MINIO_ROOT_PASSWORD to a strong random value; do not use the default
  • Rotate JWT_SECRET periodically — all existing sessions will be invalidated on rotation
  • If using Google OAuth, restrict the allowed redirect URI to your production domain
  • Review docker compose logs api regularly for authentication anomalies
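The secret-generation and configuration advice above, as an added shell example that is not part of the docx project: it generates the two keys with the openssl commands the list names and checks a .env file for weak values before deployment. The variable names are those the policy lists; the unquoted KEY=VALUE .env layout, the 16-character minimum for the MinIO password and the comparison against MinIO's documented default are assumptions.

```shell
#!/bin/sh
# Added example, not the docx project's own code. Generates the secrets the
# policy names and validates a .env file. Assumes unquoted KEY=VALUE lines.

gen_jwt_secret() { openssl rand -hex 32; }           # 64 hex chars
gen_settings_enc_key() { openssl rand -base64 32; }  # 32 bytes, base64

# JWT_SECRET: accept only 64 lowercase hex characters (32 random bytes).
check_jwt_secret() { printf '%s' "$1" | grep -Eq '^[0-9a-f]{64}$'; }

# SETTINGS_ENC_KEY: must base64-decode to exactly 32 bytes.
check_settings_enc_key() {
  n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  [ "${n:-0}" -eq 32 ]
}

# MINIO_ROOT_PASSWORD: reject empty, MinIO's documented default "minioadmin",
# or anything shorter than 16 characters (assumed minimum).
check_minio_password() {
  [ -n "$1" ] && [ "$1" != "minioadmin" ] && [ "${#1}" -ge 16 ]
}

# check_env_file FILE: prints each weak key, returns the number of failures.
check_env_file() {
  fails=0
  for key in JWT_SECRET SETTINGS_ENC_KEY MINIO_ROOT_PASSWORD; do
    val=$(sed -n "s/^${key}=//p" "$1" | head -n 1)
    case "$key" in
      JWT_SECRET)          check_jwt_secret "$val" ;;
      SETTINGS_ENC_KEY)    check_settings_enc_key "$val" ;;
      MINIO_ROOT_PASSWORD) check_minio_password "$val" ;;
    esac || { echo "WEAK: $key" >&2; fails=$((fails + 1)); }
  done
  return "$fails"
}

# Constructed sample .env (demo values, not real secrets): the MinIO
# password is the default, so one key is reported.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
JWT_SECRET=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
SETTINGS_ENC_KEY=QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE=
MINIO_ROOT_PASSWORD=minioadmin
EOF
check_env_file "$tmp" || echo "$? key(s) need fixing before deploying"
rm -f "$tmp"
```

Generate fresh values with `gen_jwt_secret` and `gen_settings_enc_key`, then re-run the check against the real .env before `docker compose up`.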

There aren't any published security advisories