| Version | Supported |
|---|---|
| Latest | ✅ |

If you discover a security vulnerability in Echo Mock Server, please report it responsibly.

Do NOT open a public GitHub issue for security vulnerabilities.

Instead, please email: security@example.com

⚠️ Replace the email above with your actual security contact before publishing.

Please include the following in your report:

- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

Expected response timeline:

- Acknowledgment: within 48 hours
- Initial assessment: within 7 days
- Fix release: depends on severity, typically within 30 days

When deploying Echo Mock Server in production:

- Change default credentials — Replace the default `admin/admin` password via `ECHO_ADMIN_PASSWORD` environment variable
- Set a unique Remember Me key — Override `ECHO_REMEMBER_ME_KEY` with a random secret
- Disable H2 Console — Set `spring.h2.console.enabled=false` in production
- Use HTTPS — Deploy behind a reverse proxy (e.g., Nginx) with TLS termination
- Restrict network access — Echo is designed for internal/testing environments; do not expose to the public internet without proper access controls
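
The first three items in the list above can be checked before the server starts. The shell function below is an added example, not part of Echo Mock Server: `echo_preflight` is a hypothetical name, it assumes the settings are passed as environment variables (with the H2 flag supplied as `SPRING_H2_CONSOLE_ENABLED`, Spring Boot's environment-variable form of `spring.h2.console.enabled`), and the 32-character minimum for the Remember Me key is an illustrative threshold.

```shell
#!/bin/sh
# Added example: pre-deployment check for the hardening checklist.
# Assumptions: configuration arrives via environment variables; the
# 32-character key minimum is an illustrative threshold, not a project rule.

# Prints one line per failed check to stderr and returns the failure count
# (0 means all three checks passed).
echo_preflight() {
    _echo_failures=0

    # 1. Default credentials: the admin password must be set and not "admin".
    if [ -z "${ECHO_ADMIN_PASSWORD:-}" ]; then
        echo "FAIL: ECHO_ADMIN_PASSWORD is not set; default admin/admin applies" >&2
        _echo_failures=$((_echo_failures + 1))
    elif [ "$ECHO_ADMIN_PASSWORD" = "admin" ]; then
        echo "FAIL: ECHO_ADMIN_PASSWORD is still the default value" >&2
        _echo_failures=$((_echo_failures + 1))
    fi

    # 2. Remember Me key: must be overridden with a sufficiently long secret.
    #    A value such as the output of `openssl rand -hex 32` satisfies this.
    if [ -z "${ECHO_REMEMBER_ME_KEY:-}" ]; then
        echo "FAIL: ECHO_REMEMBER_ME_KEY is not set" >&2
        _echo_failures=$((_echo_failures + 1))
    elif [ "${#ECHO_REMEMBER_ME_KEY}" -lt 32 ]; then
        echo "FAIL: ECHO_REMEMBER_ME_KEY is shorter than 32 characters" >&2
        _echo_failures=$((_echo_failures + 1))
    fi

    # 3. H2 console: must be explicitly disabled; unset counts as a failure
    #    so the check never depends on a default.
    if [ "${SPRING_H2_CONSOLE_ENABLED:-}" != "false" ]; then
        echo "FAIL: set SPRING_H2_CONSOLE_ENABLED=false (spring.h2.console.enabled)" >&2
        _echo_failures=$((_echo_failures + 1))
    fi

    return "$_echo_failures"
}

# Run the check only when invoked as: ./preflight.sh --check
if [ "${1:-}" = "--check" ]; then
    echo_preflight
    exit $?
fi
```

TLS termination and network exposure are properties of the reverse proxy and the network, so they are outside what this check can see.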