| Version | Supported |
|---|---|
| 1.x.x | ✅ Active support |
If you discover a security vulnerability, please report it responsibly:
- Do NOT create a public GitHub issue
- Email: Send details to the project maintainer
- Include: Description, steps to reproduce, potential impact
We will respond within 48 hours and aim to release a fix within 7 days for critical issues.
- Never commit LinkedIn credentials to source control
- Use environment variables for all secrets
- Cookie-based auth tokens should be rotated regularly
- OAuth tokens have automatic expiration
- The server does not store any LinkedIn data persistently
- All caching is in-memory and ephemeral
- Log output redacts sensitive tokens and cookies
- No data is sent to any third-party service
- HTTP transport supports CORS with configurable origins
- All LinkedIn API calls use HTTPS
- Rate limiting prevents abuse
- Request timeouts prevent hanging connections
- Production Docker image runs as non-root user
- Minimal base image (Alpine) reduces attack surface
- No unnecessary packages installed
- Use OAuth authentication when possible (official, TOS-compliant)
- Set strict rate limits to avoid LinkedIn account restrictions
- Run in Docker or remote mode to isolate from your local environment
- Regularly rotate session cookies if using cookie-based auth
- Review logs for any unexpected authentication failures