Security: meklasdev/extracto

SECURITY.md

Security Policy

Supported Versions

| Version | Supported |
| ------- | --------- |
| 0.1.x   | Yes       |

Reporting a Vulnerability

If you discover a security vulnerability in Extracto, please report it by:

  1. DO NOT open a public issue
  2. Email the maintainer directly (see GitHub profile)
  3. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if any)

We will respond within 48 hours and work on a fix as soon as possible.

Security Best Practices

When using Extracto:

  • API Keys: Never commit API keys to version control
  • Environment Variables: Use .env files (already in .gitignore)
  • Input Validation: Validate URLs before extraction
  • Rate Limiting: Implement rate limiting in production
  • CORS: Configure CORS properly in the API
  • Dependencies: Keep dependencies updated

Known Security Considerations

  • Browser Automation: Playwright runs headless browsers - ensure proper sandboxing in production
  • LLM Costs: Implement rate limiting to prevent API cost abuse
  • User Input: Always validate and sanitize URLs from user input
  • API Keys: Store securely using environment variables or secret management systems
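As an added example (not Extracto's own code), here is what "validate URLs before extraction" can look like for a service that hands user-supplied URLs to a headless browser. It assumes Extracto is written in Python, which this page does not state; the allowed scheme set, the length cap, the `validate_url`/`is_allowed` names and the sample DNS answers are illustrative choices, not project settings. The point a defender cares about is that the browser runs on the server, so a URL that resolves to loopback, a link-local metadata endpoint or an RFC 1918 range would make the server fetch its own infrastructure on the user's behalf.

```python
"""Pre-extraction URL validation (added example, not Extracto's own code).

Assumption: the service passes user-supplied URLs to a headless browser that
runs on the server, so only public web addresses should ever reach it.
"""
import ipaddress
import socket
from urllib.parse import urlsplit, urlunsplit

# Illustrative policy values (assumptions, not Extracto settings).
ALLOWED_SCHEMES = {"http", "https"}
MAX_URL_LENGTH = 2048

# Constructed sample DNS answers so the example runs offline (not real lookups).
SAMPLE_DNS = {
    "example.com": "93.184.216.34",  # sample public address
    "intranet.local": "10.0.0.5",    # RFC 1918, must be rejected
}


class InvalidURL(ValueError):
    """Raised for a URL that must not be passed to the headless browser."""


def sample_resolver(host, port, proto=None):
    """Stand-in for socket.getaddrinfo that answers only from SAMPLE_DNS."""
    if host not in SAMPLE_DNS:
        raise OSError(f"name not known: {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, proto or 0, "", (SAMPLE_DNS[host], port))]


def _is_public(ip) -> bool:
    """True only for addresses on the public internet.

    Loopback, RFC 1918, link-local (where cloud metadata endpoints live),
    multicast, reserved and unspecified ranges all point at infrastructure
    around the server rather than at a page the user is entitled to fetch.
    """
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_url(url: str, resolver=socket.getaddrinfo) -> str:
    """Return a normalised URL (fragment dropped) or raise InvalidURL.

    `resolver` has socket.getaddrinfo's shape and is injected so the check can
    be exercised offline; production callers keep the default.
    """
    if not isinstance(url, str) or not url.strip() or len(url) > MAX_URL_LENGTH:
        raise InvalidURL("missing, empty or oversized URL")
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise InvalidURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise InvalidURL("credentials embedded in the URL are not accepted")
    host = parts.hostname  # already lower-cased, brackets stripped from IPv6
    if not host:
        raise InvalidURL("URL has no host")
    try:
        port = parts.port  # ValueError for a non-numeric or out-of-range port
    except ValueError as exc:
        raise InvalidURL(f"bad port: {exc}") from exc

    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None

    if literal is not None:
        addresses = [literal]  # literal address: checked directly, no DNS
    else:
        # A hostname is resolved and every answer is checked, so a name that
        # maps to an internal address is rejected like a literal one would be.
        try:
            infos = resolver(host, port or (443 if scheme == "https" else 80),
                             proto=socket.IPPROTO_TCP)
        except OSError as exc:  # socket.gaierror is an OSError
            raise InvalidURL(f"cannot resolve {host!r}: {exc}") from exc
        addresses = [ipaddress.ip_address(info[4][0]) for info in infos]

    for addr in addresses:
        if not _is_public(addr):
            raise InvalidURL(f"{host!r} points at a disallowed address {addr}")

    if literal is not None and literal.version == 6:
        host = f"[{host}]"
    netloc = host if port is None else f"{host}:{port}"
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))


def is_allowed(url: str, resolver=socket.getaddrinfo) -> bool:
    """Boolean wrapper for callers that only need a verdict."""
    try:
        validate_url(url, resolver)
        return True
    except InvalidURL:
        return False


if __name__ == "__main__":
    for candidate in ("https://example.com/docs#top", "http://intranet.local/",
                      "http://127.0.0.1:8080/", "http://169.254.169.254/latest/",
                      "file:///etc/passwd"):
        verdict = "allowed" if is_allowed(candidate, sample_resolver) else "rejected"
        print(f"{candidate} -> {verdict}")
```

Two caveats apply to any check of this shape. The address is resolved when the URL is validated, but the browser resolves it again when it navigates and then follows whatever redirects the page issues, so the check should be paired with an egress network policy or a proxy that enforces the same address rules at fetch time. The resolver injection exists only to keep the example offline; the default `socket.getaddrinfo` is what a deployment would use.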

Thank you for helping keep Extracto secure! 🔒