If you discover a security vulnerability, please report it responsibly.

Do not open a public issue.

Open a private security advisory on GitHub.

You should receive a response within 48 hours. We will work with you to understand and address the issue before any public disclosure.

Blixt is designed with security defaults:

• SQL injection: Prevented at compile time by SQLx parameterized queries
• XSS: Prevented at compile time by Askama auto-escaping
• CSRF: Double-submit cookie middleware enabled by default
• Auth: Deny-by-default route protection via AuthUser extractor
• Passwords: argon2id hashing with secure defaults
• JWT: Algorithm pinned to HS256, none algorithm rejected
• Headers: CSP, HSTS, X-Frame-Options, and more set by default
• Rate limiting: Token bucket per IP on auth endpoints
• Memory safety: Rust prevents buffer overflows and use-after-free

Blixt runs cargo audit on every push, pull request, and weekly schedule. Each advisory that surfaces is evaluated with one of three outcomes:

1. Upgrade available, fix immediately — bump the dependency in the next PR
2. No upgrade path, not exploited in our code — document in .cargo/audit.toml with justification and blocker; re-review on every release
3. No upgrade path, actually exploitable — treat as a critical issue, file a private advisory, release a workaround

All accepted advisories live in .cargo/audit.toml with inline comments explaining why each is accepted and what would unblock removing it. This file is the single source of truth for both local audits and CI.

Both are blocked on upstream major version releases from jsonwebtoken, sqlx-postgres, and related crates that pin the older rand 0.8.x line.