| Version | Supported |
|---|---|
| 2.x | ✅ Active support |
| 1.x | |
| < 1.0 | ❌ No support |
Please do NOT report security vulnerabilities through public GitHub issues.
Instead, please report them responsibly via one of:
- GitHub Security Advisories: Create a private advisory
- Email: security@apiwatch.dev (if available)
Please include as much of the following as you can:
- Type of vulnerability (XSS, SQL injection, SSRF, auth bypass, etc.)
- Full path to the affected source file(s)
- Step-by-step instructions to reproduce
- Proof-of-concept or exploit code (if possible)
- Impact assessment
| Step | Timeline |
|---|---|
| Acknowledgment | Within 48 hours |
| Initial assessment | Within 1 week |
| Fix development | Within 2 weeks |
| Public disclosure | After fix is released |
- We will acknowledge your report promptly
- We will keep you informed of progress
- We will credit you in the security advisory (unless you prefer anonymity)
- We will not take legal action against good-faith security researchers
When deploying API-Watch:
- Set `JWT_SECRET_KEY` — Use a strong, unique secret (≥64 characters)
- Use HTTPS in production — Never expose the API over plain HTTP
- Restrict CORS — Set `CORS_ALLOWED_ORIGINS` to your specific domain
- Database credentials — Use strong passwords, never commit them to git
- AI API keys — Store in environment variables, never in source code
- Rate limiting — Keep rate limiting enabled in production
- Network isolation — Use Docker networks to isolate services
- Regular updates — Enable Dependabot and apply security patches promptly
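The checklist above can be enforced at startup rather than left to a human reading a .env file. The following is an added example, not API-Watch's own code: it validates the settings named on this page (`JWT_SECRET_KEY`, `CORS_ALLOWED_ORIGINS`) plus three assumed variable names (`PUBLIC_BASE_URL`, `DATABASE_URL`, `RATE_LIMIT_ENABLED`) and refuses to start when a production deployment fails any check. The insecure sample environment at the bottom is constructed for the demonstration.

```python
"""Startup check for the deployment settings listed above (added example, not API-Watch code)."""
import secrets
from typing import Dict, List
from urllib.parse import urlsplit

MIN_SECRET_LENGTH = 64
# Placeholder values commonly left behind in copied .env files (constructed list for this example).
PLACEHOLDER_SECRETS = {"changeme", "secret", "password", "postgres", "your-secret-key"}


def generate_secret(length: int = MIN_SECRET_LENGTH) -> str:
    """Return a random URL-safe secret of at least `length` characters.

    token_urlsafe yields 4 characters per 3 bytes, so the byte count is rounded up.
    """
    return secrets.token_urlsafe(-(-length * 3 // 4))


def check_settings(env: Dict[str, str], production: bool = True) -> List[str]:
    """Return a list of misconfigurations; an empty list means every check passed.

    JWT_SECRET_KEY and CORS_ALLOWED_ORIGINS come from the page's checklist;
    PUBLIC_BASE_URL, DATABASE_URL and RATE_LIMIT_ENABLED are assumed names.
    """
    problems: List[str] = []

    # JWT signing key: long enough, and not a placeholder or a single repeated character.
    secret = env.get("JWT_SECRET_KEY", "")
    if len(secret) < MIN_SECRET_LENGTH:
        problems.append(
            f"JWT_SECRET_KEY must be at least {MIN_SECRET_LENGTH} characters (got {len(secret)})"
        )
    elif secret.lower() in PLACEHOLDER_SECRETS or len(set(secret)) < 16:
        problems.append("JWT_SECRET_KEY looks like a placeholder or low-entropy value")

    # CORS: explicit origins only, no wildcards, https in production.
    origins = [o.strip() for o in env.get("CORS_ALLOWED_ORIGINS", "").split(",") if o.strip()]
    if not origins:
        problems.append("CORS_ALLOWED_ORIGINS is not set; set it to the exact origin of the frontend")
    for origin in origins:
        if origin == "*" or origin.endswith("*"):
            problems.append(f"CORS_ALLOWED_ORIGINS contains wildcard {origin!r}")
        elif production and not origin.startswith("https://"):
            problems.append(f"CORS origin {origin!r} is not https")

    # Transport: the public base URL must be https in production (assumed variable name).
    base_url = env.get("PUBLIC_BASE_URL", "")
    if production and base_url.startswith("http://"):
        problems.append("PUBLIC_BASE_URL uses plain http; serve the API over HTTPS in production")

    # Database credentials: reject short or placeholder passwords embedded in the URL.
    db_url = env.get("DATABASE_URL", "")
    db_password = urlsplit(db_url).password or ""
    if db_url and (len(db_password) < 16 or db_password.lower() in PLACEHOLDER_SECRETS):
        problems.append("DATABASE_URL password is shorter than 16 characters or a placeholder")

    # Rate limiting must stay on (assumed variable name; default is on).
    if env.get("RATE_LIMIT_ENABLED", "true").strip().lower() in {"0", "false", "no", "off"}:
        problems.append("RATE_LIMIT_ENABLED is off; keep rate limiting enabled in production")

    return problems


# Constructed example of a copied-from-dev environment; every line fails a check.
EXAMPLE_BAD_ENV = {
    "JWT_SECRET_KEY": "changeme",
    "CORS_ALLOWED_ORIGINS": "*",
    "PUBLIC_BASE_URL": "http://api.example.com",
    "DATABASE_URL": "postgresql://postgres:postgres@db:5432/apiwatch",
    "RATE_LIMIT_ENABLED": "false",
}

if __name__ == "__main__":
    import sys

    findings = check_settings(EXAMPLE_BAD_ENV)
    for finding in findings:
        print(f"config error: {finding}")
    print(f"suggested JWT_SECRET_KEY: {generate_secret()}")
    sys.exit(1 if findings else 0)
```

Call `check_settings(dict(os.environ))` from the application's entry point before binding the listening socket, so a bad deployment fails loudly instead of serving traffic with a guessable signing key or an open CORS policy.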
Security controls included in API-Watch:
- SSRF protection on request execution (URL validation)
- SQL injection prevention (SQLAlchemy parameterized queries)
- XSS prevention (React auto-escaping)
- Rate limiting on authentication endpoints
- Non-root Docker container
- Secret scanning in pre-commit hooks
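The first item in that list, URL validation before a user-supplied request is executed, is the control most often implemented incompletely. The following is an added example of how such a guard should be written; it is not API-Watch's own implementation, and the function names and the `sample_resolver` DNS table are constructed for this demonstration. It rejects non-http(s) schemes, embedded credentials, and any target whose literal or resolved address is not globally routable, which covers loopback, RFC 1918 ranges, the 169.254.169.254 cloud metadata endpoint, CGNAT, and IPv4-mapped IPv6 forms such as `::ffff:127.0.0.1`.

```python
"""SSRF guard for user-supplied request targets (added example, not API-Watch code)."""
import ipaddress
import socket
from typing import Callable, List, Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

Resolver = Callable[[str], List[str]]


def is_public_ip(ip: str) -> bool:
    """True only for globally routable addresses.

    is_global is False for loopback, private (RFC 1918), link-local (which includes
    169.254.169.254), shared/CGNAT (100.64.0.0/10), multicast, reserved and
    unspecified addresses. IPv4-mapped IPv6 addresses are unwrapped first so that
    ::ffff:127.0.0.1 is judged as 127.0.0.1 rather than as an unfamiliar IPv6 host.
    """
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global


def resolve_all(host: str) -> List[str]:
    """Return every A/AAAA record for host (empty list if it does not resolve).

    A name that resolves to a mix of public and private addresses must be rejected,
    so callers check every record, not just the first.
    """
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def rejection_reason(url: str, resolver: Resolver = resolve_all) -> Optional[str]:
    """Return why url must not be fetched, or None if it passes every check."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return "credentials embedded in URL are not allowed"
    host = parts.hostname  # already lower-cased, brackets stripped from IPv6 literals
    if not host:
        return "missing host"
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal address: no DNS lookup
    except ValueError:
        addresses = resolver(host)
    if not addresses:
        return f"host {host!r} did not resolve"
    for address in addresses:
        if not is_public_ip(address):
            return f"host {host!r} resolves to non-public address {address}"
    return None


def validate_target_url(url: str, resolver: Resolver = resolve_all) -> str:
    """Raise ValueError for a disallowed target; return the URL unchanged otherwise."""
    reason = rejection_reason(url, resolver)
    if reason is not None:
        raise ValueError(f"refusing to fetch {url}: {reason}")
    return url


# Constructed DNS table so the example runs offline; real code uses resolve_all.
SAMPLE_DNS = {
    "example.com": ["93.184.216.34"],
    "internal.test": ["10.0.0.5"],
    "mixed.test": ["93.184.216.34", "10.0.0.5"],
}


def sample_resolver(host: str) -> List[str]:
    return SAMPLE_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in (
        "https://example.com/health",
        "http://internal.test/admin",
        "http://mixed.test/",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:127.0.0.1]:8080/",
        "ftp://example.com/",
    ):
        print(f"{candidate:45} -> {rejection_reason(candidate, sample_resolver) or 'allowed'}")
```

Two caveats a practitioner should carry into production. First, validation and the actual fetch resolve the name separately, so a DNS rebinding attacker can pass the check and then point the name at an internal address; connect to the address that was validated (or re-resolve and re-check immediately before connecting) rather than handing the hostname to the HTTP client. Second, redirects are a second request: disable automatic redirect following and run the same check on each `Location` before following it.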