| Version | Supported |
|---|---|
| 3.x | ✅ Active |
| 2.x | |
| 1.x | ❌ No longer supported |
Please do not report security vulnerabilities through public GitHub issues.
If you discover a security vulnerability, please send an email to refkinscallv@gmail.com with:
- Subject: `[SECURITY] Brief description`
- Description: What is the vulnerability and where is it located?
- Impact: What could an attacker do with this vulnerability?
- Steps to reproduce: Minimal steps to trigger the issue
- Suggested fix: If you have a proposed solution
You can expect:
- Acknowledgement within 48 hours
- Status update within 7 days
- Fix or mitigation within 30 days for critical issues
We appreciate responsible disclosure and will credit you in the release notes if you wish.
When deploying Node Framework in production:
- Set `NODE_ENV=production`
- Use strong, unique values for `JWT_SECRET` and `JWT_REFRESH_SECRET` (run `npm run setup`)
- Enable HTTPS: `SERVER_HTTPS=true`
- Restrict CORS origin in `app/config.js` — never use `*` in production
- Enable rate limiting: `RATE_LIMIT_ENABLED=true`
- Never commit `.env` files to version control
- Use strong database passwords
- Keep dependencies up to date (`npm audit`)
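A startup preflight that checks the settings in this list, added here as an example and not part of Node Framework: it takes a `process.env`-like object plus the configured CORS origin (the layout of `app/config.js` is not known here, so the origin is passed in directly) and returns the failed checks; the 32-character minimum and the sample values are assumptions.

```javascript
// Added example, not Node Framework's own code: a production preflight
// that checks the deployment settings listed above and returns findings.
// Assumptions: `env` is a process.env-like object of strings; the CORS
// origin is passed in directly because the layout of app/config.js is
// not known here; MIN_SECRET_LENGTH is an assumed threshold.
const MIN_SECRET_LENGTH = 32;

// A secret is weak if missing, short, or made of very few distinct
// characters (a crude stand-in for an entropy check).
function isWeakSecret(value) {
  if (typeof value !== 'string' || value.length < MIN_SECRET_LENGTH) return true;
  return new Set(value).size < 10;
}

// Returns an array of human-readable findings; empty means every check passed.
function checkProductionConfig(env, corsOrigin) {
  const findings = [];
  if (env.NODE_ENV !== 'production') findings.push('NODE_ENV is not "production"');
  if (isWeakSecret(env.JWT_SECRET)) findings.push('JWT_SECRET is missing or weak');
  if (isWeakSecret(env.JWT_REFRESH_SECRET)) findings.push('JWT_REFRESH_SECRET is missing or weak');
  if (env.JWT_SECRET && env.JWT_SECRET === env.JWT_REFRESH_SECRET) {
    findings.push('JWT_SECRET and JWT_REFRESH_SECRET must differ');
  }
  if (env.SERVER_HTTPS !== 'true') findings.push('SERVER_HTTPS is not "true"');
  if (env.RATE_LIMIT_ENABLED !== 'true') findings.push('RATE_LIMIT_ENABLED is not "true"');
  // The CORS origin may be a string or a list; a wildcard or empty entry is unrestricted.
  const origins = Array.isArray(corsOrigin) ? corsOrigin : [corsOrigin];
  if (origins.length === 0 || origins.some((o) => !o || o === '*')) {
    findings.push('CORS origin is unrestricted (wildcard or empty)');
  }
  return findings;
}

// Constructed sample settings; the secrets below are throwaway demo values.
const weakEnv = {
  NODE_ENV: 'development', JWT_SECRET: 'secret', JWT_REFRESH_SECRET: 'secret', SERVER_HTTPS: 'false',
};
const hardenedEnv = {
  NODE_ENV: 'production',
  JWT_SECRET: '7f3a9c1e5b2d8046a1c3e5f7b9d2406813579bdf2468ace0',
  JWT_REFRESH_SECRET: 'e9d8c7b6a5f4321098765432100fedcba98765432101234ab',
  SERVER_HTTPS: 'true',
  RATE_LIMIT_ENABLED: 'true',
};

// Run the preflight over both samples; in a real deployment the app would
// refuse to start when the returned list is non-empty.
for (const [name, env, origin] of [['weak', weakEnv, '*'], ['hardened', hardenedEnv, 'https://example.com']]) {
  console.log(name, checkProductionConfig(env, origin));
}
```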