If you discover a security vulnerability in EFData, please DO NOT create a public GitHub issue.
Instead, please send details to: kieran@bicheno.me
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
I'll respond within 48 hours and work on a fix immediately.
EFData implements several security measures:
- No hardcoded credentials - Database credentials, API keys and other secrets are read from environment variables, never stored in the source
- Database connections - Use SSL/TLS when the connection string or server is configured for it (see the deployment recommendations below)
- API authentication - API requests are authenticated with JWT tokens in production deployments
- Input validation - All user-supplied input is validated and sanitized before it is used
- Dependency scanning - Regular updates via GitHub Dependabot
Things to be aware of when deploying EFData:
- The application requires database credentials with write access, so the database role it runs as cannot be read-only
- Exchange rate API keys should be kept confidential
- Production deployments should use HTTPS
- Database backups may contain sensitive economic data and need the same protection as the live database
Recommended hardening for production deployments:
- Change every default password (PostgreSQL and any admin accounts) before exposing the service
- Use strong, unique PostgreSQL passwords
- Enable SSL/TLS for database connections, and require it on the server side (for example with `hostssl` entries in `pg_hba.conf`) so plaintext connections are refused
- Set up firewall rules so only the application host can reach the database port
- Use HTTPS for all API endpoints
- Rotate exchange rate API keys regularly and revoke any key that may have leaked
- Monitor application and database access logs for unexpected clients and failed authentication attempts
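The following is an added example, not EFData's own code, showing how the measures and recommendations above can be enforced at startup rather than left to a checklist: secrets come only from the environment, a production deployment refuses to start with a database DSN that does not request TLS, a default or short database password, a plain-http API URL or a short JWT secret, and API tokens are verified as HS256 JWTs with the algorithm pinned and a constant-time MAC comparison. The variable names `DATABASE_URL`, `JWT_SECRET`, `EXCHANGE_RATE_API_KEY`, `EFDATA_API_URL` and `APP_ENV` are assumptions for illustration; EFData's real configuration may use different names.

```python
# Added example, not EFData's own code: fail-closed settings loading plus
# HS256 JWT verification using only the standard library. The variable names
# DATABASE_URL, JWT_SECRET, EXCHANGE_RATE_API_KEY, EFDATA_API_URL and APP_ENV
# are assumptions for illustration; EFData's real configuration may differ.
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

DEFAULT_PASSWORDS = {"postgres", "password", "efdata", "changeme"}  # constructed deny-list
MIN_DB_PASSWORD_LEN = 16
MIN_SECRET_LEN = 32  # bytes; HS256 keys shorter than the hash output are weak


class ConfigError(Exception):
    """A setting is missing or unsafe for the current environment."""


@dataclass(frozen=True)
class Settings:
    database_url: str
    jwt_secret: bytes
    exchange_api_key: str
    api_url: str
    production: bool


def load_settings(env):
    """Build Settings from a mapping such as os.environ, refusing unsafe values.

    In production the PostgreSQL DSN must ask for TLS, the API base URL must be
    https, and default or short credentials are rejected, so a misconfigured
    deployment fails to start instead of running without those protections.
    """
    def require(name):
        value = env.get(name, "").strip()
        if not value:
            raise ConfigError(f"{name} is not set")
        return value

    production = env.get("APP_ENV", "development") == "production"
    dsn = require("DATABASE_URL")
    parts = urlsplit(dsn)
    if parts.scheme not in ("postgresql", "postgres"):
        raise ConfigError("DATABASE_URL must be a postgresql:// DSN")
    if production:
        sslmode = parse_qs(parts.query).get("sslmode", ["prefer"])[0]
        if sslmode not in ("require", "verify-ca", "verify-full"):
            raise ConfigError("DATABASE_URL must set sslmode=require or stricter")
        password = parts.password or ""
        if password in DEFAULT_PASSWORDS or len(password) < MIN_DB_PASSWORD_LEN:
            raise ConfigError("database password is a default or too short")
    secret = require("JWT_SECRET").encode()
    if production and len(secret) < MIN_SECRET_LEN:
        raise ConfigError(f"JWT_SECRET must be at least {MIN_SECRET_LEN} bytes")
    api_url = require("EFDATA_API_URL")
    if production and not api_url.startswith("https://"):
        raise ConfigError("EFDATA_API_URL must use https:// in production")
    return Settings(dsn, secret, require("EXCHANGE_RATE_API_KEY"), api_url, production)


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign_jwt(claims, secret):
    """Issue an HS256 token; used here to construct sample input."""
    header = b64url_encode(json.dumps({"alg": "HS256"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(mac)}"


def verify_jwt(token, secret, now=None):
    """Return the claims if the token is valid, otherwise None.

    The algorithm is pinned to HS256 (alg=none and key-confusion tokens are
    refused), the MAC is compared in constant time, and tokens without a
    numeric exp in the future are rejected.
    """
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(body_b64))
    except ValueError:  # bad base64, bad JSON or wrong segment count
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or now >= exp:
        return None
    return claims
```

Call `load_settings(os.environ)` once at process start and let a `ConfigError` abort startup; a request handler then calls `verify_jwt(token, settings.jwt_secret)` and treats `None` as unauthenticated. The checks are only applied when `APP_ENV=production`, so local development against a plain PostgreSQL on localhost keeps working.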