We actively support the latest version of BrandKit with security updates.

| Version | Supported |
|---|---|
| latest | ✅ |
| < 2.0 | ❌ |

BrandKit includes comprehensive security measures:
- CSRF Protection: Cross-Site Request Forgery protection via Flask-WTF
- Rate Limiting: Protection against abuse (200 requests/day, 50 requests/hour default)
- Content Security Policy (CSP): Protection against XSS and other web vulnerabilities
- Security Headers: Comprehensive HTTP security headers via Flask-Talisman
- Input Validation: Thorough validation of file uploads and user inputs
- Metadata Stripping: Optional removal of EXIF data for privacy
- Memory Safety: Protection against memory exhaustion attacks
- Secure File Handling: Validated file extensions and safe file processing
- Use HTTPS: Always deploy behind a reverse proxy (Nginx, Caddy) with SSL/TLS
- Environment Variables: Use environment variables for sensitive configuration
- Update Dependencies: Regularly update Python packages: `pip install -r requirements.txt --upgrade`
- Container Security: Keep Docker images updated
- Access Control: Implement authentication for production deployments (e.g., Cloudflare Access)
- File Size Limits: Configure appropriate upload limits via `BRANDKIT_MAX_UPLOAD_MB`
- Network Isolation: Use Docker networks or firewalls to restrict access
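
The upload checks the feature list above names (Input Validation, Memory Safety, Secure File Handling) together with the `BRANDKIT_MAX_UPLOAD_MB` byte cap, written out as an added example. This is not BrandKit's own code: apart from the `BRANDKIT_MAX_UPLOAD_MB` variable name, every identifier, the 10 MB default and the pixel budget are assumptions. The point it makes beyond the bullet list is that the extension allowlist alone is not enough: the bytes must match the claimed type, and the declared canvas size must be bounded before a decoder is allowed to allocate for it.

```python
"""Upload validation for an image-processing web service (added example, not BrandKit code).

Checks, in order: extension allowlist, byte cap from BRANDKIT_MAX_UPLOAD_MB,
magic-byte sniffing so the content must match the claimed type, and a pixel
budget read from the image header before any decoder runs (a few dozen bytes
can declare a 100000x100000 canvas). Names other than BRANDKIT_MAX_UPLOAD_MB
are assumptions.
"""
import os
import struct

MAX_UPLOAD_MB = int(os.environ.get("BRANDKIT_MAX_UPLOAD_MB", "10"))  # 10 MB default is assumed
MAX_UPLOAD_BYTES = MAX_UPLOAD_MB * 1024 * 1024
MAX_PIXELS = 40_000_000  # assumed decode budget (width * height)


def _extension(filename):
    # Only the final suffix counts, lower-cased: "logo.png.exe" -> "exe"
    name = os.path.basename(filename)
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def _png_dimensions(data):
    # PNG: 8-byte signature, then the IHDR chunk (length, "IHDR", width, height as big-endian u32)
    if len(data) < 24 or data[:8] != b"\x89PNG\r\n\x1a\n" or data[12:16] != b"IHDR":
        return None
    return struct.unpack(">II", data[16:24])


def _jpeg_dimensions(data):
    # JPEG: SOI, then marker segments; the SOF0/SOF2 segment carries precision, height, width
    if data[:2] != b"\xff\xd8":
        return None
    i = 2
    while i + 9 <= len(data):
        if data[i] != 0xFF:
            return None
        marker = data[i + 1]
        if marker in (0xC0, 0xC2):
            height, width = struct.unpack(">HH", data[i + 5:i + 9])
            return width, height
        (segment_len,) = struct.unpack(">H", data[i + 2:i + 4])
        i += 2 + segment_len
    return None


# Allowlist: an extension is accepted only if its content can be sniffed and bounded
SNIFFERS = {"png": _png_dimensions, "jpg": _jpeg_dimensions, "jpeg": _jpeg_dimensions}


def rejection_reason(filename, data):
    """Return None if the upload passes every check, else a short reason string."""
    ext = _extension(filename)
    if ext not in SNIFFERS:
        return "extension not allowed"
    if len(data) > MAX_UPLOAD_BYTES:
        return "file exceeds BRANDKIT_MAX_UPLOAD_MB"
    dims = SNIFFERS[ext](data)
    if dims is None:
        return "content does not match claimed image type"
    width, height = dims
    if width == 0 or height == 0 or width * height > MAX_PIXELS:
        return "declared dimensions exceed pixel budget"
    return None


def validate_upload(filename, data):
    """Return (kind, width, height) for an acceptable upload, else raise ValueError."""
    reason = rejection_reason(filename, data)
    if reason is not None:
        raise ValueError(reason)
    ext = _extension(filename)
    width, height = SNIFFERS[ext](data)
    return ext, width, height


# Constructed sample headers: enough bytes for the sniffers, not complete images
def png_header(width, height):
    return (b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR"
            + struct.pack(">II", width, height) + b"\x08\x06\x00\x00\x00")


def jpeg_header(width, height):
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\x00" * 9
    sof0 = (b"\xff\xc0" + struct.pack(">H", 17) + b"\x08"
            + struct.pack(">HH", height, width) + b"\x03" + b"\x00" * 9)
    return b"\xff\xd8" + app0 + sof0


if __name__ == "__main__":
    print(validate_upload("logo.png", png_header(800, 600)))
    print(rejection_reason("bomb.png", png_header(100_000, 100_000)))
```

In a Flask handler the bytes would come from `request.files[...]`; the header sniff runs on the first few hundred bytes, so it can sit in front of the full read and the size check, and the pixel budget should match whatever the image library is configured to refuse.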
We take security seriously. If you discover a security vulnerability, please follow these steps:
- DO NOT open a public GitHub issue for security vulnerabilities
- Email the maintainer directly at: [email protected]
- Include the following information:
  - Description of the vulnerability
  - Steps to reproduce the issue
  - Potential impact
  - Suggested fix (if any)
  - Your contact information
- Acknowledgment: Within 48 hours of your report
- Initial Assessment: Within 5 business days
- Progress Updates: Every 7 days until resolved
- Resolution: We aim to fix critical vulnerabilities within 30 days
- Credit: We'll acknowledge your contribution (unless you prefer to remain anonymous)
- We will confirm receipt of your vulnerability report
- We will investigate and assess the severity
- We will develop and test a fix
- We will release a security update
- We will publicly disclose the vulnerability (with your consent on timing)
- Critical: Remote code execution, authentication bypass
- High: Data exposure, privilege escalation
- Medium: XSS, CSRF (not covered by existing protections)
- Low: Information disclosure, minor issues
- Always use the latest version
- Enable all security features
- Use strong, unique secrets for `FLASK_SECRET_KEY`
- Implement proper access controls
- Monitor logs for suspicious activity
- Use container security scanning
- Restrict network access to necessary ports only
- Never commit secrets or credentials to version control
- Use `.env` files for local configuration (add to `.gitignore`)
- Keep dependencies updated
- Review code changes for security implications
- Test security features before deploying
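
A preflight script that turns the checklist above into checks run before the service starts, as an added example rather than anything shipped with BrandKit: `FLASK_SECRET_KEY` must be set, long enough and not a placeholder; `BRANDKIT_MAX_UPLOAD_MB`, if set, must be a sane integer; and `.env` must be ignored by git. The two environment variable names are from this page; the thresholds, the placeholder list and the accepted range are assumptions.

```python
"""Deployment preflight for a Flask service (added example, not BrandKit's own code).

Findings are returned as strings so the caller can print them and refuse to
start. Thresholds, the placeholder list and the upload range are assumptions.
"""
import os
import re

MIN_SECRET_BYTES = 32  # assumed floor; `python -c "import secrets; print(secrets.token_hex(32))"` gives 64 hex chars
PLACEHOLDER_SECRETS = {"", "changeme", "secret", "dev", "password", "your-secret-key"}  # assumed


def check_secret_key(value):
    # Unset, whitespace-only or a well-known placeholder: the session signing key is guessable
    if value is None or value.strip().lower() in PLACEHOLDER_SECRETS:
        return "FLASK_SECRET_KEY is unset or a placeholder"
    if len(value.encode()) < MIN_SECRET_BYTES:
        return f"FLASK_SECRET_KEY is shorter than {MIN_SECRET_BYTES} bytes"
    if len(set(value)) < 8:
        return "FLASK_SECRET_KEY has too little variety (repeated characters)"
    return None


def check_upload_limit(value):
    if value is None:
        return None  # the application default applies
    if not value.isdigit() or not 1 <= int(value) <= 100:
        return "BRANDKIT_MAX_UPLOAD_MB must be an integer between 1 and 100 (assumed range)"
    return None


def check_gitignore(gitignore_text):
    # Accept ".env", "/.env" or a glob such as ".env*" on its own line; comment lines don't count
    for line in gitignore_text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue
        if re.fullmatch(r"/?\.env(\*|\.\*)?", line):
            return None
    return ".env is not listed in .gitignore"


def preflight(env, gitignore_text):
    """Return the list of findings; an empty list means the deployment may start."""
    findings = [
        check_secret_key(env.get("FLASK_SECRET_KEY")),
        check_upload_limit(env.get("BRANDKIT_MAX_UPLOAD_MB")),
        check_gitignore(gitignore_text),
    ]
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    gitignore = open(".gitignore").read() if os.path.exists(".gitignore") else ""
    problems = preflight(dict(os.environ), gitignore)
    for finding in problems:
        print("preflight:", finding)
    raise SystemExit(1 if problems else 0)
```

Run it as the container's entrypoint guard (`python preflight.py && exec gunicorn ...`) so a deployment with a default secret or an unbounded upload limit never comes up.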
- Only upload images from trusted sources
- Be aware that uploaded images may contain metadata
- Use the metadata stripping option for privacy-sensitive content
- Implement additional access controls if needed for your use case
- The application is designed for internal/trusted use cases
- For public-facing deployments, additional authentication is strongly recommended
- File uploads are not virus-scanned (implement separately if needed)
- Processing user-uploaded images carries inherent risks
Security updates will be released as needed and announced via:
- GitHub Security Advisories
- Repository README
- CHANGELOG.md
Subscribe to repository notifications to stay informed.
- We follow responsible disclosure practices
- We will coordinate with reporters on disclosure timing
- We aim for public disclosure within 90 days of a fix
- We will credit security researchers (with permission)
For security concerns: [email protected]
For general issues: GitHub Issues
Thank you for helping keep BrandKit secure!