If you discover a security vulnerability in ATAuth, please report it responsibly.
Do not open a public GitHub issue for security vulnerabilities.
Instead, please send an email describing the vulnerability to the maintainers. Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested fixes (optional)

| Version | Supported |
|---|---|
| 2.x | Yes |
| 1.x | Security fixes only |
| < 1.0 | No |

When using ATAuth:
- Always use HTTPS in production environments
- Keep HMAC secrets secure: never commit them to version control
- Enable rate limiting to prevent brute-force attacks
- Verify tokens server-side; client-side decoding is for display only
- Rotate secrets periodically, especially if compromise is suspected
- Keep dependencies updated; update all packages regularly
- Token verification uses constant-time comparison to prevent timing attacks
- Session tokens should be transmitted over secure channels only
- The gateway should be deployed behind a reverse proxy with TLS termination
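The points about server-side verification, display-only client decoding and constant-time comparison are easiest to see in code. The following is an added example written for this page, not ATAuth's own implementation: the `<payload>.<signature>` token layout, the function names, and the demo secret are assumptions made for illustration. It mints an HMAC-SHA256 token, decodes it the way a client would (no signature check), and verifies it the way a server must (recompute the MAC, compare with `hmac.compare_digest`, then check expiry).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret. A real deployment loads this from a secret store or
# the environment, never from source control ("Keep HMAC secrets secure").
SECRET = b"demo-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    """URL-safe base64 without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; raises ValueError (binascii.Error) on bad input."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_claims(claims: dict) -> str:
    """Serialise claims as compact JSON, then base64url (hypothetical format)."""
    return b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))


def issue_token(subject: str, ttl_seconds: int = 3600,
                secret: bytes = SECRET, now: Optional[int] = None) -> str:
    """Mint a '<payload>.<signature>' token; signature = HMAC-SHA256(secret, payload)."""
    if now is None:
        now = int(time.time())
    payload = encode_claims({"sub": subject, "exp": now + ttl_seconds})
    signature = hmac.new(secret, payload.encode("ascii"), hashlib.sha256).digest()
    return f"{payload}.{b64url_encode(signature)}"


def decode_for_display(token: str) -> dict:
    """Client-side decode: reads the claims WITHOUT checking the signature.
    Fine for showing a username in a UI; says nothing about authenticity."""
    payload = token.split(".", 1)[0]
    return json.loads(b64url_decode(payload))


def verify_token(token: str, secret: bytes = SECRET,
                 now: Optional[int] = None) -> Optional[dict]:
    """Server-side verification. Returns the claims on success, None on any failure.
    The MAC is recomputed over the untrusted payload and compared with
    hmac.compare_digest, whose running time does not depend on where the first
    mismatching byte sits, so the comparison leaks no timing information."""
    try:
        payload, signature_b64 = token.split(".", 1)
        provided = b64url_decode(signature_b64)
        expected = hmac.new(secret, payload.encode("ascii"), hashlib.sha256).digest()
    except ValueError:  # missing '.', bad base64, non-ASCII text
        return None
    # Constant-time comparison; also returns False for mismatched lengths.
    if not hmac.compare_digest(expected, provided):
        return None
    # Only after the MAC check is the payload trustworthy enough to parse.
    try:
        claims = json.loads(b64url_decode(payload))
    except ValueError:
        return None
    if now is None:
        now = int(time.time())
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, int) or exp <= now:
        return None
    return claims


if __name__ == "__main__":
    tok = issue_token("alice", ttl_seconds=60)
    print("display:", decode_for_display(tok))
    print("verified:", verify_token(tok))
```

A token whose payload has been altered still decodes cleanly on the client, which is exactly why display-only decoding cannot be used for authorization; the server-side check rejects it because the recomputed MAC no longer matches. Expired tokens, tokens signed with another secret, and malformed strings all come back as `None` rather than raising, so the gateway can treat every failure path identically.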