If you discover a security vulnerability, please report it responsibly:

1. Do NOT open a public GitHub issue
2. Email security@devsper.com with:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact assessment
3. You will receive an acknowledgment within 48 hours
4. We aim to release a fix within 7 days for critical issues

The registry supports three authentication methods:

JWT algorithm pinning: JWKS verification is pinned to RS256 and ES256 only, preventing algorithm confusion attacks.

API key security: Keys are hashed with SHA-256 before storage. Comparison uses crypto/subtle.ConstantTimeCompare to prevent timing attacks.

• Scope-based: API keys carry explicit scopes (read, publish, admin)
• JWT sessions bypass scope checks (full access assumed for authenticated web users)
• API key expiry is enforced at middleware level after database lookup

CORS is restricted to an explicit origin allowlist derived from BASE_URL, FRONTEND_URL, HOMEPAGE_URL, and optional CORS_ALLOWED_ORIGINS configuration. Credentials are only sent for matching origins.

The device flow store is capped at 10,000 pending requests to prevent memory exhaustion.

• Server-side encryption: S3 PutObject uses AES-256 server-side encryption in production (disabled for MinIO/LocalStack in development)
• Presigned URL TTL: Download URLs expire after 15 minutes
• Upload timeout: S3 uploads have a 30-second context deadline

• HSTS with preload directive (max-age 2 years)
• X-Frame-Options: DENY
• X-Content-Type-Options: nosniff
• Permissions-Policy restricts camera, microphone, geolocation, payment
• Content-Security-Policy with strict connect-src
• Server header removed
• /internal/* endpoints blocked from external access

1. Verification pipeline (verify.go): Currently a stub — no automated package verification is performed. Packages are marked "passed" immediately on upload.

2. User code entropy (device flow): The 4-letter + 4-digit user code has ~29 bits of entropy with non-uniform distribution. Acceptable per RFC 8628 but could be improved.

3. Docker Compose sslmode=disable: The production Docker Compose uses sslmode=disable for the PostgreSQL connection. This is acceptable for container-to-container networking on the same Docker bridge, but should NOT be used if the database is on a separate host.

4. OAuth secrets in .env: The working tree contains real GitHub and Google OAuth client secrets in registry/.env. While gitignored, these should be rotated if the repository is ever made public or the secrets are compromised.