Security: EmptyZeroRain/proper_dingtalk_bot

SECURITY.md

Security Policy

Supported Versions

Version Supported
1.5.x
< 1.5

Security Considerations

Credentials Protection

  • Never commit access_token or secret to version control
  • Use environment variables or config files with proper file permissions (chmod 600)
  • Rotate credentials immediately if exposed

Config File Permissions

chmod 600 ~/.dingtalk/config.toml

Domain Validation

When using a private DingTalk deployment, ensure that you:

  • Use HTTPS only
  • Verify domain ownership
  • Avoid untrusted or public domains

Input Sanitization

The tool passes user input directly to the DingTalk API. Ensure that you:

  • Validate message content before sending
  • Sanitize mobile numbers in --atMobiles
  • Be cautious with user-provided URLs in Link/ActionCard messages
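As an added illustration of the Domain Validation and Input Sanitization rules above (written for this page, not code from proper_dingtalk_bot), the Go helpers below enforce HTTPS plus a trusted-host set for a private deployment's API endpoint, drop malformed entries from --atMobiles, and refuse non-web URLs (javascript:, data:) in Link/ActionCard messages. SanitizeMobiles, ValidateURL, the 8-to-15-digit length range and the example.com hostnames are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Hypothetical helpers for this policy, not the project's own code; mobile numbers
// are accepted as plain digit strings of 8 to 15 digits (assumed length range).
var mobileRe = regexp.MustCompile(`^[0-9]{8,15}$`)

// SanitizeMobiles keeps well-formed numbers from --atMobiles and reports the rest:
// surrounding whitespace and a leading '+' are stripped, anything else is rejected.
func SanitizeMobiles(raw []string) (ok, rejected []string) {
	for _, m := range raw {
		n := strings.TrimPrefix(strings.TrimSpace(m), "+")
		if mobileRe.MatchString(n) {
			ok = append(ok, n)
		} else {
			rejected = append(rejected, m)
		}
	}
	return ok, rejected
}

// ValidateURL enforces the policy's URL rules: httpsOnly for a private deployment's
// API endpoint, membership in the (lower-case) trusted host set when it is non-empty,
// and always a real host, no embedded credentials and no non-web scheme such as
// javascript: or data:, which also covers user-supplied Link/ActionCard URLs.
func ValidateURL(raw string, httpsOnly bool, trusted map[string]bool) error {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return err
	}
	if u.Scheme != "https" && (u.Scheme != "http" || httpsOnly) {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := strings.ToLower(u.Hostname())
	if host == "" || u.User != nil {
		return fmt.Errorf("URL must have a host and no embedded credentials")
	}
	if len(trusted) > 0 && !trusted[host] {
		return fmt.Errorf("host %q is not a trusted domain", host)
	}
	return nil
}

func main() {
	ok, bad := SanitizeMobiles([]string{"+8613800138000", " 13900139000 ", "call-me"})
	fmt.Println(ok, bad, ValidateURL("http://api.example.com/robot/send", true, nil))
}
```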

Reporting a Vulnerability

If you discover a security vulnerability, please report it responsibly:

  1. Do NOT open a public GitHub issue
  2. Email to: [your-email@example.com]
  3. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact

Response Timeline

Stage                Timeline
Acknowledgment       48 hours
Initial assessment   1 week
Fix or mitigation    2 weeks

What to Expect

  • Accepted: Fix will be released in next patch version, credit given (unless anonymity requested)
  • Declined: Explanation provided, may suggest workarounds

Security Best Practices

  1. Least Privilege: Grant only necessary permissions to DingTalk robot
  2. Network Security: Run in trusted network environments
  3. Logging: Enable debug mode (-D) only for troubleshooting; disable it in production
  4. Dependencies: Regularly update dependencies with go mod tidy
