| Version | Supported |
|---|---|
| 2.2.x | ✅ Active support |
| 2.1.x | |
| < 2.0 | ❌ No longer supported |
We take security seriously. If you discover a vulnerability in Memora, please report it responsibly.
- Do NOT open a public GitHub issue for security vulnerabilities.
- Email your findings to the maintainer with the subject line `[SECURITY] Memora Vulnerability Report`.
- Include the following details:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact assessment
  - Suggested fix (if any)
- Acknowledgment: Within 48 hours of your report
- Assessment: We will evaluate the severity within 5 business days
- Resolution: Critical vulnerabilities will be patched within 7 days
- Disclosure: We will coordinate responsible disclosure with you
Memora implements the following security controls:
- PBKDF2-SHA256 password hashing with 100,000 iterations and random salt
- HMAC-SHA256 JWT tokens with configurable expiry (24h default)
- Per-endpoint authentication via FastAPI dependency injection
- Rate limiting: Sliding window counter (60 req/min per IP)
- Input validation: Pydantic field constraints with max lengths and regex patterns
- CORS: Restricted to explicitly allowed origins
- Security headers: X-Content-Type-Options, X-Frame-Options, HSTS, Referrer-Policy, Permissions-Policy
- SQLite database excluded from version control via `.gitignore`
- Environment secrets loaded from `.env` (never committed)
- No PII logged in application logs
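As an added illustration (not Memora's own code, which lives in `app/auth.py` and may differ), the following stdlib-only Python shows the first two controls above end to end: PBKDF2-SHA256 with 100,000 iterations and a fresh random salt per password, compared in constant time, and an HS256 JWT minted and verified with the 24h default expiry. The `pbkdf2_sha256$iterations$salt$hash` storage format, the function names and the injectable `now` clock parameter are assumptions made for the example.

```python
# Added example, not Memora's code: stdlib-only PBKDF2-SHA256 password storage
# and HS256 JWT mint/verify. Storage format and function names are assumptions.
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

PBKDF2_ITERATIONS = 100_000   # iteration count stated in the controls list
SALT_BYTES = 16               # 128-bit random salt, fresh for every password
JWT_TTL_SECONDS = 24 * 3600   # 24h default token lifetime


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>'.
    A fresh salt means identical passwords produce different records,
    so a stolen table cannot be attacked with one precomputed dictionary."""
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time.
    Any malformed record is treated as a failed login rather than an error."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(dk, bytes.fromhex(hash_hex))
    except (ValueError, TypeError):
        return False


def _b64url(data: bytes) -> str:
    """JWT segments are unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(secret: bytes, sub: str, ttl: int = JWT_TTL_SECONDS,
             now: Optional[int] = None) -> str:
    """header.payload.signature, signature = HMAC-SHA256(secret, header.payload).
    `now` is injectable so callers (and tests) can pin the clock."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"},
                                separators=(",", ":")).encode("utf-8"))
    payload = _b64url(json.dumps({"sub": sub, "iat": now, "exp": now + ttl},
                                 separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(secret: bytes, token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims only if alg is exactly HS256, the HMAC matches and
    exp is still in the future; otherwise None. Pinning alg before verifying
    rejects 'alg: none' tokens and key-confusion tricks outright."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        if not isinstance(claims, dict) or now >= int(claims["exp"]):
            return None
        return claims
    except (ValueError, KeyError, TypeError):
        return None


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record),
          verify_password("wrong", record))
    key = secrets.token_bytes(32)   # the kind of value the SECRET_KEY warning asks for
    token = mint_jwt(key, "alice")
    print(token)
    print(verify_jwt(key, token))
    print(verify_jwt(key, token, now=int(time.time()) + JWT_TTL_SECONDS))  # None: expired
```

Two details matter in practice: the iteration count is stored alongside the hash, so it can be raised later and old records re-hashed on next login, and `verify_jwt` rejects a token at exactly `exp` (a token is valid for `exp - now > 0` seconds, never at or after `exp`).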
⚠️ JWT Secret: The default `SECRET_KEY` in `app/auth.py` is a placeholder. You MUST change it before deploying to production. Generate a cryptographically random value and load it from `.env` rather than hard-coding it:

```python
import secrets
print(secrets.token_hex(32))
```
⚠️ SQLite: Not recommended for production multi-user deployments.
Consider PostgreSQL or MySQL for concurrent access patterns.
We monitor dependencies for known vulnerabilities. Run `pip-audit` against the pinned requirements to check:

```shell
pip install pip-audit
pip-audit -r requirements.txt
```