Please report vulnerabilities privately via GitHub private vulnerability reporting — do not open a public issue for security problems.
You can expect an acknowledgement within a few days. This is a personal project, so there's no formal SLA, but security reports get priority over everything else.
Only the latest release (and main) receive security fixes.
Shelf is designed to run on a private home network, but it's hardened as if it weren't:
- Strict Content-Security-Policy — no
unsafe-inline, nounsafe-eval, no CDNs (all assets vendored) - CSRF protection on all mutating requests
- bcrypt password hashing; JWT sessions in HTTP-only, secure cookies
- Role-based access control (admin / editor / viewer)
- Third-party API credentials encrypted at rest (key kept outside the DB, so database backups contain ciphertext only) and write-only in the UI
- Optional passphrase-encrypted (AES) backup downloads
- HTTPS by default (self-signed certs generated on first run)
- Container runs as a non-root user
If you're exposing Shelf beyond your LAN, put it behind a reverse proxy with
a real certificate and set SHELF_TRUST_PROXY=1.