Email security@forkzero.com with a description of the vulnerability. We will respond within 48 hours.
Do not open a public GitHub issue for security vulnerabilities.
| Version | Supported |
|---|---|
| 0.x | Yes |
- IETF BFF pattern (draft-ietf-oauth-browser-based-apps-26 §6.1)
- AES-256-GCM session encryption with a random IV per encryption
- `__Host-` cookie prefix (HttpOnly, Secure, SameSite=Lax, Path=/, no Domain)
- PKCE (S256) on all authorization code flows
- No tokens in browser-accessible storage
- Pluggable `SessionCrypto` for KMS/Vault/HSM backends