| Version | Supported |
|---|---|
| 1.x.x | ✅ Yes |
| < 1.0 | ❌ No |
We take security seriously at SplitX. If you discover a security vulnerability, please report it responsibly.
- DO NOT open a public issue
- Email: send details to the maintainer via GitHub
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
- Acknowledgment within 48 hours
- Assessment within 1 week
- Fix timeline communicated after assessment
- Credit given in release notes (unless you prefer anonymity)
| Layer | Protection |
|---|---|
| Authentication | JWT tokens with configurable expiry |
| Passwords | bcrypt hashing with salt rounds |
| HTTP Headers | Helmet.js security headers |
| Rate Limiting | 300 requests per 15 minutes per IP |
| CORS | Configurable origin restrictions |
| Input Validation | Server-side validation on all endpoints |
| File Uploads | Type checking, size limits (5 files max) |
- Set a strong `JWT_SECRET` (32+ characters, random)
- Use HTTPS in production
- Set `NODE_ENV=production`
- Configure CORS to allow only your frontend domain
- Regularly update dependencies (`npm audit`)
- Keep `ADMIN_TOKEN` secret and rotate periodically
We appreciate security researchers who help keep SplitX safe:
Be the first to report a vulnerability and get listed here!