Security Policy

Last Updated: 8 December 2025

Our Commitment

We take the security of Pixelflare seriously. This policy outlines our security practices and how to report vulnerabilities responsibly.

Reporting Security Vulnerabilities

How to Report

If you discover a security vulnerability in Pixelflare, please report it responsibly:

Preferred Method: GitHub Security Advisories

Alternative: Email the project maintainer using the contact information in the repository

What to Include

Please provide:

• Description of the vulnerability
• Steps to reproduce the issue
• Potential impact assessment
• Suggested fix (if you have one)
• Your contact information for follow-up

What NOT to Report

Please do not report:

• General bugs (use GitHub Issues instead)
• Feature requests
• Configuration questions
• Issues with third-party dependencies that we don't control
• Social engineering or phishing attempts

Response Timeline

We aim to:

• Acknowledge receipt within 48 hours
• Provide an initial assessment within 7 days
• Keep you updated on progress
• Credit you in the security advisory (if desired)

Responsible Disclosure

We ask that you:

• Give us reasonable time to fix the vulnerability before public disclosure
• Do not exploit the vulnerability beyond what's necessary to demonstrate it
• Do not access, modify, or delete other users' data
• Do not perform DoS attacks or compromise service availability
• Coordinate public disclosure timing with us

Security Features

Pixelflare implements multiple security layers:

Authentication & Authorization

• GitHub OAuth via Cloudflare Access
• API key authentication for programmatic access
• Per-user data isolation
• Session management with secure cookies

Network Security

• HTTPS enforcement for all connections
• Cloudflare DDoS protection
• Web Application Firewall (WAF) integration
• Content Security Policy (CSP) headers
• Security response headers (HSTS, X-Frame-Options, etc.)

Bot Protection

• Cloudflare Turnstile integration
• Rate limiting on API endpoints
• Configurable usage quotas per user

Data Protection

• Input validation and sanitization
• SQL injection prevention via Drizzle ORM
• XSS protection via framework defaults
• CSRF protection
• Secure token generation

Monitoring & Audit

• Comprehensive audit logging
• API access tracking
• User action logging
• Failed authentication monitoring

Security Best Practices for Operators

If you deploy your own Pixelflare instance:

Secrets Management

• Never commit secrets to version control
• Use Wrangler secrets for production credentials
• Rotate API keys regularly
• Use strong, unique passwords

# Add secrets to .gitignore
echo ".env*" >> .gitignore

# Set production secrets via Wrangler
wrangler secret put SECRET_NAME

Access Control

• Configure Cloudflare Access policies carefully
• Limit allowed email domains if possible
• Review access policies regularly
• Monitor audit logs for suspicious activity

Infrastructure Security

• Keep dependencies up to date
• Enable Cloudflare WAF rules
• Configure appropriate rate limits
• Use Cloudflare's security features (Bot Fight Mode, DDoS protection)
• Enable DNSSEC on your domains

Data Security

• Enable S3 backup sync for disaster recovery
• Test backup restoration procedures
• Consider encryption for sensitive images
• Implement data retention policies

Monitoring

• Review audit logs regularly
• Monitor usage patterns for anomalies
• Set up alerts for security events
• Track failed authentication attempts

Known Limitations

Pixelflare has some security limitations:

• Very limited built-in content moderation (operator's responsibility)
• Relies on Cloudflare for DDoS protection
• No professional security audit conducted

Security Updates

How We Handle Security Issues

When a security vulnerability is reported:

1. We assess severity and impact
2. We develop and test a fix
3. We release a patch as quickly as safely possible
4. We publish a security advisory on GitHub
5. We update the changelog with security notes

Staying Informed

To stay informed about security updates:

• Watch the GitHub repository for security advisories
• Subscribe to release notifications
• Follow the changelog for security-related updates
• Check the discussions for security announcements

Compliance

Operator Responsibilities

If you operate a Pixelflare instance, you are responsible for:

• Complying with applicable data protection laws (GDPR, CCPA, etc.)
• Implementing appropriate security controls for your use case
• Maintaining security certifications if required
• Conducting security audits as needed
• Responding to user security concerns

Data Protection

Pixelflare provides tools to help with compliance but does not guarantee it:

• User data isolation
• Audit logging capabilities
• Data deletion features
• Data export capabilities

See our Privacy Policy for data handling details.

Security Resources

For Developers

• OWASP Top 10
• Cloudflare Security Center
• GitHub Security Advisories

For Operators

• Cloudflare Access Documentation
• Cloudflare WAF Documentation
• Security Headers Best Practices

Scope

This security policy applies to:

• The Pixelflare codebase (https://github.com/lissy93/pixelflare)
• Official deployments operated by Alicia Sykes
• Security vulnerabilities in the software itself

This policy does not cover:

• Self-hosted instances operated by others
• Third-party integrations or dependencies
• Social engineering attacks
• Physical security
• Infrastructure security (Cloudflare's responsibility)

Recognition

We appreciate security researchers who help improve Pixelflare's security. With your permission, we will:

• Credit you in security advisories
• Acknowledge your contribution in release notes
• List you in a security acknowledgments file (if multiple reports)

Questions

For security-related questions that are not vulnerabilities:

• GitHub Discussions
• GitHub Issues (for non-sensitive topics)

Thank you for helping keep Pixelflare secure.