We release patches for security vulnerabilities for the following versions:
| Version | Supported |
|---|---|
| 1.x.x | ✅ |
We take security seriously. If you discover a security vulnerability, please follow these steps:
- DO NOT create a public GitHub issue
- Email security details to: security@yourproject.com (replace with actual email)
- Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Acknowledgment within 48 hours
- Status update within 7 days
- Fix timeline based on severity
- Credit in release notes (if desired)
- Use the encrypted storage option for ListenBrainz tokens
- Never share your API tokens
- Use session-only storage for temporary use
- Clear stored data when using shared computers
# Production
VITE_ENCRYPTION_KEY=<strong-random-32-character-key>Generate a strong key:
openssl rand -base64 32- Keep your browser updated
- Use HTTPS when deploying
- Enable Content Security Policy headers
- Review browser permissions
The provided Docker configuration includes:
- Non-root user execution
- Read-only filesystem
- Security options enabled
- Health checks
- Minimal attack surface
- AES-256 Encryption: API tokens encrypted in storage
- DOMPurify: Sanitizes user-generated content
- CSP Headers: Content Security Policy protection
- No eval(): No dynamic code execution
- HTTPS Recommended: Secure data transmission
- All processing happens client-side
- No data sent to our servers
- Optional in-memory mode
- Clear data functionality
- No tracking or analytics
- Rate limiting on all external API calls
- Retry with exponential backoff
- Error handling without exposing internals
- CORS headers properly configured
- Regular dependency updates via Dependabot
- Automated vulnerability scanning
- No known high-severity vulnerabilities
Run security audit:
npm auditFix vulnerabilities:
npm audit fixNever commit .env files to version control:
.env
.env.local
.env.productionWhen deploying, always use HTTPS:
server {
listen 443 ssl http2;
ssl_certificate /path/to/cert.pem;
ssl_certificate_key /path/to/key.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
}The included nginx.conf has CSP headers. Customize as needed:
Content-Security-Policy: default-src 'self'; script-src 'self'; ...
- Browser localStorage/IndexedDB can be accessed by browser extensions
- Client-side encryption key stored in environment variable
- Rate limiting depends on API provider headers
- CORS restrictions may limit some API calls
- No hardcoded secrets or API keys
- User input sanitized with DOMPurify
- No use of eval() or Function() constructors
- Dependencies up to date
- No SQL injection risks (all client-side)
- XSS protection implemented
- CSRF not applicable (no backend)
- Error messages don't expose internals
- Secure random number generation where needed
This application connects to:
- ListenBrainz API: Public API for music listening data
- MusicBrainz API: Public API for music metadata
- Labs API: ListenBrainz experimental APIs
These are read-only operations. Review their terms of service:
- GDPR: No personal data collected by this application
- Data Retention: User controls all data storage
- Right to Erasure: Clear data button provided
- Data Portability: Users can export their data
Security updates will be released as:
- Patch versions for minor security fixes
- Minor versions for moderate security improvements
- Major versions for significant security changes
Subscribe to releases for notifications.
We thank security researchers who responsibly disclose vulnerabilities.
For security concerns: security@yourproject.com (replace with actual contact)
For general questions: Use GitHub Issues