OhMyCaptcha is currently maintained from the main branch. Security fixes will be applied there first.
Please do not open public GitHub issues for sensitive security reports.
Instead:
- Prepare a minimal reproduction or impact description.
- Include the affected version, deployment mode, and whether the issue requires authentication.
- Send the report privately through GitHub Security Advisories if available for the repository, or contact the maintainer through a private channel.
Please include as much of the following as possible:
- affected endpoint or component
- reproduction steps
- expected vs actual behavior
- logs or screenshots with secrets removed
- whether the issue is exploitable remotely or only in a local/self-hosted setup
This repository is designed for public use. Do not include any of the following in issues, pull requests, screenshots, or sample files:
- API keys
- access tokens
- cookies
- private model endpoints
- customer URLs
- personally identifying data
If you deploy OhMyCaptcha publicly:
- store secrets in environment variables or your hosting platform's secret manager
- avoid committing `.env` files
- rotate keys if they were ever exposed in logs or history
- consider placing the service behind your own authentication, rate limiting, and monitoring layers