Open Search MCP takes security seriously. This document outlines our security practices, vulnerability reporting process, and security guidelines for users and contributors.
DO NOT create public GitHub issues for security vulnerabilities.
Instead, please report security vulnerabilities by:
- Email: Send details to [[email protected]] (replace with actual email)
- GitHub Security Advisory: Use GitHub's private vulnerability reporting feature
- Encrypted Communication: Use PGP key [KEY_ID] for sensitive reports
Please include the following information in your report:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Suggested fix (if available)
- Your contact information
- Acknowledgment: Within 24 hours
- Initial Assessment: Within 72 hours
- Status Updates: Weekly until resolved
- Resolution: Target 30 days for critical issues
- Environment Variables: All API keys must be stored in environment variables
- No Hardcoding: Never hardcode API keys in source code
- Rotation: Regularly rotate API keys
- Monitoring: Monitor API key usage for suspicious activity
- Schema Validation: All inputs are validated against strict schemas
- Sanitization: User inputs are sanitized to prevent injection attacks
- Rate Limiting: API calls are rate-limited to prevent abuse
- Size Limits: Request payloads have size limitations
- Non-root User: Containers run as non-root user (UID 1000)
- Read-only Filesystem: Containers use read-only filesystems where possible
- No New Privileges: Security option
no-new-privileges:trueis enabled - Minimal Attack Surface: Only necessary ports are exposed
- Restricted Networks: Docker networks use specific subnets
- Internal Communication: Services communicate over internal networks
- TLS Encryption: All external communications use TLS
- CORS Protection: Strict CORS policies are enforced
Required security-related environment variables:
# Session and JWT secrets (generate with: openssl rand -hex 32)
SESSION_SECRET=your_very_long_random_session_secret_here
JWT_SECRET=your_jwt_secret_key_here
ENCRYPTION_KEY=your_encryption_key_here
# Docker deployment secrets
SEARXNG_SECRET=your_very_long_searx_secret_key_here
GRAFANA_PASSWORD=your_secure_grafana_password_here
REDIS_PASSWORD=your_redis_password_here
# CORS and security headers
CORS_ORIGINS=https://yourdomain.com
CSP_ENABLED=trueApply these security configurations to all containers:
security_opt:
- no-new-privileges:true
user: "1000:1000"
read_only: true
tmpfs:
- /tmp:noexec,nosuid,size=100m- All API keys are stored in environment variables
- Default passwords have been changed
- Security headers are configured
- CORS origins are restricted
- Rate limiting is enabled
- Logging is configured securely
- Container security options are applied
- Network access is restricted
- TLS certificates are valid
- Dependency vulnerabilities are scanned
- API keys are rotated quarterly
- Dependencies are updated monthly
- Security logs are reviewed weekly
- Access permissions are audited monthly
- Backup encryption keys are tested
- Incident response plan is updated
- Never commit API keys to version control
- Don't use default passwords in production
- Avoid running containers as root
- Don't disable security features for convenience
- Never log sensitive data (API keys, passwords, tokens)
- Don't ignore security warnings from dependencies
- Avoid overly permissive CORS settings
Security-relevant events that are logged:
- Authentication attempts
- API key usage
- Rate limit violations
- Input validation failures
- Container security events
- Network access attempts
Set up alerts for:
- Multiple failed authentication attempts
- Unusual API usage patterns
- Container security violations
- High error rates
- Suspicious network activity
- Dependency Scanning:
npm audit, Snyk, or GitHub Dependabot - Container Scanning: Docker Scout, Trivy, or Clair
- Static Analysis: ESLint security plugins, SonarQube
- Runtime Protection: Falco for container runtime security
- Secret Scanning: GitLeaks, TruffleHog
Regular security testing should include:
- Dependency vulnerability scans
- Container image scans
- Static code analysis
- Input validation testing
- Authentication testing
- Authorization testing
- OWASP Security Training
- Container Security Training
- API Security Best Practices
This security policy is reviewed and updated:
- Quarterly: Regular review and updates
- After Incidents: Updates based on lessons learned
- Technology Changes: Updates when adopting new technologies
For security-related questions or concerns:
- Security Team: [email protected]
- General Contact: [email protected]
- Emergency: Use GitHub Security Advisory for urgent issues
Last Updated: [Current Date] Version: 1.0 Next Review: [Date + 3 months]