Security

docs/SECURITY.md

Security Policy

Supported versions

Security fixes are applied to the latest version in the default branch.

Reporting a vulnerability

Please do not open public issues for security vulnerabilities.

Report privately to the maintainer with:

A clear description of the issue
Steps to reproduce
Impact assessment
Any suggested fix

You can expect:

Acknowledgement within 72 hours
Ongoing status updates
Credit in release notes (if desired) after the fix is published

Security controls in this project

Request body size limits (MAX_BODY_BYTES)
Per-client rate limiting for POST /shorten
URL scheme validation (http/https)
Request timeouts
Graceful shutdown and dependency cleanup

There aren’t any published security advisories