Skip to content

Security: melonask/challenge

Security

SECURITY.md

Security Policy

Supported versions

Only the latest released version is supported with security fixes.

Reporting a vulnerability

Please report suspected vulnerabilities privately through GitHub Security Advisories, or by emailing the maintainer listed in the repository.

Do not publish a public issue for a suspected vulnerability until maintainers have had a reasonable opportunity to investigate and release a fix.

Production guidance

  • Always sign challenges with ALTCHA_HMAC_SECRET.
  • Use short expirations, for example 5 to 10 minutes.
  • Store used challenge signatures/nonces server-side and reject replays.
  • Bind challenge metadata to the expected action, for example --data action=register.
  • Never trust challenge fields submitted by the browser unless verify or verify-payload succeeds.

There aren't any published security advisories