Tensies is a hobby project, maintained in spare time. There's no security team and no support contract, but I do care about it and I'll look into anything you report. The notes below are about setting honest expectations.
Tensies is continuously deployed from main. There's no release train to pin
to: the running service is always built from the latest commit, and any fix
lands there and ships with the next deploy. Older commits and forks don't get
backported fixes.
| Version | Supported |
|---|---|
main (latest) |
✅ |
| Anything older | ❌ |
| Forks / self-hosted | ❌ |
If you self-host, run the latest main. Older checkouts may be missing the
abuse caps, origin allowlist, and security headers, and I can't support those.
Please don't open a public GitHub issue for security problems. A public report tips off attackers before there's a fix. Report it privately instead:
- GitHub Security Advisories (preferred): the Security tab → Report a vulnerability.
- Email: barkeep@tensies.app, with a subject starting with
[Tensies Security].
It helps a lot if you can include what's affected (say, the /ws handler, an
HTTP route, the Redis game store), how to reproduce it, and what the impact is.
This is a side project, so please be patient. I read reports when I can, not on a clock:
- I'll try to acknowledge your report within a week or so.
- If I can reproduce it and agree it's a real issue, I'll fix it on
mainand deploy. How fast depends on how bad it is and how much free time I have. - If I don't think it's a vulnerability, I'll tell you why. Often it's behaviour controlled by a documented config knob (see below).
- I'm happy to credit you in the fix or advisory unless you'd rather stay anonymous.
Please give me a reasonable chance to ship a fix before disclosing publicly.
Some of the hardening in Tensies is configuration-driven, so what you see on a given deployment may be the operator's choice rather than a bug:
- WS origin enforcement (
ALLOWED_ORIGINS), message-size and connection caps (MAX_WS_MESSAGE_BYTES,MAX_CONNECTIONS_PER_IP), create/join rate limits. - Bearer-gating on
/metricsand/stats(METRICS_TOKEN/STATS_TOKEN). - Security headers (CSP and HSTS) in
server/security.py. - Proxy /
X-Forwarded-Fortrust (TRUST_PROXY_HEADERS,TRUSTED_PROXY_HOPS).
A way to bypass one of those when it's correctly configured, or an unsafe default out of the box, is exactly the kind of thing worth reporting.