If you discover a security vulnerability in Chirp, please report it responsibly.
Do not open a public GitHub issue for security vulnerabilities.
Instead, please email: lbeezr@icloud.com
You will receive an acknowledgment within 48 hours and a detailed response within 5 business days.
| Version | Supported |
|---|---|
| 0.3.x | Yes |
| 0.2.x | Yes |
| < 0.2 | No |
Chirp includes built-in security features:
- CSRF protection via `CSRFMiddleware` (enabled by default with sessions)
- Security headers via `SecurityHeadersMiddleware` (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, CSP)
- Allowed hosts validation via `AllowedHostsMiddleware`
- HSTS auto-enabled in production with TLS
- CSP nonces for inline script protection
- Signed cookie sessions via `itsdangerous`
- Security audit via `chirp security-check`
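Two of the features above, signed cookie sessions and CSP nonces, are easy to get subtly wrong, so here is an added example (not Chirp's own code, and not the `itsdangerous` library itself) that re-implements the same pattern with only the standard library: the session payload is readable by the client but covered by an HMAC-SHA256 signature and a timestamp, the signature is checked in constant time before anything in the payload is trusted, and a fresh nonce is minted per response and placed both in the CSP header and on the inline `<script>` tag. All function names, the header values and the cookie layout are this example's own assumptions; Chirp's real API is not reproduced.

```python
# Added example, not Chirp's own code. It shows, with the standard
# library only, the two mechanisms the list above names: a signed
# session cookie in the style itsdangerous uses (HMAC-SHA256 over a
# base64 payload plus timestamp, signature checked before the payload
# is trusted) and a per-response CSP nonce. Function names here are
# this example's own; Chirp's real API is not reproduced.
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def generate_secret_key() -> str:
    """256 bits from the OS CSPRNG: the kind of secret_key the advice
    'set a strong secret_key in production' is asking for."""
    return secrets.token_urlsafe(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(secret_key: str, message: bytes) -> bytes:
    return hmac.new(secret_key.encode(), message, hashlib.sha256).digest()


def sign_session(data: dict, secret_key: str, now: Optional[float] = None) -> str:
    """payload.timestamp.signature; the client can read the payload
    but cannot change it without knowing secret_key."""
    payload = _b64(json.dumps(data, sort_keys=True, separators=(",", ":")).encode())
    issued = int(time.time() if now is None else now)
    stamp = _b64(issued.to_bytes(8, "big"))
    signed_part = f"{payload}.{stamp}"
    return f"{signed_part}.{_b64(_mac(secret_key, signed_part.encode()))}"


def load_session(cookie: str, secret_key: str, max_age: Optional[int] = None,
                 now: Optional[float] = None) -> Optional[dict]:
    """Return the session dict, or None if the cookie is malformed,
    tampered with, signed with another key, or older than max_age."""
    try:
        payload, stamp, sig = cookie.rsplit(".", 2)
        expected = _mac(secret_key, f"{payload}.{stamp}".encode())
        # Constant-time comparison so the check does not leak how many
        # bytes of a forged signature were right.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        if max_age is not None:
            issued = int.from_bytes(_unb64(stamp), "big")
            current = time.time() if now is None else now
            if current - issued > max_age:
                return None
        return json.loads(_unb64(payload))
    except ValueError:  # bad split, bad base64 (binascii.Error), bad JSON
        return None


def tamper_payload(cookie: str, new_data: dict) -> str:
    """What an attacker who edits the cookie in the browser produces:
    a new payload with the original timestamp and signature."""
    _, stamp, sig = cookie.rsplit(".", 2)
    new_payload = _b64(json.dumps(new_data, sort_keys=True, separators=(",", ":")).encode())
    return f"{new_payload}.{stamp}.{sig}"


def new_nonce() -> str:
    """One fresh nonce per response; never reuse it across responses."""
    return secrets.token_urlsafe(16)


def csp_header(nonce: str) -> str:
    """Policy that allows only same-origin scripts plus inline scripts
    carrying this response's nonce."""
    return (f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'self'; frame-ancestors 'none'")


def inline_script(nonce: str, body: str) -> str:
    """Inline <script> tag as it must be emitted to pass csp_header()."""
    return f'<script nonce="{nonce}">{body}</script>'


if __name__ == "__main__":
    key = generate_secret_key()
    cookie = sign_session({"user": "alice", "role": "user"}, key)
    print("valid:", load_session(cookie, key))
    forged = tamper_payload(cookie, {"user": "alice", "role": "admin"})
    print("forged role:", load_session(forged, key))
    nonce = new_nonce()
    print(csp_header(nonce))
    print(inline_script(nonce, "console.log('ok')"))
```

The forged cookie is rejected because the signature covers the payload, not because the payload is hidden; anyone can base64-decode it, so never put secrets in a signed (as opposed to encrypted) session. A nonce that is generated once at startup, or rendered into a cached page, is equivalent to no CSP at all for inline scripts.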
Recommended configuration:
- Always set a strong `secret_key` in production
- Configure `allowed_hosts` explicitly (do not use `"*"`)
- Enable HSTS when serving over TLS
- Use `chirp security-check` in your CI pipeline
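The `allowed_hosts` and HSTS recommendations both come down to a small decision that is worth seeing in code. The following is an added example, not Chirp's own middleware: it shows the weak `"*"` setting beside an explicit list, a host check that normalises case, port and trailing dot and refuses to run with a wildcard at all, and a header builder that emits `Strict-Transport-Security` only when the response really leaves over TLS. The leading-dot subdomain convention, the header values and every name below are assumptions of this example; whether Chirp's `AllowedHostsMiddleware` accepts that pattern form is not stated on this page.

```python
# Added example, not Chirp's own code: a minimal version of the two
# checks the recommendations above depend on, written as plain
# functions so they can be exercised without a server. Host matching
# follows the Django-style convention that a leading dot matches the
# domain and its subdomains; whether Chirp accepts that form is an
# assumption of this example, as are all names and values below.
from typing import Iterable, Optional

HSTS_VALUE = "max-age=31536000; includeSubDomains"

# Weak configuration beside the corrected one.
ALLOWED_HOSTS_WEAK = ["*"]                        # disables the check entirely
ALLOWED_HOSTS_GOOD = ["example.com", ".api.example.com"]


def normalize_host(host_header: str) -> str:
    """Lower-case, drop the port, drop a trailing dot; return '' for
    anything that is not a plausible host so it can never match."""
    host = host_header.strip().lower()
    if host.startswith("["):                      # IPv6 literal, e.g. [::1]:8000
        end = host.find("]")
        return host[: end + 1] if end != -1 else ""
    host = host.split(":", 1)[0].rstrip(".")
    return host if host and all(c.isalnum() or c in "-." for c in host) else ""


def host_allowed(host_header: str, allowed_hosts: Iterable[str]) -> bool:
    """True only if the Host header names one of the configured hosts."""
    patterns = [p.lower().rstrip(".") for p in allowed_hosts]
    if not patterns or "*" in patterns:
        # "*" is what the advice above says not to do: it turns the
        # middleware into a no-op and leaves Host-header poisoning open.
        raise ValueError("allowed_hosts must list the real hostnames; '*' disables the check")
    host = normalize_host(host_header)
    if not host:
        return False
    for pattern in patterns:
        if pattern.startswith("."):
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


def security_headers(scheme: str, forwarded_proto: Optional[str] = None,
                     trusted_proxy: bool = False) -> dict:
    """Static headers always; HSTS only when the response really goes
    out over TLS. X-Forwarded-Proto is believed only when the app is
    known to sit behind a proxy that sets it; otherwise any client
    could choose the effective scheme by sending the header itself."""
    headers = {
        "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "strict-origin-when-cross-origin",
    }
    effective = scheme.lower()
    if trusted_proxy and forwarded_proto:
        effective = forwarded_proto.lower()
    if effective == "https":
        headers["Strict-Transport-Security"] = HSTS_VALUE
    return headers


if __name__ == "__main__":
    for candidate in ("Example.com:443", "v1.api.example.com", "example.com.evil.net"):
        print(candidate, "->", host_allowed(candidate, ALLOWED_HOSTS_GOOD))
    print(security_headers("http"))
    print(security_headers("http", forwarded_proto="https", trusted_proxy=True))
```

Refusing to start with `"*"` rather than silently accepting every host is deliberate: a wildcard is indistinguishable from no middleware, and the failure shows up in CI rather than in a password-reset email that links to an attacker's domain. The HSTS gate matters because a `max-age` set from a request that only looked like HTTPS through a spoofed `X-Forwarded-Proto` is a policy the operator did not choose.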