| Version | Supported |
|---|---|
| 3.x | Yes |
| 2.x | No |
| 1.x | No |

Micro-interaction Lab implements 6 layers of defense-in-depth:
- Sensitive Path Blocking - Source code and config files return 404
- Security Response Headers - CSP, HSTS, X-Frame-Options, etc.
- Rate Limiting - 120 requests per 60-second window per IP
- Bot Detection - User-Agent filtering for known scrapers
- Content-Type Enforcement - Validates POST/PUT/PATCH Content-Type
- Honeypot Traps - Common attack paths silently blocked
In addition, client-side protections include right-click blocking, keyboard shortcut interception, DevTools detection, and console/DOM watermarking.
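As an added illustration, not the project's own middleware, here is a framework-agnostic sketch of three of the server-side layers above: sensitive path blocking (404), the per-IP fixed-window rate limit of 120 requests per 60 seconds (429), and Content-Type enforcement on POST/PUT/PATCH (415). The request shape `{ ip, method, path, headers }`, the blocked-path patterns and the accepted media types are assumptions.

```javascript
// Added example, not the project's own middleware. Request shape, blocked-path
// patterns and accepted media types are assumptions; the limits come from the page.
const WINDOW_MS = 60_000;   // 60-second window
const MAX_REQUESTS = 120;   // per IP per window

// Layer 1: source and config files must not be served. Patterns are illustrative.
const BLOCKED_PATHS = [/^\/\.env/, /^\/\.git(\/|$)/, /\.(ts|map|config\.js)$/];
function blockSensitivePath(req) {
  return BLOCKED_PATHS.some((re) => re.test(req.path)) ? { status: 404 } : null;
}

// Layer 3: fixed-window counter keyed by client IP. `now` is injectable so the
// behaviour is testable without sleeping. req.ip must be the real client address:
// only honour X-Forwarded-For set by a proxy you control, or a client picks its
// own bucket. Production also needs stale-bucket eviction and a shared store.
function createRateLimiter({ windowMs = WINDOW_MS, max = MAX_REQUESTS } = {}) {
  const buckets = new Map(); // ip -> { start, count }
  return function rateLimit(req, now = Date.now()) {
    let bucket = buckets.get(req.ip);
    if (!bucket || now - bucket.start >= windowMs) {
      bucket = { start: now, count: 0 };
      buckets.set(req.ip, bucket);
    }
    bucket.count += 1;
    if (bucket.count > max) {
      const retryAfter = Math.ceil((bucket.start + windowMs - now) / 1000);
      return { status: 429, headers: { 'Retry-After': String(retryAfter) } };
    }
    return null;
  };
}

// Layer 5: only body-carrying methods are checked; parameters such as charset
// are stripped before the media type is compared.
const BODY_METHODS = new Set(['POST', 'PUT', 'PATCH']);
const ALLOWED_TYPES = new Set(['application/json', 'application/x-www-form-urlencoded']);
function enforceContentType(req) {
  if (!BODY_METHODS.has(req.method)) return null;
  const mediaType = (req.headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  return ALLOWED_TYPES.has(mediaType) ? null : { status: 415 };
}

// Run the layers in order; the first verdict wins, otherwise the request proceeds.
function runChain(req, layers, now = Date.now()) {
  for (const layer of layers) {
    const verdict = layer(req, now);
    if (verdict) return verdict;
  }
  return { status: 200 };
}
```

Only the server-side layers are enforceable; the client-side measures listed after them can be switched off by the visitor and act as deterrents rather than controls.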

Please do NOT report security vulnerabilities through public GitHub issues.
Instead, please report them by:
- Opening a private security advisory on this repository
- Or emailing details to the project maintainer

Please include the following information in your report:
- Type of issue (e.g., buffer overflow, SQL injection, XSS)
- Full paths of source file(s) related to the issue
- Location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue and how an attacker might exploit it

Expected response timeline:
- Acknowledgment: Within 48 hours
- Initial assessment: Within 1 week
- Resolution: Depends on severity, typically within 2 weeks for critical issues

When contributing to this project:
- Never commit secrets, API keys, or tokens
- Always use parameterized queries for any database operations
- Validate and sanitize all user inputs
- Follow the existing security middleware chain
- Test changes against the security test suite
- Do not disable or weaken any existing security measures

When a security issue is confirmed and fixed, we will:
- Patch the vulnerability in the latest supported version
- Release a new version with the fix
- Publish a security advisory on GitHub
- Credit the reporter (unless they prefer to remain anonymous)

Thank you for helping keep Micro-interaction Lab and its users safe!