Skip to content

Security: DynamicEndpoints/advanced-pocketbase-mcp-server

Security

SECURITY.md

Security Policy

Supported Versions

We support security updates for the following versions:

Version Supported
3.x.x ✅ Active support
2.x.x ⚠️ Critical fixes only
< 2.0 ❌ No longer supported

Reporting a Vulnerability

We take security seriously. If you discover a security vulnerability, please follow these steps:

🚨 For Critical Security Issues

DO NOT create a public GitHub issue for security vulnerabilities.

Instead, please:

  1. Email us privately at [[email protected]] with details
  2. Include "SECURITY" in the subject line
  3. Provide a detailed description of the vulnerability
  4. Include steps to reproduce (if applicable)
  5. Suggest a fix (if you have one)

📋 What to Include

Please include the following information:

  • Description of the vulnerability
  • Impact assessment (who is affected, how severe)
  • Steps to reproduce the vulnerability
  • Proof of concept code (if applicable)
  • Suggested fix or mitigation
  • Your contact information for follow-up

⏱️ Response Timeline

We will acknowledge your report within 48 hours and provide a detailed response within 7 days indicating:

  • Confirmation of the vulnerability
  • Our planned timeline for a fix
  • Any immediate workarounds or mitigations

🛡️ Security Considerations for Contributors

When contributing to this project, please consider:

API Keys and Secrets

  • Never commit API keys, tokens, or secrets
  • Use environment variables for sensitive configuration
  • Review .env.example for required variables
  • Ensure .env files are in .gitignore

Input Validation

  • All user inputs must be validated with Zod schemas
  • Sanitize data before database operations
  • Validate webhook signatures (especially Stripe)
  • Use parameterized queries for database operations

Authentication & Authorization

  • Properly validate PocketBase authentication tokens
  • Implement proper error handling without exposing sensitive info
  • Use secure defaults for all configuration options
  • Follow principle of least privilege

Third-Party Services

  • Verify SSL/TLS for all external API calls
  • Implement proper timeout and retry logic
  • Handle rate limiting appropriately
  • Store credentials securely

Common Vulnerabilities to Avoid

  • SQL Injection: Use PocketBase's built-in query builders
  • XSS: Sanitize any user-generated content
  • CSRF: Validate webhook signatures and tokens
  • Information Disclosure: Don't log sensitive data
  • Insecure Dependencies: Keep dependencies updated

🔒 Security Best Practices for Users

Environment Configuration

# Use strong, unique values
POCKETBASE_ADMIN_PASSWORD=use-a-strong-password
STRIPE_SECRET_KEY=sk_test_... # Use test keys for development
STRIPE_WEBHOOK_SECRET=whsec_... # Required for webhook security

# Restrict access
POCKETBASE_URL=http://localhost:8090 # Don't expose publicly without auth

PocketBase Security

  • Use strong admin passwords
  • Enable HTTPS in production
  • Configure proper CORS settings
  • Regularly backup your database
  • Keep PocketBase updated

Stripe Security

  • Use environment-specific API keys
  • Validate all webhook signatures
  • Never expose secret keys in client-side code
  • Monitor for suspicious activity
  • Use Stripe's test mode for development

Email Security

  • Use app-specific passwords for SMTP
  • Configure SPF, DKIM, and DMARC records
  • Validate email addresses before sending
  • Implement rate limiting for email sending
  • Monitor for bounce rates and spam reports

🚨 Known Security Considerations

MCP Protocol

  • MCP servers have access to sensitive operations
  • Ensure proper authentication between client and server
  • Validate all tool parameters thoroughly
  • Limit access to production environments

Service Integrations

  • Stripe: Webhook endpoints should validate signatures
  • Email: SMTP credentials should be stored securely
  • PocketBase: Admin tokens should be protected
  • External APIs: Rate limiting and timeout handling

📊 Security Monitoring

We recommend monitoring for:

  • Failed authentication attempts
  • Unusual API usage patterns
  • Webhook signature validation failures
  • Database access anomalies
  • Email sending volume spikes

🔄 Security Updates

  • Security patches will be released as soon as possible
  • Critical vulnerabilities will be disclosed after fixes are available
  • Users will be notified via GitHub releases and security advisories
  • Changelogs will clearly mark security-related changes

🏆 Security Recognition

We appreciate security researchers who help improve our project:

  • Responsible disclosure will be acknowledged in release notes
  • Severe vulnerabilities may be eligible for recognition
  • We welcome collaboration on security improvements

📞 Contact Information

  • Security Email: [[email protected]]
  • General Issues: GitHub Issues (for non-security bugs)
  • Discussions: GitHub Discussions

🔗 Additional Resources


Thank you for helping keep Advanced PocketBase MCP Server secure! 🔒

There aren’t any published security advisories