We support security updates for the following versions:
| Version | Supported |
|---|---|
| 3.x.x | ✅ Active support |
| 2.x.x | |
| < 2.0 | ❌ No longer supported |
We take security seriously. If you discover a security vulnerability, please follow these steps:
DO NOT create a public GitHub issue for security vulnerabilities.
Instead, please:
- Email us privately at [[email protected]] with details
- Include "SECURITY" in the subject line
- Provide a detailed description of the vulnerability
- Include steps to reproduce (if applicable)
- Suggest a fix (if you have one)
Please include the following information:
- Description of the vulnerability
- Impact assessment (who is affected, how severe)
- Steps to reproduce the vulnerability
- Proof of concept code (if applicable)
- Suggested fix or mitigation
- Your contact information for follow-up
We will acknowledge your report within 48 hours and provide a detailed response within 7 days indicating:
- Confirmation of the vulnerability
- Our planned timeline for a fix
- Any immediate workarounds or mitigations
When contributing to this project, please consider:
- Never commit API keys, tokens, or secrets
- Use environment variables for sensitive configuration
- Review `.env.example` for required variables
- Ensure `.env` files are in `.gitignore`
- All user inputs must be validated with Zod schemas
- Sanitize data before database operations
- Validate webhook signatures (especially Stripe)
- Use parameterized queries for database operations
- Properly validate PocketBase authentication tokens
- Implement proper error handling without exposing sensitive info
- Use secure defaults for all configuration options
- Follow principle of least privilege
- Verify TLS certificates on all external API calls; never disable certificate validation, even in development
- Implement proper timeout and retry logic
- Handle rate limiting appropriately
- Store credentials securely
- SQL/filter injection: Never concatenate user input into PocketBase filter strings; use the SDK's parameterized `pb.filter()` helper and built-in query builders
- XSS: Sanitize any user-generated content
- CSRF and forged requests: Validate webhook signatures and authentication tokens on every state-changing request
- Information Disclosure: Don't log sensitive data
- Insecure Dependencies: Keep dependencies updated
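The following is an added example, not code from the Advanced PocketBase MCP Server project. It shows the filter-injection point from the list above: splicing a tool argument into a PocketBase filter string lets the caller rewrite the expression, while placeholder substitution keeps the expression fixed. The `buildFilter()` helper here mirrors the escaping performed by `pb.filter(expr, params)` in the PocketBase JS SDK (0.20 and later) so the example runs without the SDK installed; in project code call the SDK helper itself. The field names `owner` and `title` are assumptions for illustration.

```javascript
// Added example, not project code. Mirrors the escaping of the PocketBase JS SDK's
// pb.filter(expr, params); use the SDK helper in real code.

// VULNERABLE: user-controlled text lands inside the filter grammar unescaped.
function buildOwnerFilterUnsafe(ownerId, userTitle) {
  return `owner = '${ownerId}' && title ~ '${userTitle}'`;
}

// Render one parameter as a PocketBase filter literal.
function quoteFilterValue(val) {
  switch (typeof val) {
    case "boolean":
    case "number":
      return String(val);
    case "string":
      // Single quotes delimit string literals in PocketBase filters; escape them.
      return `'${val.replace(/'/g, "\\'")}'`;
    default:
      if (val === null) return "null";
      if (val instanceof Date) return `'${val.toISOString().replace("T", " ")}'`;
      // Arrays and objects are serialized to JSON and quoted like a string.
      return `'${JSON.stringify(val).replace(/'/g, "\\'")}'`;
  }
}

// HARDENED: the expression is fixed; values arrive through {:name} placeholders.
// A single regex pass means a value that itself contains "{:x}" is never
// re-expanded (a sequential replaceAll per key would re-scan substituted text).
function buildFilter(expr, params) {
  return expr.replace(/\{:(\w+)\}/g, (_match, key) => {
    if (!Object.prototype.hasOwnProperty.call(params, key)) {
      throw new Error(`missing filter parameter: ${key}`);
    }
    return quoteFilterValue(params[key]);
  });
}

function buildOwnerFilter(ownerId, userTitle) {
  return buildFilter("owner = {:owner} && title ~ {:title}", {
    owner: ownerId,
    title: userTitle,
  });
}

// Constructed malicious tool input: closes the string literal and appends an
// alternative branch, so the owner restriction no longer governs the whole filter.
const INJECTED_TITLE = "' || title != '";

console.log("unsafe:   ", buildOwnerFilterUnsafe("user_1", INJECTED_TITLE));
// owner = 'user_1' && title ~ '' || title != ''
console.log("hardened: ", buildOwnerFilter("user_1", INJECTED_TITLE));
// owner = 'user_1' && title ~ '\' || title != \''
```

In the hardened output the injected quote is escaped and the whole attacker string stays inside one literal; the `||` is data, not an operator.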
```bash
# Use strong, unique values
POCKETBASE_ADMIN_PASSWORD=use-a-strong-password
STRIPE_SECRET_KEY=sk_test_...          # Use test keys for development
STRIPE_WEBHOOK_SECRET=whsec_...        # Required for webhook security

# Restrict access
POCKETBASE_URL=http://localhost:8090   # Don't expose publicly without auth
```
- Use strong admin passwords
- Enable HTTPS in production
- Configure proper CORS settings
- Regularly backup your database
- Keep PocketBase updated
- Use environment-specific API keys
- Validate all webhook signatures
- Never expose secret keys in client-side code
- Monitor for suspicious activity
- Use Stripe's test mode for development
- Use app-specific passwords for SMTP
- Configure SPF, DKIM, and DMARC records
- Validate email addresses before sending
- Implement rate limiting for email sending
- Monitor for bounce rates and spam reports
- MCP servers have access to sensitive operations
- Ensure proper authentication between client and server
- Validate all tool parameters thoroughly
- Limit access to production environments
- Stripe: Webhook endpoints should validate signatures
- Email: SMTP credentials should be stored securely
- PocketBase: Admin tokens should be protected
- External APIs: Rate limiting and timeout handling
We recommend monitoring for:
- Failed authentication attempts
- Unusual API usage patterns
- Webhook signature validation failures
- Database access anomalies
- Email sending volume spikes
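As an added example (not part of the project), here is a minimal detector for two of the signals listed above, failed authentication bursts and webhook signature failures, run over constructed JSON-lines log records. The record fields (`ts`, `event`, `source`, `outcome`) and the event names are assumptions for this example; adapt them to whatever the server actually logs.

```javascript
// Added example, not project code. Log lines below are constructed; the field
// names and event names are assumptions, not the server's real log schema.
const SAMPLE_LOGS = [
  '{"ts":"2024-05-01T10:00:00Z","event":"auth.login","source":"203.0.113.7","outcome":"failure"}',
  '{"ts":"2024-05-01T10:00:05Z","event":"auth.login","source":"203.0.113.7","outcome":"failure"}',
  '{"ts":"2024-05-01T10:00:09Z","event":"auth.login","source":"198.51.100.4","outcome":"success"}',
  '{"ts":"2024-05-01T10:00:12Z","event":"auth.login","source":"203.0.113.7","outcome":"failure"}',
  '{"ts":"2024-05-01T10:00:20Z","event":"webhook.stripe","source":"192.0.2.10","outcome":"signature_invalid"}',
  '{"ts":"2024-05-01T10:00:25Z","event":"auth.login","source":"203.0.113.7","outcome":"failure"}',
  '{"ts":"2024-05-01T10:00:31Z","event":"auth.login","source":"203.0.113.7","outcome":"failure"}',
  '{"ts":"2024-05-01T10:00:40Z","event":"webhook.stripe","source":"192.0.2.10","outcome":"signature_invalid"}',
  '{"ts":"2024-05-01T10:05:00Z","event":"auth.login","source":"198.51.100.4","outcome":"failure"}',
  '{"ts":"2024-05-01T10:09:00Z","event":"auth.login","source":"198.51.100.4","outcome":"failure"}',
  "not json at all",
];

// Parse JSON lines, skipping malformed records and records without a usable timestamp.
function parseLogLines(lines) {
  const events = [];
  for (const line of lines) {
    try {
      const rec = JSON.parse(line);
      const ms = Date.parse(rec.ts);
      if (Number.isFinite(ms)) events.push({ ...rec, tsSec: Math.floor(ms / 1000) });
    } catch {
      // malformed line: ignore, a real pipeline would count these too
    }
  }
  return events;
}

// Flag any source with >= threshold failed logins inside a sliding window.
// Two-pointer scan per source keeps this linear in the number of failures.
function detectFailedAuthBursts(events, { threshold = 5, windowSec = 60 } = {}) {
  const bySource = new Map();
  for (const e of events) {
    if (e.event !== "auth.login" || e.outcome !== "failure") continue;
    if (!bySource.has(e.source)) bySource.set(e.source, []);
    bySource.get(e.source).push(e.tsSec);
  }
  const alerts = [];
  for (const [source, times] of bySource) {
    times.sort((a, b) => a - b);
    let start = 0, peak = 0, peakEnd = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowSec) start++;
      const count = end - start + 1;
      if (count > peak) { peak = count; peakEnd = end; }
    }
    if (peak >= threshold) {
      alerts.push({ source, count: peak, lastSeen: new Date(times[peakEnd] * 1000).toISOString() });
    }
  }
  return alerts;
}

// Signature failures are low-volume in normal operation; any non-zero count
// is worth a look, a burst suggests someone probing the webhook endpoint.
function countSignatureFailures(events) {
  return events.filter((e) => e.event === "webhook.stripe" && e.outcome === "signature_invalid").length;
}

const events = parseLogLines(SAMPLE_LOGS);
console.log("failed-auth bursts:", detectFailedAuthBursts(events));
console.log("webhook signature failures:", countSignatureFailures(events));
```

On the constructed input, 203.0.113.7 accumulates five failures in 31 seconds and is flagged, while 198.51.100.4's two failures several minutes apart stay below the threshold.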
- Security patches will be released as soon as possible
- Critical vulnerabilities will be disclosed after fixes are available
- Users will be notified via GitHub releases and security advisories
- Changelogs will clearly mark security-related changes
We appreciate security researchers who help improve our project:
- Responsible disclosure will be acknowledged in release notes
- Severe vulnerabilities may be eligible for recognition
- We welcome collaboration on security improvements
- Security Email: [[email protected]]
- General Issues: GitHub Issues (for non-security bugs)
- Discussions: GitHub Discussions
Thank you for helping keep Advanced PocketBase MCP Server secure! 🔒