If you discover a security vulnerability in StackForge, please report it responsibly:
- Do not open a public GitHub issue for security vulnerabilities.
- Email the maintainers directly or use GitHub's private vulnerability reporting feature.
- Include a clear description, steps to reproduce, and potential impact.
We aim to acknowledge reports within 48 hours and provide a fix within 7 days for critical issues.
This project implements the following security controls:
- API key authentication via
STACKFORGE_API_KEYenvironment variable - When set, all endpoints (except
/api/runtimeand/healthz) require a valid key - Keys can be passed via
Authorization: Bearer <key>orX-API-Key: <key>headers - Constant-time comparison to prevent timing attacks
- HSTS headers enforced in production (1 year, includeSubDomains, preload)
- Automatic HTTP→HTTPS redirect in production
trust proxyconfigured for reverse proxy deployments
- All request bodies validated with Zod schemas
- Request body size limits: 2MB global, 64KB for generation endpoints
- GitHub token format validation (must match known PAT prefixes)
- Repository name validation against GitHub naming rules
- File path traversal protection for GitHub push operations
- Prototype pollution protection on user-supplied JSON
- General: 100 requests per 15 minutes per IP
- Generation endpoints: 10 requests per 15 minutes per IP
- GitHub push: 5 requests per 15 minutes per IP
- Origins restricted to configured allowlist (
CORS_ALLOWED_ORIGINSenv var) - No wildcard
*origins
- Content-Security-Policy
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY
- Strict-Transport-Security
- X-XSS-Protection
- Referrer-Policy
default-src 'self'script-src 'self'style-src 'self' 'unsafe-inline' https://fonts.googleapis.comfont-src 'self' https://fonts.gstatic.comconnect-src 'self'frame-ancestors 'none'
- In-memory job store: max 200 entries, 1-hour TTL for completed jobs
- Telemetry store: max 200 entries, 1-hour TTL
- Agent cache: max 500 entries, 30-minute TTL
- SSE connections: max 20 per job, 200 total, 30-minute timeout
- ZIP generation: max 500 files, 10MB output limit
- Production errors are sanitized — no stack traces or internal details exposed
- Known safe error patterns are allowlisted for client exposure
- All errors logged with request ID for correlation
- Unique
X-Request-Idassigned to every request - Request IDs propagated to error logs for tracing
- GitHub tokens redacted in all log output
| Variable | Purpose | Required |
|---|---|---|
STACKFORGE_API_KEY |
API authentication key | No (auth disabled if empty) |
CORS_ALLOWED_ORIGINS |
Comma-separated allowed origins | No (defaults to localhost) |
NODE_ENV |
Environment mode (production enables stricter security) |
Recommended |
OPENROUTER_API_KEY_* |
LLM provider keys | Yes (for non-mock mode) |
NVIDIA_API_KEY_* |
Codegen provider keys | Optional |
- Always set
NODE_ENV=productionin production deployments - Set
STACKFORGE_API_KEYto a strong random value - Configure
CORS_ALLOWED_ORIGINSto your actual frontend domain - Use HTTPS — deploy behind a reverse proxy (nginx, Cloudflare, etc.)
- Rotate API keys regularly, especially if they may have been exposed
- Never commit
.envfiles — use secrets management (Vault, AWS SSM, etc.) - Monitor rate limit headers (
RateLimit-*) for abuse detection