Please do not open a public GitHub issue for security vulnerabilities.

To report a security issue, open a GitHub Security Advisory (private disclosure).

Please include:

• A description of the vulnerability and its potential impact
• Steps to reproduce or a proof-of-concept
• Affected versions
• Any suggested fix, if you have one

• Acknowledgement within 48 hours
• Assessment and triage within 5 business days
• Fix and advisory published after a patch is ready

This policy covers the code in this repository. For security issues related to the core logic, please check the awesome-node-auth Security Policy.

• Never commit secrets (like JWT_SECRET or ADMIN_SECRET) to source control.
• Use the .env.example file as a template for your local environment.
• Always keep the awesome-node-auth dependency updated.