Reporting a Vulnerability
If you discover a security vulnerability, please report it responsibly:
DO NOT create a public GitHub issue
Email the maintainer directly: mrconsoleka.work@gmail.com
Include detailed steps to reproduce
Allow reasonable time for a fix before public disclosure
Telegram Mini Apps Authentication
| Feature | Status | Description |
|---|---|---|
| HMAC-SHA256 Validation | ✅ | Validates initData signature |
| Replay Attack Protection | ✅ | 1 hour token expiration |
| CORS Restrictions | ✅ | Only Telegram domains allowed |
| Rate Limiting | ✅ | 100 requests/minute per IP |
| Feature | Status | Description |
|---|---|---|
| SQL Injection Protection | ✅ | SQLAlchemy ORM with parameterized queries |
| XSS Protection | ✅ | React auto-escaping + CSP headers |
| Security Headers | ✅ | X-Frame-Options, CSP, etc. via nginx |
| Feature | Status | Description |
|---|---|---|
| Non-root Container | ✅ | App runs as unprivileged user |
| Secrets Management | ✅ | Environment variables, not in code |
| Health Checks | ✅ | Docker health checks for all services |
Best Practices for Deployment
Always use HTTPS in production
Rotate bot tokens periodically
Keep dependencies updated - run npm audit and pip-audit regularly
Monitor logs for suspicious activity
Use strong passwords for database and Redis