CRUDAdmin is currently in pre-1.0.0 development. During this phase, only the latest version receives security updates and patches.
| Version | Supported |
|---|---|
| Latest Release | ✅ |
| Older Versions | ❌ |
We strongly recommend always using the latest version of CRUDAdmin to ensure you have all security fixes and improvements.
We take the security of CRUDAdmin seriously. If you believe you have found a security vulnerability, please report it to us as described below.
-
Do Not disclose the vulnerability publicly until it has been addressed by our team
-
Submit the vulnerability report through one of these channels:
- Email: [email protected]
- GitHub Security Advisory: https://github.com/igorbenav/crudadmin/security/advisories/new
Please provide detailed information about the vulnerability, including:
- A clear description of the vulnerability
- Steps to reproduce the issue
- Potential impact
- Suggested fix (if available)
- Your contact information for follow-up questions
- Initial Response: Within 48 hours
- Status Update: Within 1 week
- Fix Timeline: Based on severity
- Critical: Within 7 days
- High: Within 14 days
- Medium: Within 30 days
- Low: Within 60 days
- Acknowledgment: You will receive an acknowledgment of your report within 48 hours
- Investigation: Our team will investigate the issue and determine its impact
- Updates: You will receive updates on the status of your report
- Resolution: Once resolved, you will be notified of the fix
- Public Disclosure: Coordinated disclosure after the fix is released
CRUDAdmin provides robust authentication and session management. When using CRUDAdmin, ensure:
- Use strong session backends (Redis recommended for production)
- Configure appropriate session timeouts and limits
- Enable secure cookies and HTTPS enforcement
- Implement proper password policies
- Monitor and audit admin user activities
CRUDAdmin includes built-in access control features. When configuring access:
- Define allowed IP addresses and networks
- Implement proper authorization checks
- Use HTTPS for all admin communications
- Configure rate limiting for login attempts
- Monitor and log access attempts
- Never expose sensitive data in error messages
- Implement proper logging practices
- Use HTTPS for all admin communications
- Follow data protection regulations (GDPR, CCPA, etc.)
- Implement proper data encryption at rest
- Always use the latest supported version
- Use Redis or Memcached for session management in production
- Enable HTTPS enforcement and secure cookies
- Regularly update dependencies
- Follow the principle of least privilege
- Implement proper error handling
- Use secure configuration management
- Regular security audits and testing
CRUDAdmin includes several security features:
- Multi-Backend Session Management: Memory, Redis, Memcached, Database, and Hybrid backends
- Built-in Security: CSRF protection, rate limiting, IP restrictions, HTTPS enforcement
- Session Security: Automatic expiration, concurrent session limits, device tracking
- Access Control: IP-based restrictions, network-based access control
- Event Tracking: Comprehensive audit trails for all admin actions
While CRUDAdmin implements security best practices, it's crucial to properly secure your application as a whole. This includes:
- Proper session backend configuration
- Secure environment variable management
- Monitoring and logging
- Proper database security
- Network security measures
- Regular security updates and audits
Stay informed about security updates:
- Watch the GitHub repository
- Follow our security announcements
- Subscribe to our security mailing list
- Monitor our release notes
This security policy is part of the CRUDAdmin project and is subject to the same license terms.