Security

Security is a top priority for Goiabada. This page covers security practices and how to report vulnerabilities.

If you discover a security issue, please report it via email to [email protected].

We’re very thankful to Adrean Boyadzhiev from Lambda Bit, who provided a security assessment and consultancy for Goiabada. Adrean’s work focused on an earlier version (0.0.3), and while much has changed since, his insights were invaluable.

If you’re looking for a security expert, we recommend reaching out to Adrean.

Goiabada includes several built-in security features:

  • PKCE support - Configurable PKCE enforcement at global and per-client levels, protecting against code interception attacks. PKCE is required by default (OAuth 2.1 recommendation).
  • Two-factor authentication - Optional or mandatory 2FA using TOTP
  • Rate limiting - Configurable rate limiting on sensitive endpoints (login, OTP verification, password reset)
  • Session management - Configurable session timeouts with idle and absolute expiration
  • Short-lived access tokens - Default 5-minute expiration to limit exposure
  • Refresh token rotation - Each refresh token can only be used once
  • Signed JWTs - All tokens are cryptographically signed
  • Secure flag - Cookies marked as secure in production (HTTPS only)
  • HttpOnly flag - Cookies not accessible via JavaScript
  • SameSite attribute - Protection against CSRF attacks
  • CORS configuration - Explicit web origin configuration required for JavaScript clients
  • Proxy header trust - Must be explicitly enabled to prevent IP spoofing
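
The PKCE enforcement listed above, shown as an added Go example that is not Goiabada's own code: the client-side verifier and S256 challenge derivation from RFC 7636, and the token-endpoint check that rejects a missing challenge, the weak `plain` method, or a verifier that does not match. Function names (`GenerateVerifier`, `ChallengeS256`, `VerifyPKCE`) are assumptions made for this illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// GenerateVerifier returns a 43-character code_verifier: 32 random bytes, base64url without padding (RFC 7636 section 4.1).
func GenerateVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// ChallengeS256 derives code_challenge = BASE64URL(SHA256(code_verifier)) (RFC 7636 section 4.2).
func ChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyPKCE is the token-endpoint check (illustrative, not Goiabada's implementation): it recomputes the
// challenge from the verifier the client presents and compares it in constant time with the challenge stored
// when the code was issued. With PKCE enforced, a missing challenge and the "plain" method are both rejected.
func VerifyPKCE(storedChallenge, storedMethod, presentedVerifier string) error {
	if storedChallenge == "" {
		return errors.New("pkce required: authorization request carried no code_challenge")
	}
	if storedMethod != "S256" {
		return fmt.Errorf("pkce: unsupported code_challenge_method %q", storedMethod)
	}
	if l := len(presentedVerifier); l < 43 || l > 128 {
		return errors.New("pkce: code_verifier length out of range")
	}
	if subtle.ConstantTimeCompare([]byte(ChallengeS256(presentedVerifier)), []byte(storedChallenge)) != 1 {
		return errors.New("pkce: code_verifier does not match code_challenge")
	}
	return nil
}

func main() {
	v, _ := GenerateVerifier()
	c := ChallengeS256(v) // the challenge travels in the authorization request; the verifier stays with the client
	fmt.Println("matching verifier:", VerifyPKCE(c, "S256", v))
	fmt.Println("plain method:", VerifyPKCE(c, "plain", v))
}
```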