PixelForge is actively maintained from the main branch of the repository.
Security fixes are generally applied to the latest version of the project. Older commits, forks, or private deployments may not receive separate security patches.
If you believe you found a security vulnerability in PixelForge, please report it privately instead of opening a public issue.
Please include:
- A clear description of the vulnerability
- Steps to reproduce the issue
- Affected component, route, page, or file
- Potential impact
- Any relevant screenshots, logs, or proof-of-concept details
- Suggested fix, if you have one
Please avoid sharing exploit details publicly until the issue has been reviewed and addressed.
Please report issues such as:
- Authentication or authorization bypass
- Unsafe file upload behavior
- File type spoofing bypass
- Signed URL exposure or misuse
- Secret, token, or credential leakage
- Cloudflare Turnstile bypass in production
- Proxy/IP trust issues
- Rate-limit or usage-limit bypass
- Path traversal or unsafe filename handling
- Server-side request forgery
- Cross-site scripting
- Data exposure involving uploaded images, result URLs, logs, or environment variables
The following usually do not require a private security report:
- General bugs without security impact
- UI layout issues
- Missing documentation
- Dependency update suggestions without a known vulnerability
- Local development misconfiguration that does not affect production
These can be reported through regular GitHub issues.
PixelForge uses several security measures:
- Cloudflare Turnstile verification before AI job initialization
- Rate limiting for API endpoints
- Per-feature usage limits
- Signed Azure Blob URLs for upload and result access
- File validation for type, size, and image structure
- Safe generated filenames
- Temporary storage lifecycle and cleanup
- Backend-only provider tokens and cloud credentials
- Environment validation for sensitive runtime settings
Do not commit:
.envfiles- API tokens
- Database URLs
- Azure connection strings
- Replicate tokens
- Cloudflare secrets
- Discord webhook URLs
- Private keys
- Generated logs containing sensitive data
Use example files such as .env.example when documenting required variables.
After a vulnerability is reported:
- The maintainer will review the report.
- The issue will be reproduced and assessed.
- A fix will be prepared when needed.
- The fix will be released or merged.
- Public disclosure can happen after users have had a reasonable chance to update.
Please act in good faith and avoid accessing, modifying, or deleting data that does not belong to you.
Thank you for helping keep PixelForge safe.