Security status of caddy-security?

caddy-security is a great all-in-one solution for offering an authentication portal. What’s a bit concerning is that there is a list of open security vulnerabilities for 10 months already that don’t seem to get any attention, see this overview issue I submitted: Status of security vulnerabilities? · Issue #349 · greenpau/caddy-security · GitHub

It seems @greenpau is doing all the hard FOSS work as a mostly single maintainer so I can see why it would be quite some work to fix all this. But for a security-focused add-on I’m wondering if it could reasonably be trusted to secure sensitive information.

Are there any users of caddy-security who are able to reflect on the status of these vulnerabilities?

Some of those “vulnerabilities” are really just normal bugs. A panic during an HTTP request, for example, won’t bring down the whole server; it’ll just invalidate the malicious or malformed request that caused it.

I’d say that it’s worth using if your company can support its development – like any piece of software that you’d normally pay for. I believe @greenpau accepts sponsorships: