PixelForge is actively maintained from the repository's master branch. Security fixes are generally applied to the latest version; older commits, forks, or private deployments may not receive separate patches.
Report suspected vulnerabilities privately instead of opening a public issue with exploit details.
Include:
- A clear description
- Reproduction steps
- Affected component, route, page, or file
- Potential impact
- Relevant screenshots, logs, or proof-of-concept details
- A suggested fix, when available
Avoid public disclosure until the issue has been reviewed and addressed.
Examples include:
- Authentication or authorization bypass
- Unsafe upload or file-type validation bypass
- Signed URL exposure or misuse
- Secret, token, or credential leakage
- Cloudflare Turnstile bypass in production
- Missing production Turnstile configuration being accepted
- Proxy/IP trust issues or spoofable forwarded headers
- Rate-limit or usage-limit bypass
- Path traversal, unsafe filenames, SSRF, or XSS
- Exposure of uploaded images, result URLs, logs, or environment values
General bugs without security impact, UI layout issues, missing documentation, dependency suggestions without a known vulnerability, and local-only misconfiguration can be reported through regular GitHub issues.
PixelForge uses:
- Fresh Cloudflare Turnstile verification for every AI job initialization and feedback submission
- Production fail-closed behavior when the Turnstile secret is missing
- A development-only manual bypass that must be explicitly enabled
- SlowAPI endpoint rate limits and per-feature rolling usage limits
- Fail-closed client-IP resolution: forwarded headers are ignored unless proxy trust is enabled and the direct proxy belongs to an explicit CIDR
- Signed, short-lived Azure Blob URLs for upload and result access
- File validation for type, byte size, resolution, and image structure
- Safe generated filenames and controlled temporary-storage cleanup
- Backend-only provider credentials and cloud secrets
The application-level Cloudflare check does not firewall the origin. Deployments requiring Cloudflare-only access must also restrict direct origin traffic at the network or hosting layer.
Current daily usage identity is IP-based. Users behind the same NAT, carrier network, or managed reverse proxy may share a quota; this is a documented limitation rather than an authentication guarantee.
Never commit:
.envfiles- API or provider tokens
- Database URLs
- Azure connection strings
- Cloudflare secrets
- Discord webhook URLs
- Private keys
- Generated logs containing sensitive data or signed URLs
- User-uploaded private images
Use .env.example for names and safe placeholders only. Rotate any secret immediately if exposed.
After a report is received:
- The maintainer reviews and reproduces the issue.
- Impact and affected versions are assessed.
- A focused fix and verification steps are prepared.
- The fix is merged or released.
- Public disclosure may occur after users have had a reasonable opportunity to update.
Act in good faith and do not access, modify, or delete data that does not belong to you.
Thank you for helping keep PixelForge safe.