Security Overview
BugPin is a self-hosted bug reporting tool built with security-first defaults. Because all data is stored on your own server, its security posture is entirely under your control. This page describes the security measures built into BugPin, including API key protection, session management, input validation, and security headers.
Built-in Security Measures
API Key Protection
- Hashed Storage: API keys are stored as SHA256 hashes in the database. The full key is only displayed once when a project is created or when the key is regenerated.
- Prefix Display: After creation, only the key prefix (first 12 characters) is visible in the admin interface for identification purposes.
- Header-Only Authentication: API keys must be sent via the x-api-key HTTP header. Query parameter authentication is not supported.
Session Security
- Secure Cookies: Session cookies are configured with:
  - httpOnly: Prevents JavaScript access to cookies
  - secure: Requires HTTPS in production (when HTTPS enforcement is enabled)
  - sameSite: lax: Protects against CSRF attacks
- Configurable Duration: Session lifetime can be configured (default: 7 days)
- Automatic Expiration: Sessions are automatically invalidated after the configured duration
Password Security
- bcrypt Hashing: All user passwords are hashed using bcrypt with a high cost factor
- No Password Recovery: Passwords cannot be recovered, only reset by administrators
Rate Limiting
- Configurable Limits: Rate limiting can be configured per-minute per IP address
- Widget Protection: The widget submission endpoint is rate-limited to prevent abuse
- Header-Based Tracking: Rate limiting works correctly behind reverse proxies using x-forwarded-for headers
CORS Protection
- Origin Validation: CORS is configured to only allow requests from authorized origins
- Credentials Support: Cookie-based authentication works securely across origins
- Domain Whitelisting: Projects can be configured to only accept reports from specific domains
Input Validation
- Schema Validation: All API inputs are validated using Zod schemas
- SQL Injection Prevention: All database queries use parameterized statements
- XSS Prevention: User-generated content is sanitized before display
Security Headers
BugPin automatically sets the following security headers:
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY
- X-XSS-Protection: 1; mode=block
- Referrer-Policy: strict-origin-when-cross-origin
- Strict-Transport-Security (when HTTPS enforcement is enabled)
Data Storage
- Local Storage: All data is stored locally on your server
- No External Services: BugPin does not send data to external services (unless you configure integrations)
- File Storage: Screenshots and attachments are stored in the local filesystem
Recommended Security Practices
- Use a TLS-Terminating Reverse Proxy: Always run BugPin behind a reverse proxy (nginx, Caddy, Traefik) that handles HTTPS
- Enable HTTPS Enforcement: Once your proxy is configured, enable HTTPS enforcement in settings
- Keep Software Updated: Regularly update BugPin to get security patches
- Use Strong Passwords: Require strong passwords for all admin accounts
- Limit Admin Access: Only grant admin access to users who need it
- Configure Domain Whitelisting: Restrict which domains can submit bug reports
- Monitor Logs: Regularly review server logs for suspicious activity
Reporting Security Issues
If you discover a security vulnerability in BugPin, please report it responsibly by contacting the maintainers directly. Do not create public issues for security vulnerabilities.