This document outlines the security policy for Pico HTTP Server, including how to report vulnerabilities and what to expect.
| Version | Supported |
|---|---|
| Latest | ✅ |
| < 1.0 | ❌ |
Pico HTTP Server is a minimal HTTP server designed for development, learning, and prototyping. While we've addressed many security issues, it should NOT be used in production environments without thorough security review and hardening.
✅ Path traversal attack prevention ✅ Buffer overflow protection ✅ Format string vulnerability fixes ✅ NULL pointer dereference protection ✅ Input validation for HTTP requests ✅ Graceful shutdown handling
If you discover a security vulnerability, please report it by:
- Opening a GitHub Issue with the label "security"
- Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Response Time: We aim to respond within 48-72 hours
- Updates: You'll receive updates on the status of your report
- Fix Timeline: Varies by severity
- Critical: Immediate attention
- High: Within 1 week
- Medium: Within 2-4 weeks
- Low: Next release
- We request you allow us time to fix the issue before public disclosure
- Suggested timeline: 90 days from initial report
- We'll credit you in the security advisory unless you prefer to remain anonymous
If you choose to use Pico HTTP Server, follow these guidelines:
- Network Isolation: Run only on localhost or isolated networks
- Firewall: Use firewall rules to restrict access
- Regular Updates: Keep the codebase updated
- Code Review: Review any custom code for security issues
- Production web servers
- Internet-facing applications
- Applications handling sensitive data
- High-traffic websites
- Applications requiring authentication
Consider these additional measures:
- Reverse Proxy: Put behind nginx or Apache with security hardening
- HTTPS Termination: Use reverse proxy for TLS/SSL
- Authentication: Implement at reverse proxy level
- Rate Limiting: Implement at firewall/proxy level
- Monitoring: Set up intrusion detection
- Sandboxing: Run in a container or VM with limited privileges
- Updates: Monitor for security updates
- Audit: Conduct professional security audit
We test with:
- Valgrind: Memory leak detection
- GCC/Clang sanitizers: Address, undefined behavior detection
- Manual review: Code auditing
- Siege: Load testing
Contributors should test with:
# Compile with sanitizers
gcc -fsanitize=address,undefined -g -o server main.c httpd.c
# Memory leak check
valgrind --leak-check=full ./server 8000
# Load testing
siege -c 100 -r 10 http://localhost:8000/For urgent security issues, please use GitHub Issues with "security" label.
-
Path Traversal (Critical)
- Status: Fixed
- Description: Could access files outside public directory
- Fix: Added path validation with
is_path_safe()
-
Buffer Overflow (High)
- Status: Fixed
- Description: Writing past buffer when
rcvd == BUF_SIZE - Fix: Added bounds checking
-
Format String (High)
- Status: Fixed
- Description: Payload could contain format specifiers
- Fix: Use
fwrite()instead ofprintf()with user data
-
NULL Pointer Dereference (Medium)
- Status: Fixed
- Description:
strtok()results used without checking - Fix: Added NULL checks throughout parsing
-
Race Condition (Medium)
- Status: Fixed
- Description: Parent closing socket while child using it
- Fix: Only child closes client socket
-
Memory Leak (Low)
- Status: Fixed
- Description: Shared memory not freed on shutdown
- Fix: Added cleanup handler with
munmap()
We appreciate responsible disclosure from security researchers. Contributors will be acknowledged in:
- CHANGELOG.md
- Security advisories
- Project credits (unless you prefer anonymity)
This security policy is licensed under CC0 1.0 Universal.