Spaces:
Sleeping
Sleeping
A newer version of the Gradio SDK is available: 6.20.0
Security
Supported Scope
This project is early-stage unless stated otherwise. Security expectations still apply to local development, tests, documentation, and deployment scripts.
Secret Handling
- Do not commit
.envfiles containing real values. - Use
.env.exampleto document required variables. - Never commit tokens, private keys, passwords, session cookies, or production credentials.
- Redact secrets from logs, screenshots, issues, and documentation.
Security-Sensitive Areas
Treat these changes as requiring extra review:
- Authentication and authorization.
- Database queries and migrations.
- File upload, parsing, or path handling.
- Shell command execution.
- External webhooks or callbacks.
- Dependency additions or upgrades.
- CI/CD, deployment, and infrastructure configuration.
Dependency Standard
Before adding a dependency, consider:
- Is it necessary?
- Is it actively maintained?
- Is the license acceptable?
- Does it meaningfully increase attack surface?
Reporting Issues
For private projects, report security issues directly to the repository owner. For public projects, replace this section with a private contact method or GitHub Security Advisory instructions.
Pre-Release Checklist
- No secrets are committed.
- Environment variables are documented in
.env.example. - Relevant tests pass.
- Authentication and authorization flows have been reviewed.
- Logs avoid sensitive data.
- Dependencies are reviewed for obvious risk.