DeltaForge stores all credentials in a .env file that is excluded from version control via .gitignore. Credentials are never logged, committed, or exposed through the dashboard API.
Never commit:
.envfiles containing real credentials- API keys, tokens, or passwords in source code
- Database files containing trade data
The dashboard binds to 127.0.0.1 (localhost only) by default. If you need remote access:
- Set
DASHBOARD_API_TOKENin.envto require authentication for mutating endpoints. - Set
DASHBOARD_CORS_ORIGINSto restrict allowed origins. - Use a reverse proxy (e.g., nginx) with TLS for production deployments.
If you discover a security vulnerability, please report it responsibly:
- Do not open a public GitHub issue.
- Email the maintainers with a description of the vulnerability.
- Include steps to reproduce if possible.
- Allow reasonable time for a fix before public disclosure.
We will acknowledge receipt within 48 hours and aim to release a fix within 7 days for critical issues.
| Version | Supported |
|---|---|
| 2.x | Yes |
| < 2.0 | No |