If you discover a security vulnerability in the MCP Documentation Server, please report it responsibly:

1. Do NOT create a public GitHub issue
2. Email security reports to: security@liquescent.dev
3. Include as much detail as possible about the vulnerability
4. We will acknowledge your report within 48 hours

• Pinned Base Images: Uses node:20.19.4-alpine3.22 with security updates
• Non-root Execution: Runs as user nodejs (UID 1001)
• Minimal Capabilities: Only essential Linux capabilities enabled
• Secret Management: Docker secrets for sensitive configuration
• Network Isolation: Localhost-only binding by default

• SSRF Protection: Blocks requests to private networks
• Input Validation: All inputs sanitized with Zod schemas
• Error Handling: Safe error messages without internal details
• Secure Logging: Sensitive data redacted from logs
• Rate Limiting: Configurable request rate limits

• Path Traversal Protection: Validates all file operations
• Restricted Permissions: Cache files created with 700 permissions
• Directory Validation: Prevents access to system directories

1. Use Docker Secrets:

   # Store GitHub tokens securely
   echo "your_token" > secrets/github_token.txt
   chmod 600 secrets/github_token.txt

2. Bind to Localhost Only:

   # docker-compose.yml
   ports:
     - "127.0.0.1:3000:3000"  # Not "3000:3000"

3. Regular Updates:

   # Keep Docker images updated
   docker-compose pull
   docker-compose up -d

4. Monitor Logs:

   # Watch for security events
   docker-compose logs -f | grep -i "error\|security\|unauthorized"

1. Never Commit Secrets:

   • Use .env.example templates
   • Add secrets to .gitignore
   • Use environment variables or Docker secrets

2. Run Security Scans:

   # Scan for vulnerabilities
   npm audit
   docker scout cves

3. Update Dependencies:

   # Keep packages current
   npm update
   npm audit fix

• CVE-2025-27210: Node.js path traversal (HIGH) - Monitor for patches
• CVE-2025-23085: HTTP/2 memory leak (MEDIUM) - Limited impact
• CVE-2025-23165: fs.ReadFileUtf8 corruption (LOW) - Minimal risk

1. Network Isolation: Default localhost binding limits exposure
2. Input Validation: Comprehensive input sanitization
3. Resource Limits: CPU/memory constraints prevent DoS
4. Health Monitoring: Automated health checks detect issues

• GitHub token stored in Docker secrets (not environment)
• Ports bound to localhost only (127.0.0.1:3000:3000)
• Base images updated to latest secure versions
• Security context configured (no-new-privileges:true)
• Secrets directory excluded from git (.gitignore)
• File permissions set correctly (chmod 600 for secrets)

• Regular security audits (npm audit, docker scout)
• Log monitoring for suspicious activity
• Network monitoring and intrusion detection
• Regular backup of cache data
• Incident response plan documented
• Security patches applied promptly

• Security Team: security@liquescent.dev
• General Issues: GitHub Issues
• Security Advisories: GitHub Security

We follow responsible disclosure and will:

1. Acknowledge security reports within 48 hours
2. Provide timeline for fixes within 7 days
3. Release security patches as soon as possible
4. Credit security researchers (with permission)

• Docker Security Best Practices
• Node.js Security Best Practices
• OWASP Container Security
• Alpine Linux Security