The Astroxs team takes security seriously. We appreciate your efforts to responsibly disclose your findings.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please send an email to security@astroxs.dev (or create a private security advisory on GitHub).
Include as much information as possible:
- Type of vulnerability
- Full paths of source files related to the issue
- Location of the affected code
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the vulnerability

- We will acknowledge your email within 48 hours
- We will provide a more detailed response within 7 days
- We will work with you to understand and resolve the issue
- We will publicly disclose the issue after a fix is released

When using Astroxs:
- Change default credentials immediately after installation
- Use strong passwords for all user accounts
- Enable HTTPS in production environments
- Keep dependencies updated (`composer update`)
- Disable commands in production by setting `ASTROXS_DISABLE_COMMANDS=true`
- Use environment variables for sensitive configuration
- Implement rate limiting on authentication endpoints
- Regularly audit your user roles and privileges
- Monitor suspension logs for unusual activity
- Rotate tokens regularly for high-privilege accounts
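The rate-limiting item above is the one most often left unimplemented, so here is an added example of how it can be done with Laravel's built-in `RateLimiter` and `throttle` middleware. This is illustrative code written for this page, not Astroxs project code; the `login` limiter name, the `email` request field, the `AuthController` class and the 5-per-minute threshold are assumptions you should adapt to your own application.

```php
<?php
// Added example, not part of the Astroxs code base.
// File 1: app/Providers/AppServiceProvider.php (Laravel 11; in earlier
// versions the same code goes in RouteServiceProvider::boot()).

namespace App\Providers;

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\ServiceProvider;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Define a named limiter for authentication attempts. The key combines
        // the submitted account identifier ("email" is an assumed field name)
        // with the client IP, so that one client spraying many accounts and
        // many clients hammering one account both hit the limit.
        RateLimiter::for('login', function (Request $request) {
            $account = strtolower((string) $request->input('email'));
            $key = $account . '|' . $request->ip();

            // 5 attempts per minute per key is an assumed threshold; the
            // generic 429 body avoids leaking whether the account exists.
            return Limit::perMinute(5)
                ->by($key)
                ->response(function () {
                    return response()->json(
                        ['message' => 'Too many login attempts. Try again later.'],
                        429
                    );
                });
        });
    }
}

// File 2: routes/api.php
// Attach the named limiter to every endpoint that accepts credentials or
// issues tokens. AuthController is an assumed controller name.
//
// use App\Http\Controllers\AuthController;
// use Illuminate\Support\Facades\Route;
//
// Route::post('/login', [AuthController::class, 'login'])
//     ->middleware('throttle:login');
// Route::post('/password/email', [AuthController::class, 'sendResetLink'])
//     ->middleware('throttle:login');
```

When the limit is exceeded Laravel returns the custom 429 response with `Retry-After` and `X-RateLimit-*` headers, which is also a useful signal to forward to your audit log or SIEM: a burst of 429s on `/login` keyed to one IP is an early indicator of credential stuffing.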

| Version | Supported |
|---|---|
| 1.x | ✅ |

Astroxs includes several security features:
- Laravel Sanctum token authentication
- Automatic token revocation on suspension
- Protected roles that cannot be deleted
- Role and privilege caching for performance
- Audit logging middleware
- Secure password hashing (bcrypt)
- CSRF protection (via Laravel)
- SQL injection prevention (via Eloquent)

Thank you for helping keep Astroxs and its users safe!