# Security Documentation Index

This directory contains security-related documentation, vulnerability analyses, and security best practices.

## Security Guides

- **[indieauth-endpoint-discovery-security.md](indieauth-endpoint-discovery-security.md)** - Security considerations for IndieAuth endpoint discovery

## Security Topics

### Authentication & Authorization

- IndieAuth security
- Token management
- Session security

### Data Protection

- Secure storage
- Encryption
- Data privacy

### Network Security

- HTTPS enforcement
- Endpoint validation
- CSRF protection

## Security Principles

StarPunk follows these security principles:

- **Secure by Default**: Security is enabled by default
- **Minimal Attack Surface**: Fewer features mean fewer vulnerabilities
- **Defense in Depth**: Multiple layers of security
- **Fail Closed**: Deny access when uncertain
- **Principle of Least Privilege**: Minimal permissions by default

## Reporting Security Issues

If you discover a security vulnerability:

1. **Do NOT** create a public issue
2. Email security details to project maintainer
3. Allow time for patch before disclosure
4. Coordinated disclosure benefits everyone

## Related Documentation

- **[../decisions/](../decisions/)** - Security-related ADRs
- **[../standards/](../standards/)** - Security coding standards
- **[../architecture/](../architecture/)** - Security architecture

---

**Last Updated**: 2025-11-25

**Maintained By**: Documentation Manager Agent