The main branch of this repository is the only supported version. Production
deployments mirror main via Google Cloud Build → Cloud Run. There are no
maintenance branches.
| Branch | Supported |
|---|---|
| main | ✅ |
| Anything else | ❌ |
If you believe you have found a security issue in this lab, please:
- Do not open a public GitHub issue. Public disclosure before a fix is in production puts users at risk.
- Email contact@dmj.one with the subject `[security] dip-practical`. Include a description, reproduction steps, and the affected URL or commit hash. PGP key available on request.
- You will receive an acknowledgement within 72 hours.
- Coordinated disclosure: a fix is rolled to production before any public advisory. We will credit reporters on request.
Hardening already in place:
- Cloudflare in front of the origin; HTTPS only; HSTS preloaded.
- Werkzeug `ProxyFix` is configured to trust `X-Forwarded-*` headers from the Cloud Run / Cloudflare hop only, so a client cannot spoof its own address or scheme by sending those headers itself. See `app/__init__.py`.
- Strict `Content-Security-Policy`, `X-Content-Type-Options: nosniff`, `Referrer-Policy: strict-origin-when-cross-origin`, and `Permissions-Policy` headers. See `deploy/nginx-site.conf`.
- No secrets in the repository. The only outbound call is the one-time dataset download from imageprocessingplace.com, cached locally.
- Dependency pins in `requirements.txt` resolve every Dependabot advisory open on `main` at release time.
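Why the trusted-hop count given to `ProxyFix` matters, as an added example (this is not code from this repository, and the hop count, proxy chain and addresses are assumptions for illustration; the real setting lives in `app/__init__.py`). The snippet re-implements the one rule Werkzeug's `ProxyFix(x_for=N)` applies to `X-Forwarded-For`: take the N-th value counting from the right, because each proxy appends the peer address it actually saw. It then shows what an attacker gains when N is set too high, and what honest users lose when it is set too low.

```python
"""Why the trusted-hop count given to ProxyFix matters.

Added example, not code from the dip-practical repository. It re-implements
the single rule Werkzeug's ProxyFix applies to X-Forwarded-For when x_for=N:
the client address is the N-th value from the right, because every proxy
appends the peer address it actually observed, so only the rightmost N
values come from infrastructure we run. The chain and all addresses below are
constructed (RFC 5737 documentation ranges) and are assumptions; the real hop
count is whatever app/__init__.py configures.
"""

# Constructed addresses for the model.
ATTACKER_CLAIMED = "198.51.100.9"   # value the client writes into the header itself
REAL_CLIENT = "203.0.113.77"        # address Cloudflare accepted the connection from
CLOUDFLARE_EDGE = "192.0.2.10"      # address the Cloud Run front end saw as its peer
TCP_PEER = "10.1.2.3"               # what the app sees as REMOTE_ADDR (Cloud Run's proxy)


def trusted_forwarded_value(header, trusted_hops, fallback):
    """Apply the ProxyFix rule to one X-Forwarded-* header value.

    Returns the trusted_hops-th value from the right. If the header is absent
    or has fewer values than trusted hops, no proxy we control vouched for a
    client address, so fall back to the transport-level peer (ProxyFix likewise
    leaves REMOTE_ADDR untouched in that case).
    """
    values = [v.strip() for v in header.split(",") if v.strip()] if header else []
    if trusted_hops <= 0 or len(values) < trusted_hops:
        return fallback
    return values[-trusted_hops]


def header_as_app_sees_it(client_supplied=None):
    """Build X-Forwarded-For for the assumed chain client -> Cloudflare -> Cloud Run -> app.

    The client may send its own X-Forwarded-For; Cloudflare appends the address
    it saw; Cloud Run's front end appends Cloudflare's edge address. Two trusted
    hops is the assumption of this model, not a statement about the deployment.
    """
    parts = [client_supplied] if client_supplied else []
    parts += [REAL_CLIENT, CLOUDFLARE_EDGE]
    return ", ".join(parts)


def resolve_client(trusted_hops, client_supplied=None):
    """Client IP the app would log or rate-limit on for a given x_for setting."""
    return trusted_forwarded_value(header_as_app_sees_it(client_supplied), trusted_hops, TCP_PEER)


def compare_settings():
    """Outcome of each x_for choice against a header-spoofing client."""
    return {
        "x_for=1, too few: trusts only Cloud Run, yields Cloudflare's edge": resolve_client(1, ATTACKER_CLAIMED),
        "x_for=2, matches the two hops: yields the real client": resolve_client(2, ATTACKER_CLAIMED),
        "x_for=3, too many: the attacker picks the address": resolve_client(3, ATTACKER_CLAIMED),
        "x_for=3, honest client: header too short, falls back to the peer": resolve_client(3),
    }


if __name__ == "__main__":
    for setting, ip in compare_settings().items():
        print(f"{setting}: {ip}")
```

The last case is the quiet failure mode: with the count set too high, honest users (who send no header) all collapse onto the proxy's own address, so per-IP rate limits and logs become useless even when nobody is attacking.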
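A check for the response headers listed above, as an added example (not code from this repository). `check_headers()` returns a list of findings, empty when the response meets the policy; `check_url()` runs the same check against a live deployment. The thresholds it enforces (one-year `max-age` with `includeSubDomains` and `preload`, a `default-src` fallback, no `'unsafe-inline'` or `'unsafe-eval'` in `script-src`) are this example's assumptions about what "strict" should mean, not values read from `deploy/nginx-site.conf`, and the two header sets at the bottom are constructed.

```python
"""Check a response's security headers against the policy this lab claims.

Added example, not code from the dip-practical repository. The thresholds
below are the example's own assumptions about a strict policy; the sample
header sets are constructed.
"""
import sys
import urllib.request

ALLOWED_REFERRER = {"no-referrer", "strict-origin", "strict-origin-when-cross-origin", "same-origin"}
ONE_YEAR = 31536000  # seconds; the minimum max-age hstspreload.org accepts


def _parse_csp(value):
    """Split a CSP string into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _parse_hsts(value):
    """Split an HSTS value into {directive: argument} with lower-cased keys."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip()
    return directives


def check_headers(headers):
    """Return a list of findings for a header mapping (names case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options must be 'nosniff'")

    if h.get("referrer-policy", "").strip().lower() not in ALLOWED_REFERRER:
        findings.append("Referrer-Policy missing or leaks full URLs cross-origin")

    if "permissions-policy" not in h:
        findings.append("Permissions-Policy header missing")

    csp = h.get("content-security-policy")
    if not csp:
        findings.append("Content-Security-Policy header missing")
    else:
        policy = _parse_csp(csp)
        if "default-src" not in policy:
            findings.append("CSP has no default-src fallback")
        # script-src inherits default-src when absent, so check whichever applies.
        scripts = policy.get("script-src", policy.get("default-src", []))
        if {"'unsafe-inline'", "'unsafe-eval'", "*"} & set(scripts):
            findings.append("CSP script sources allow 'unsafe-inline', 'unsafe-eval' or a wildcard")

    hsts = _parse_hsts(h.get("strict-transport-security", ""))
    try:
        max_age = int(hsts.get("max-age", "0") or 0)
    except ValueError:
        max_age = 0
    if max_age < ONE_YEAR:
        findings.append("Strict-Transport-Security max-age below one year (or header missing)")
    if "includesubdomains" not in hsts or "preload" not in hsts:
        findings.append("Strict-Transport-Security lacks includeSubDomains and/or preload")

    return findings


def check_url(url):
    """GET the URL and check the live response headers (makes a network call)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return check_headers(dict(resp.headers.items()))


# Constructed samples: one set that meets the policy, one that does not.
GOOD = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline'",
    "Referrer-Policy": "unsafe-url",
}

if __name__ == "__main__":
    target = check_url(sys.argv[1]) if len(sys.argv) > 1 else check_headers(WEAK)
    print("\n".join(target) or "all checks passed")
```

Run it with the deployment's URL as the first argument to check the live headers; with no argument it reports the findings for the constructed weak set.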
Out of scope:
- Issues that require physical access to the user's device.
- Self-XSS that requires the user to paste attacker-controlled scripts into their browser console.
- Known limitations of unauthenticated public demos (e.g. compute-time exhaustion via repeated POSTs); rate limiting lives at the Cloudflare edge, not in this codebase.