Security
Ember has been written with the assumption that it will be exposed to the public internet behind a reverse proxy. This page lists the defenses in place and the deployment expectations.
For vulnerability reporting, see SECURITY.md. Don't open public issues for security problems.
Authentication
- Passwords: argon2id (
time=3,memory=64 MiB,parallelism=2, salt=16 bytes). Meets OWASP 2024 recommendations. - Sessions: 64-hex-char random IDs signed via
gorilla/securecookie. Server-side row insessionstable backs every cookie. Default lifetime 24 hours; override viaEMBER_SESSION_TTLenv var or Settings → Sessions (bounded 5 min – 90 days). Destroyed on logout, login (fixation defense), and on password change (both self-service and admin). - Cookies:
HttpOnly,Secure,SameSite=Strict, scoped to/. - Rate limiting: per-IP token bucket on
POST /api/auth/loginandPOST /api/auth/passkey/*(burst 10/min). A second, higher-burst bucket (30/min) guards the expensive authenticated endpoints — add-feed, feed discovery, edit-feed (URL repoint), refresh-feed, refresh-all-feeds, resummarize(-all), OPML import, TT-RSS import (file + live API), starter-pack import, article extract, the image proxy (GET /api/img), and search — which spawn outbound fetches / goroutines / FTS work. "Refresh all" additionally bounds its detached refresh goroutines with a global semaphore so concurrent requests can't pile work onto the single SQLite writer. Buckets key on the real client IP (see Transport / proxy expectations for how that's resolved). - Passkeys / WebAuthn: optional second sign-in method (FIDO2). Credentials are bound to a relying-party ID derived from
EMBER_PUBLIC_URL; ceremonies expire after 5 minutes; a stalewebauthn_sessionsrow is reaped on a 15-minute cadence. Credentials never leave the device — only the public key is stored. The passkey login-begin path runs a throwaway credential lookup on an unknown username so its response timing matches the found-user path (no username enumeration). - Account email: the self-service email change (
PATCH /api/me/email) requires the current password (re-auth), so a stolen session can't silently redirect the account's digest mail. Email addresses are unique (case-insensitive) so two accounts can't converge on one address.
Authorization
| Endpoint group | Required |
|---|---|
/healthz | none |
POST /api/auth/login | none (login is the bootstrap) |
All other /api/* | session cookie |
POST /api/users, PATCH /api/users/{id}, admin LLM, branding, DB, settings | is_admin = 1 |
GET /api/admin/settings, PATCH /api/admin/settings, POST /api/admin/settings/email-test | is_admin = 1 |
/metrics | is_admin = 1 |
GET /api/users | returns {id, username} projection for non-admins |
Every user-scoped store query carries WHERE user_id = ? so users can't read each other's feeds, shares, tags, or saved searches. Article tag endpoints additionally call requireArticleAccess, which confirms the user is subscribed to the article's feed before allowing tag mutations.
The admin file-management endpoints that take a filename — DELETE /api/admin/db/backups/{name} and …/exports/{name} — reject any {name} that isn't a bare basename with the expected extension (.db / .opml), so a crafted value can't traverse out of the configured backup/export directory. Per-user filter import (POST /api/filters/import) validates each rule through the same ParseMatch / ValidateActionWithValue path as a manual create and silently skips anything invalid or beyond the per-user cap, so a hand-edited bundle can't inject malformed rules.
CSRF
Double-submit pattern. A random ember_csrf cookie (16 crypto/rand bytes hex-encoded, SameSite=Strict, not HttpOnly so the SPA can echo it) must be echoed in the X-Ember-CSRF header on every state-changing request (POST, PATCH, DELETE). The header/cookie compare is constant-time.
Two safe exceptions:
POST /api/auth/login— bootstrap, no session cookie yet.- Anonymous requests to
GETendpoints — no session means nothing to forge.
The login bypass uses exact path match, not suffix match.
SSRF protection
Every outbound URL fetch passes through internal/urlcheck.Check:
- Scheme allowlist:
http,https. Everything else (file,gopher,javascript) is refused. - Private-IP block: literal IPs and DNS resolutions inside RFC1918 (
10/8,172.16/12,192.168/16), loopback (127/8,::1), link-local (169.254/16— also the AWS / GCP / Azure metadata endpoint — andfe80::/10), CGNAT (100.64/10), unspecified (0.0.0.0/8), and IPv6 ULA (fc00::/7) are refused. - Port block: well-known non-web service ports (SSH
22, SMTP25, Redis6379, Memcached11211, common databases, …) — a curated subset of the WHATWG "bad ports" list — are refused. A feed always lives on a web port, so this closes a blind port-scan oracle without affecting real feeds, and it applies even underEMBER_ALLOW_PRIVATE_URLS. - Redirect chains: feed fetcher rejects 30x to private addresses via
feed.RedirectGuard. The Ollama summarizer client refuses to follow redirects at all (its base URL is admin-set and often loopback, so it gets the redirect guard but not the private-IP block). - Opt-in bypass:
EMBER_ALLOW_PRIVATE_URLS=1skips the IP check for homelabs that need LAN feeds. Scheme allowlist still applies.
Surfaces covered:
POST /api/feeds(add feed)PATCH /api/feeds/{id}(edit feed — a changed source URL is validated and re-fetched before the subscription is re-pointed; the route is rate-limited like add-feed)POST /api/feeds/discover(multi-feed picker — the target page and every advertised feed link is validated before fetching)POST /api/feeds/import(OPML import — eachxmlUrlis filtered)POST /api/feeds/import-ttrss-api(TT-RSS live pull / full migrate — the API endpoint is validated and the client carriesfeed.RedirectGuard; the user-supplied TT-RSS credentials are held only for the request and never persisted). When subscriptions are migrated, every feed URL returned bygetFeedsis run throughurlcheck.Checkbefore subscribing (a blocked URL is skipped, not fatal). The file uploadPOST /api/feeds/import-ttrssmakes no outbound request, andjavascript:/data:article links in the export are dropped.- Poller readability enrichment (Lobsters / HN aggregator → external link)
- Feed fetcher redirects
POST /api/articles/{id}/extract(on-demand Re-extract) — runs the sameurlcheck.Checkbefore fetching the article URL through readability.GET /api/img(same-origin image proxy) — the requested URL must carry a valid HMAC signature the server issued when it rewroteimage_url(so a client can't point the proxy at an arbitrary host), and is then run throughurlcheck.Checkbefore fetching. Onlyimage/*responses are streamed back, size- (10 MiB) and time- (15 s) bounded. The outbound client usesurlcheck.GuardedTransport, so the private-IP block also covers the actual dial.
The admin-only POST /api/admin/settings/email-test opens an SMTP TCP connection to the admin-supplied host:port. This is by design: the same connection happens every 5 minutes from the digest sender when SMTP is configured. Access is gated by is_admin = 1 so a non-admin can't use it as a port-scan or relay-probe primitive. On failure the endpoint returns a generic message; the underlying SMTP/TLS/DNS error (which can carry server banners, internal hostnames, or AUTH fragments) is logged server-side only.
SMTP transport
Outbound mail (digests + the test message) never sends credentials or message bodies in cleartext across the network:
EMBER_SMTP_STARTTLS=1(default) requires STARTTLS — if the server doesn't advertise it (or a MitM strips it from the EHLO response), the send fails rather than downgrading to plaintext. The TLS handshake pinsMinVersion: TLS 1.2and verifies the server certificate.EMBER_SMTP_STARTTLS=0(plain SMTP) is permitted only to a loopback host (localhost/127.0.0.1/::1) — a local relay or sidecar. Plain SMTP to any remote host is refused before the connection opens.
Body limits
decodeJSONwraps the body inhttp.MaxBytesReadercapped at 1 MiB.- OPML import body capped at 8 MiB (and the parser reads at most 10 MiB).
- TT-RSS file import capped at 50 MiB (the streaming XML parser reads at most that); the live API pull paginates and stops at 100k articles, and the subscription migration paginates
getFeedsand stops at 10k feeds. - Fever (
/fever) form body capped at 64 KiB. - Request headers capped at 64 KiB (
http.Server.MaxHeaderBytes). /api/articles/read(and other bulk endpoints) accept at most 1000 ids per request;/api/articles?limit=is clamped to 200.- Readability extraction (poller enrichment +
POST /api/articles/{id}/extract) caps the fetched page at 8 MiB before parsing; the feed fetcher caps response bodies at 16 MiB. - Each decoded inbound-email MIME part is capped at 16 MiB (base64 expands ~4:3, so a near-limit message can't balloon past the 25 MiB message ceiling).
GET /api/searchclampslimitto 100 andoffsetto 10000.
Error responses
5xx responses always read {"error": {"code": "internal", "message": "internal error"}}. The actual error is logged server-side via slog.Default().Error(...). No SQLite errors, file paths, or constraint details leak to clients. OPML / TT-RSS import and multipart-parse failures likewise return a generic 400 ("could not read the uploaded file" / "check the file is a valid … export"); the underlying XML offset, SQLite constraint, or temp-path detail is logged only.
Ollama upstream errors (502 from /api/admin/llm/pull etc.) return generic "Ollama refused the pull" messages; the upstream text goes to logs.
Transport / proxy expectations
Ember serves plain HTTP only — it has no TLS listener. The supported deployment terminates TLS in a fronting proxy (Caddy, in the bundled compose) and forwards to :8080. Ember's :8080 should never be reachable directly from the internet.
- Trusted proxies:
X-Real-IP(rate-limit keying) andX-Forwarded-Proto(HTTPS detection) are honored only from peers inEMBER_TRUSTED_PROXIES. The default is empty — trust nobody: Ember treats itself as the edge and reads the real client from the connection, ignoring those headers. SetEMBER_TRUSTED_PROXIESto your proxy's address/range (the bundled compose sets it to the Caddy bridge range). This closes the spoofing gap where a same-LAN or same-Docker-network peer could forgeX-Real-IPto bypass the limiter or poison logs. - HSTS is emitted only over HTTPS — when the request arrives over TLS, or a trusted proxy reports
X-Forwarded-Proto: https. Browsers ignore HSTS received over plain HTTP (RFC 6797), so it is never sent on a bare-HTTP connection. - Cookies carry
Secureby default. Behind a TLS proxy that's correct. For a deliberate plain-HTTP deployment (e.g. private VPN) setEMBER_SECURE_COOKIES=false, otherwise browsers drop the cookie over HTTP and login silently fails. Ember logs a startup warning when it's bound to a non-loopback address withSecurecookies on and no trusted proxy configured. Permissions-Policy,X-Frame-Options: DENY,X-Content-Type-Options: nosniff, COOP, CORP, and a locked-down CSP (default-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none') are set on every response, including 404/405 and error responses. The CSP intentionally allowsimg-src https:(inline<img>inside article bodies still load from third-party publisher CDNs; the card/reader lead image is proxied same-origin via/api/img— see Image proxy below — but body images are not),img-src data:(the dynamic tab favicon, a canvas-rasterizeddata:image/pngwith the unread-dot overlay), andstyle-src 'unsafe-inline'(the SPA's scoped styles) — accepted trade-offs for a self-hosted reader.
Image proxy
The card thumbnail and the reader's lead image are served from Ember's own origin via GET /api/img rather than fetched directly from the publisher's CDN. Content/tracker blockers (uBlock Origin, Privacy Badger, …) match on those CDN domains and would otherwise silently strip the lead image (e.g. Fox News' a57.foxnews.com); routed same-origin it loads normally.
- Capability, not an open relay: the API rewrites
image_urlto/api/img?u=<src>&s=<sig>at serve time, wheresigis an HMAC oversrckeyed by a value derived fromEMBER_SESSION_KEY(domain-separated so it can't be confused with session/CSRF use)./api/imgverifies the signature in constant time before any network I/O, so a client can't aim the proxy at an arbitrary host. - Bounded + guarded: the source URL also passes
urlcheck.Check, and the outbound client usesurlcheck.GuardedTransport(private-IP block on the real dial). Onlyimage/*responses are returned, capped at 10 MiB and a 15 s timeout. - Stateless: stream-through with a 1-day
Cache-Control(browser/proxy cache); no server-side image cache. Scoped to the lead image — inline body<img>are left pointing at their origin CDN, which is whyimg-src https:stays in the CSP.
Database
- SQLite WAL with single-writer semantics.
MaxOpenConns=1to avoidSQLITE_BUSYstorms. synchronous=NORMAL(safe with WAL),busy_timeout=5s, 64 MiB cache, 256 MiB mmap.- Backups via
VACUUM INTOare safe to run live and produce a compacted snapshot.
Secrets at rest
Admin-editable secrets — currently the SMTP password (smtp_password key in app_settings) — are stored as plaintext in the SQLite database. This matches the storage model when the same value is supplied via EMBER_SMTP_PASSWORD (env vars are also plaintext, just in .env rather than ember.db).
Protect the SQLite file at the filesystem layer:
- Docker compose mounts
ember-data:/data(root-owned inside the container). - Backups produced by
/api/admin/db/backupinherit those permissions. Don't ship them to anywhere less trustworthy than the host. - Database-encryption-at-rest (SQLCipher) is not currently wired; if you need it, a future change would belong here.
Fever shim
The Fever-compatible endpoint (/fever) uses a per-user random 32-byte token stored in the fever_token column. Constant-time compare in the auth path. Lazy-backfilled on first /api/me hit for users created before the column existed. The token is shown to the owning user only via /api/me; admin user lists never include it.
unread_item_ids / saved_item_ids return the user's complete id set (a Fever client diffs it against local state) — they are intentionally uncapped, so the response scales with the per-user unread/saved backlog (small integers; authenticated and per-user). Bulk item content is fetched only through the paginated items surface (since_id / max_id / with_ids, ≤ 50 per call).
CVE posture
- Go stdlib pinned to 1.26.4.
- CI runs
go vet,golangci-lint, andgovulncheckon every push. - Dependabot opens PRs weekly for
gomod+npmupdates.