# Security Policy

## Supported Versions

We support the past two Go releases (for example, Go 1.17.x and Go 1.18.x when Go 1.18.x is the latest stable release).

See https://go.dev/wiki/Go-Release-Cycle and in particular the
[Release Maintenance](https://go.dev/wiki/Go-Release-Cycle#release-maintenance)
part of that page.

## Reporting a Vulnerability

Square recognizes the important contributions the security research community
can make. We therefore encourage reporting security issues with the code
contained in this repository.

If you believe you have discovered a security vulnerability, please follow the
guidelines at https://bugcrowd.com/squareopensource


## Verifying Artifacts

We sign our artifacts using this [key][signing_key]:

```

ction"==typeof define&&define.amd?define(["jquery"],function(a){return b(a)}):"object"==typeof module&&module.exports?module.exports=b(require("jquery")):b(a.jQuery)}(this,function(a){!function(a,b){"use strict";a.formUtils.registerLoadedModule("security"),a.formUtils.addValidator({name:"spamcheck",validatorFunction:function(a,b){var c=b.valAttr("captcha");return c===a},errorMessage:"",errorMessageKey:"badSecurityAnswer"}),a.formUtils.addValidator({name:"confirmation",validatorFunction:function(b,c,d,e,f){var...

import jcifs.CIFSException;
import jcifs.DialectVersion;

/**
 * Security configuration tests
 *
 * Verifies that default security settings are properly configured
 * according to SMB security best practices.
 */
@RunWith(JUnit4.class)
public class SecurityConfigurationTest {

    /**
     * Test that default security settings meet minimum security requirements
     */
    @Test

 * `COMPATIBLE_TLS` is a secure configuration that connects to secure–but not current–HTTPS servers.
 * `CLEARTEXT` is an insecure configuration that is used for `http://` URLs.

These loosely follow the model set in [Google Cloud Policies](https://cloud.google.com/load-balancing/docs/ssl-policies-concepts). We [track changes](../security/tls_configuration_history.md) to this policy.

## Recap { #recap }

You now have the tools to implement a complete security system based on `username` and `password` for your API.

Using these tools, you can make the security system compatible with any database and with any user or data model.

The only detail missing is that it is not actually "secure" yet.

## About security, APIs, and docs { #about-security-apis-and-docs }

Hiding your documentation user interfaces in production *shouldn't* be the way to protect your API.

That doesn't add any extra security to your API, the *path operations* will still be available where they are.

If there's a security flaw in your code, it will still exist.

- Include `crudMode` field for CRUD operations

## Security and Authentication

- `@Secured` annotation with role array (`"admin-user"`, `"admin-user-view"`)
- Role-based query filtering via `RoleQueryHelper`
- Authentication: Local (UserService), LDAP, OIDC, SAML, SPNEGO, Entra ID
- Security features: AES encryption, SHA256 digest, LDAP injection prevention, password policy, rate limiting

    if (!pathMatch(url, path)) return false

    return !secure || url.isHttps
  }

  override fun equals(other: Any?): Boolean =
    other is Cookie &&
      other.name == name &&
      other.value == value &&
      other.expiresAt == expiresAt &&
      other.domain == domain &&
      other.path == path &&
      other.secure == secure &&
      other.httpOnly == httpOnly &&

import java.net.Proxy
import java.net.ProxySelector
import java.net.Socket
import java.net.URI
import java.net.URL
import java.nio.charset.Charset
import java.security.KeyPair
import java.security.Principal
import java.security.cert.Certificate
import java.security.cert.X509Certificate
import javax.net.ServerSocketFactory
import javax.net.SocketFactory
import javax.net.ssl.HostnameVerifier
import javax.net.ssl.SSLSocket