From 55382cecc24d45971321a90d68c1f42693ee2b10 Mon Sep 17 00:00:00 2001 From: Ellpeck Date: Mon, 25 Sep 2023 14:01:44 +0200 Subject: [PATCH] security info --- server/public/index.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/server/public/index.md b/server/public/index.md index 6350883..df7fbe2 100644 --- a/server/public/index.md +++ b/server/public/index.md @@ -21,6 +21,8 @@ There are two ways to manage shared notes: you can open the context menu on a sh Both allow a set of actions, including sharing the link, updating the share and deleting the share. When updating the share, the link will stay intact, but it will be updated with the note's new content. ## How it Works (and Security) +**To report a security vulnerability, please use GitHub's [private vulnerability reporting](https://github.com/Ellpeck/ObsidianJustSharePlease/security) feature or email [me@ellpeck.de](mailto:me@ellpeck.de).** + Just Share Please uses a simple [PHP backend](https://github.com/Ellpeck/ObsidianJustSharePlease/blob/main/server/public/share.php) that accepts requests for sharing, updating and deleting notes. When sharing a note, its content as well as additional metadata created by the backend is stored in the server's `data` directory. Note content is stored **in plain text**, which means server admins are able to observe all notes and their content and potentially edit them. However, for users of Just Share Please to update or delete a shared note, they have to have access to a **password** that is automatically generated by the backend when sharing a note. You don't have to remember this password yourself, as it is automatically saved in the plugin's settings file. This also means that **deleting your settings** causes you to **lose access to all your shares**.
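Review bot: the new reporting line is placed as the first line under "## How it Works (and Security)" in server/public/index.md, and that is the only file this patch touches, so the contact details are visible only to someone who reads that section of the hosted page. Consider giving it a short heading of its own (for example "Reporting a vulnerability") and mirroring the same text in a SECURITY.md at the repository root, which GitHub shows as the repository's security policy. The link target is the repository's /security page rather than the report form itself, so a sentence saying to use the "Report a vulnerability" button there would save reporters a step. It would also help to state which of the two channels is preferred and what a report should include (affected endpoint in share.php, steps to reproduce, impact), since the paragraph right after it already describes plain-text note storage and password-gated update and delete, the areas reports are most likely to concern.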