Do not open a public GitHub issue for security vulnerabilities.

Report security issues privately through GitHub's private vulnerability reporting.

Include:

• A clear description of the vulnerability.
• The affected file(s) and line numbers where applicable.
• Steps to reproduce or a proof-of-concept (even a rough one helps).
• Your assessment of severity and exploitability.
• Any suggested remediation if you have one.

• Acknowledgement within 2 business days.
• Initial severity assessment within 5 business days.
• Critical / High issues targeted for remediation within 14 days.
• You will be credited in the release notes unless you prefer anonymity.

In scope for this repository:

• Nginx configuration: header injection, auth bypass, IP trust misconfiguration.
• Varnish VCL: cache poisoning, authenticated response leakage, bypass of pass/pipe rules.
• Apache configuration: privilege escalation, directory traversal, mis-scoped access rules.
• WordPress MU plugin (spx-upload-mimes.php): file upload bypass, MIME validation weaknesses.
• Secret handling: anything that could expose or weaken the Worker-to-Origin shared secret.

Out of scope:

• Cloudflare product vulnerabilities (report to Cloudflare directly).
• WordPress core or plugin vulnerabilities (report to the respective project).
• Theoretical / speculative issues with no realistic attack path.

Key security controls in this stack and where they live: