We take the security of MockAuth seriously. If you discover a security vulnerability, please follow these steps:

1. DO NOT open a public GitHub issue
2. Email security concerns to: security@mockauth.dev
3. Include:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

• Acknowledgment: Within 48 hours
• Initial Assessment: Within 7 days
• Fix Timeline: Depends on severity
  • Critical: Within 7 days
  • High: Within 14 days
  • Medium: Within 30 days
  • Low: Next release cycle

MockAuth is designed as a development and testing tool, not for production use. However, if you choose to use it:

• Use strong, unique JWT secrets
• Enable HTTPS in production
• Implement rate limiting
• Use environment variables for secrets
• Enable audit logging
• Regularly update dependencies

• Use default secrets in production
• Expose MockAuth directly to the internet
• Store sensitive production data
• Use in production without security review
• Ignore vulnerability warnings

MockAuth includes several security features:

• bcryptjs password hashing (10 rounds)
• JWT token-based authentication
• Helmet.js security headers
• Rate limiting (configurable)
• CORS protection
• Account lockout after failed attempts
• Session management with expiry
• Audit logging for compliance

As a mock/development tool, MockAuth has some limitations:

1. Not Battle-Tested: Unlike production auth systems (Auth0, Firebase, Better-Auth), MockAuth hasn't been battle-tested at scale
2. Email/SMS Mocked: Email and SMS verification are simulated
3. In-Memory Default: Default storage is in-memory (use database for persistence)
4. No Professional Security Audit: Has not undergone professional security auditing

Check our GitHub Security Advisories for current vulnerabilities.

None reported to date (as of v1.1.0)

Subscribe to security updates:

• Watch this repository on GitHub
• Follow @mockauth on Twitter
• Check CHANGELOG.md for security fixes

MockAuth includes features for compliance with:

• GDPR (General Data Protection Regulation)
• HIPAA (Health Insurance Portability and Accountability Act)
• SOX (Sarbanes-Oxley Act)
• PCI-DSS (Payment Card Industry Data Security Standard)

However, using MockAuth does NOT guarantee compliance. Consult with compliance experts for production systems.

We regularly monitor dependencies for vulnerabilities using:

• npm audit
• GitHub Dependabot
• Snyk (planned)

Run security audit:

npm audit

Update dependencies:

npm update
npm audit fix

const { MockAuth } = require('mockauth');

const auth = new MockAuth({
  port: 3001,
  
  // ✅ Use strong, unique secrets
  jwtSecret: process.env.JWT_SECRET, // From environment
  
  // ✅ Enable security features
  enableAccountLockout: true,
  maxLoginAttempts: 5,
  lockoutDuration: '15m',
  
  // ✅ Strong password policy
  passwordPolicy: {
    minLength: 12,
    requireUppercase: true,
    requireNumbers: true,
    requireSpecialChars: true,
  },
  
  // ✅ Strict CORS
  cors: {
    origin: process.env.ALLOWED_ORIGINS?.split(','),
    credentials: true,
  },
  
  // ✅ Rate limiting
  rateLimit: {
    windowMs: 15 * 60 * 1000,
    max: 100,
  },
  
  // ✅ Audit logging
  enableAuditLog: true,
  logLevel: 'info',
});

For security concerns:

• Email: security@mockauth.dev
• GitHub: @mockauth

See LICENSE for license information.

Last Updated: 2025-10-14 Version: 1.1.0