Security

Current Baseline

Developer Dashboard now applies these runtime protections in the active codebase:

exact 127.0.0.1 with numeric host 127.0.0.1 is the only automatic local-admin trust path
helper access requires a stored helper account
helper usernames are restricted to safe filename characters
helper passwords must be at least 8 characters long
helper user files and helper session files are written with 0600 permissions
helper sessions are bound to the originating remote address
helper sessions expire automatically after 12 hours
session cookies use HttpOnly and SameSite=Strict
HTTP responses add Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Cache-Control: no-store

The active tree outside the read-only legacy reference tree is kept free of:

That legacy reference tree remains read-only reference material and is not modified or committed as part of the active runtime.

Run these checks:

prove -lr t

The published root security policy lives in SECURITY.md and currently directs private reports to:

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	Go to GitHub issues (only if GitHub is preferred repository)

	Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)