The following versions of Wiki-Go are currently supported with security updates:

| Version | Supported |
|---------|-----------|
| latest  | ✅        |
We take the security of Wiki-Go seriously. If you believe you've found a security vulnerability, please follow these steps:
- Do not disclose the vulnerability publicly or on the public issue tracker.
- Submit your findings through our contact form.
- Allow time for us to review and address the vulnerability before any public disclosure.
- We'll respond as quickly as possible to acknowledge receipt of your report.
Wiki-Go includes several security features:
- Password Storage: All passwords are hashed using bcrypt with appropriate cost factors.
- Authentication: Session-based authentication with secure, HTTP-only cookies.
- TLS Support: Built-in TLS support for encrypted connections.
- Role-Based Access Control: Fine-grained permissions through admin, editor, and viewer roles.
- File Upload Validation: MIME type checking for uploaded files (can be disabled if needed).
- Private Wiki Mode: Option to require authentication for all pages.
- Login Rate Limiting: Built-in protection against brute force attacks by temporarily banning IP addresses after multiple failed login attempts, with exponential backoff.
Wiki-Go includes built-in protection against brute force attacks by temporarily banning IP addresses after multiple failed login attempts.
- Monitoring Failed Attempts: The system tracks failed login attempts by IP address.
- Exponential Backoff: Ban durations double with each subsequent failure, providing increasing protection against persistent attacks.
- Configurable Parameters: All aspects of the rate limiting system can be customized via the admin interface.
- Persistence: Ban data is stored in `data/temp/login_ban.json` and persists across application restarts.
The login ban system is enabled by default with the following settings:
- Enabled: Yes
- Maximum Failures: 3 (failures before triggering a ban)
- Window Time: 30 seconds (time window in which failures are counted)
- Initial Ban Duration: 60 seconds (length of the first ban)
- Maximum Ban Duration: 86400 seconds (24 hours, upper limit for exponential backoff)
With these defaults, the sequence for a single IP address is:
- First 3 failures → Standard error message ("Invalid username or password")
- After 3 failures → 1-minute ban with message "Too many failed login attempts; try again later"
- After ban expires, next failure → 2-minute ban (doubling each time)
- Ban durations continue doubling up to the configured maximum
- Successful login resets all ban state for that IP address
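The sequence above, as an added Go example that is not Wiki-Go's own code: an in-memory login ban tracker with the window, failure threshold, doubling and cap described here, plus the whole-seconds value for the `Retry-After` header of the 429 response. The names (`Config`, `LoginBan`, `RecordFailure`) are assumptions, the JSON persistence is omitted, and the window is assumed to be a fixed one that restarts once it has elapsed.

```go
package main

import "time"

// Config mirrors the login_ban keys in config.yaml (all in seconds except MaxFailures).
type Config struct{ MaxFailures, WindowSeconds, InitialBanSeconds, MaxBanSeconds int }
type ipState struct {
	windowStart time.Time // when the current failure-counting window opened
	count       int       // failures seen in that window
	bannedUntil time.Time
	banSeconds  int // length of the most recent ban; doubles on each new ban
}
// LoginBan holds per-IP state in memory (Wiki-Go also persists it to JSON); a server must guard it with a mutex.
type LoginBan struct {
	cfg   Config
	state map[string]ipState
}
func NewLoginBan(cfg Config) *LoginBan { return &LoginBan{cfg: cfg, state: map[string]ipState{}} }
// Check runs before the password check: is ip banned at now, and how many whole seconds remain (the Retry-After value for the HTTP 429)?
func (lb *LoginBan) Check(ip string, now time.Time) (bool, int) {
	if s := lb.state[ip]; now.Before(s.bannedUntil) {
		return true, int((s.bannedUntil.Sub(now) + time.Second - 1) / time.Second)
	}
	return false, 0
}
// RecordFailure registers a failed login from an unbanned client and returns the ban
// length (seconds) now imposed, or 0 when only the standard error message is returned.
func (lb *LoginBan) RecordFailure(ip string, now time.Time) int {
	s := lb.state[ip] // zero value for an address not seen before
	defer func() { lb.state[ip] = s }()
	if now.Sub(s.windowStart) >= time.Duration(lb.cfg.WindowSeconds)*time.Second {
		s.windowStart, s.count = now, 0 // window elapsed (or never opened): count afresh
	}
	s.count++
	// The threshold applies only before the first ban; afterwards any further failure re-bans with double the length.
	if s.banSeconds == 0 && s.count < lb.cfg.MaxFailures {
		return 0
	}
	next := lb.cfg.InitialBanSeconds
	if s.banSeconds > 0 {
		next = s.banSeconds * 2
	}
	if next > lb.cfg.MaxBanSeconds {
		next = lb.cfg.MaxBanSeconds
	}
	s.banSeconds, s.bannedUntil, s.count = next, now.Add(time.Duration(next)*time.Second), 0
	return next
}
// RecordSuccess clears all ban state for ip after a successful login.
func (lb *LoginBan) RecordSuccess(ip string) { delete(lb.state, ip) }
```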
Administrators can adjust the login ban settings through:
- Admin Interface: Settings → Security tab
- Config File: Edit the `security` section in `config.yaml`

Example `config.yaml` section:

```yaml
security:
  login_ban:
    enabled: true
    max_failures: 5
    window_seconds: 180
    initial_ban_seconds: 60
    max_ban_seconds: 86400 # 24 hours
```
The messages returned to the client are:
- Regular failed login: "Invalid username or password"
- Banned state: "Too many failed login attempts; try again later"
- When banned, the client also receives HTTP status 429 (Too Many Requests) with a "Retry-After" header
For secure deployment of Wiki-Go, we recommend:
- Always use HTTPS in production environments.
- Set `allow_insecure_cookies: false` (the default) to enforce secure cookies.
- Change the default admin password immediately after installation.
- Set strong passwords for all accounts, especially admin accounts.
- Enable login rate limiting through the security settings to prevent brute force attacks.
- Regularly update to the latest version for security patches.
- Use a reverse proxy like Nginx, Caddy, or Traefik for additional security layers.
- Back up your data regularly to prevent data loss.
- Set appropriate file upload size limits to prevent denial of service attacks.
- Regularly review user accounts to ensure only authorized users have access.
Wiki-Go uses Go modules for dependency management. All dependencies are vendored to ensure reproducible builds.
Our security practices include:
- Regular code review with a focus on security
- Input validation to prevent injection attacks
- Proper error handling to avoid information leakage
- Use of standard libraries for cryptographic operations
- Secure session management
- Principle of least privilege for user roles
No known security issues at this time.
For security concerns, please use our contact form.