Only the latest main branch and the most recent release receive security updates.
| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
The backend binds to loopback (127.0.0.1) by default and restricts cross-origin requests to local origins. Torollo has no authentication; see the "Self-Hosting & Network Exposure" section of the README before exposing it to a network.
Please do not open a public issue for security vulnerabilities. Instead, report them privately by emailing youssefmoinou@gmail.com.
We take all security vulnerabilities seriously and will aim to acknowledge your report within 48 hours. We will then work on providing a patch or an update as quickly as possible.