We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

1. Do NOT create a public GitHub issue for security vulnerabilities
2. Email the maintainer directly at: methorz@spammerz.de
3. Include:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

• Acknowledgment: Within 48 hours
• Initial Assessment: Within 7 days
• Resolution Timeline: Depends on severity (critical: ASAP, high: 30 days, medium: 90 days)

• Security fixes will be released as patch versions
• Credit will be given to reporters (unless anonymity is requested)
• A security advisory will be published for significant vulnerabilities

When using this package:

• Keep dependencies updated - Run composer update regularly
• Use latest PHP version - Security fixes are backported to supported versions only
• Use private caching for sensitive data - Never cache user-specific data publicly
• Understand cache scope - CDNs and proxies may cache public responses
• Review caching headers - Ensure sensitive endpoints don't get cached

// DANGEROUS: User-specific data with public caching
CacheControlDirective::create()->public(); // DON'T use for /api/user/profile

// SAFE: User-specific data with private caching
CacheControlDirective::create()->private(); // Good for /api/user/profile

• ETags are based on response body hash
• Don't include sensitive data that varies per user in cached responses
• Use weak ETags (W/) for semantically equivalent responses

• This middleware only handles validation (304 responses)
• Ensure upstream caches (CDNs) are properly configured
• Use Vary header for content negotiation

• Security Issues: methorz@spammerz.de
• General Issues: GitHub Issues

Thank you for helping keep this project secure!