We maintain security updates for the following versions of Community.Microsoft.Extensions.Caching.PostgreSql:
| Version | Supported |
| --- | --- |
| 4.0.x | ✅ |
| 3.x.x | ❌ |
| < 3.0 | ❌ |
We take security vulnerabilities seriously. If you discover a security issue, please follow these steps:
- Do Not open a public GitHub issue for the vulnerability.
- Send a detailed report to our security team by opening a private security advisory, including:
  - A clear description of the vulnerability
  - Steps to reproduce the issue
  - Versions affected
  - Potential impact
  - Any possible mitigations you've identified
- Acknowledgment: We aim to acknowledge receipt of your report within 48 hours.
- Updates: We will keep you informed about:
  - Our progress in investigating the issue
  - Any questions we have about the report
  - The timeline for releasing a fix
- Fix Development: Once validated, we will:
  - Develop and test a fix
  - Prepare security advisory documentation
  - Release the fix following our standard release process
- Public Disclosure: We will coordinate with you on the timing of public disclosure.
When using Community.Microsoft.Extensions.Caching.PostgreSql in your applications, consider these security recommendations:
- Database Access
  - Use a dedicated PostgreSQL user with minimal privileges
  - Restrict the user's access to only the cache schema and tables
  - Use connection string encryption in production
- Connection String Security

  ```csharp
  // Do not store connection strings in code
  services.AddPostgreSqlCache(options =>
  {
      options.ConnectionString = Configuration.GetConnectionString("PostgreSqlCache");
      // ...
  });
  ```

- Schema Isolation
  - Use a separate schema for cache tables
  - Implement proper access controls at the database level
- Data Protection
  - Consider encrypting sensitive cached data before storage
  - Implement proper key rotation policies
  - Use HTTPS for all communications in distributed scenarios
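The dedicated-user and schema-isolation recommendations above, as an added example that is not part of the package's own documentation. The schema name `cache`, the role name `cache_app`, the connection limit and the statement timeout are assumptions; match the schema to the one you configure in the package options and run the script as the database owner or a superuser.

```sql
-- Added example (not from the package docs): a dedicated, least-privilege
-- PostgreSQL role for the cache. Assumptions: schema "cache", role "cache_app".
-- Run as the database owner / superuser, not as the application.

-- 1. Keep cache tables in their own schema, owned by the administrative role.
CREATE SCHEMA IF NOT EXISTS cache;

-- 2. A login-only role for the application. The password is a placeholder;
--    supply the real value from your secrets store, never from source control.
CREATE ROLE cache_app LOGIN PASSWORD '<replace-with-secret>'
    NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT;

-- 3. The role must not create objects anywhere. (Before PostgreSQL 15 every
--    role can CREATE in "public" via PUBLIC; this revoke applies to all roles.)
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
REVOKE CREATE ON SCHEMA cache FROM cache_app;

-- 4. Grant exactly the DML a cache needs on the cache schema, nothing else.
--    If the package is allowed to create its own table, do that once as the
--    owner before this step so the application role never needs CREATE.
GRANT USAGE ON SCHEMA cache TO cache_app;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA cache TO cache_app;

-- 5. Make the same grants apply to tables the owner creates in "cache" later.
ALTER DEFAULT PRIVILEGES IN SCHEMA cache
    GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO cache_app;

-- 6. Cap connections (align with the application's pool size) and runaway
--    statements at the database side as a backstop to client-side timeouts.
ALTER ROLE cache_app CONNECTION LIMIT 50;
ALTER ROLE cache_app SET statement_timeout = '30s';

-- Verification: the result should list only tables in schema "cache",
-- each with exactly SELECT, INSERT, UPDATE and DELETE for cache_app.
SELECT table_schema, table_name, privilege_type
FROM information_schema.role_table_grants
WHERE grantee = 'cache_app'
ORDER BY table_schema, table_name, privilege_type;
```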
- Security updates are released as soon as possible after validation
- Updates follow semantic versioning
- Breaking changes in security updates are avoided when possible
- Security advisories will be published on our GitHub repository
The package includes basic audit logging through ILogger. To enhance security monitoring:
- Configure appropriate log levels
- Enable structured logging
- Monitor cache operations through logs
- Implement alerts for suspicious patterns, such as repeated failed authentication attempts against the cache database
- Connection Pooling

  ```csharp
  using Npgsql;

  services.AddPostgreSqlCache(options =>
  {
      options.DataSourceFactory = () =>
      {
          var dataSourceBuilder = new NpgsqlDataSourceBuilder(connectionString);
          // Pooling is configured through the connection string settings the builder
          // exposes; NpgsqlDataSourceBuilder has no EnablePooling() or MaxPoolSize member.
          dataSourceBuilder.ConnectionStringBuilder.Pooling = true;
          dataSourceBuilder.ConnectionStringBuilder.MaxPoolSize = 50; // Adjust based on your application's requirements
          return dataSourceBuilder.Build();
      };
  });
  ```

- Timeout Settings

  ```csharp
  services.AddPostgreSqlCache(options =>
  {
      options.CommandTimeout = TimeSpan.FromSeconds(30); // Adjust based on your application's requirements
      // ...
  });
  ```
If you want to contribute security improvements:
- Follow the standard contribution process in CONTRIBUTING.md
- Include security impact in pull request descriptions
- Add tests for security-related changes
- Update security documentation as needed
Security-related contributions are subject to the same MIT License as the main project.