Latest Security Audit: ✅ PASSED (Zero Critical Vulnerabilities)
OWASP Top 10 Compliance: ✅ Verified
Last Audit Date: Phase 6 Completion (Commit: 7baf838)
Open-Meteo MCP Server implements enterprise-grade security:
- Authentication: Dual authentication (JWT + API Keys) with HMAC-SHA512
- Authorization: Role-Based Access Control (RBAC) - PUBLIC, MCP_CLIENT, ADMIN
- Audit Logging: Comprehensive security event logging (10,000+ events tracked)
- Performance: JWT validation <50ms, API key validation <100ms
- Spring Security 7: Latest security framework with OAuth2 Resource Server
- JJWT 0.11.5: Industry-standard JWT implementation
See ARCHITECTURE.md for detailed security architecture.
| Version | Supported | Notes |
|---|---|---|
| 2.0.x | ✅ | Current (Phase 6 Complete) |
| 1.2.x | ✅ | Security backports only |
| < 1.2 | ❌ | Upgrade required |
We take security vulnerabilities seriously. Please report security issues responsibly.
- DO NOT open a public GitHub issue for security vulnerabilities
- Email security reports to the repository owner (check GitHub profile)
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if available)
  - Your contact information
- Initial Response: Within 48 hours
- Status Update: Every 7 days until resolution
- Fix Timeline: Critical issues within 7-14 days, others within 30 days
If Accepted:
- We will confirm the vulnerability and its severity
- We will develop and test a fix
- We will release a security patch
- We will credit you in the release notes (if desired)
If Declined:
- We will explain why it's not considered a vulnerability
- We may suggest alternative solutions or configurations
- We will remain open to further discussion
When deploying this server:
- JWT Secret: Use a minimum 64-character random secret for `JWT_SECRET`
- API Keys: Store API keys securely (environment variables, secrets manager)
- HTTPS Only: Always use TLS/HTTPS in production
- Rate Limiting: Configure appropriate rate limits for your use case
- Monitoring: Enable security audit logging and monitor for anomalies
- Updates: Keep dependencies updated (run `mvn versions:display-dependency-updates`)
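As an added example (not code from the Open-Meteo MCP Server project), the `JWT_SECRET` check the deployment notes above call for, written against the JJWT 0.11.5 API the page names: a secret shorter than 64 bytes (512 bits, the HS512 minimum) is refused at startup rather than backing an HMAC-SHA512 signature, and a 64-byte one signs and verifies a short-lived token carrying an RBAC role. The `JwtSecretCheck` class, the 15-minute lifetime and the sample secret values are assumptions; it expects jjwt-api, jjwt-impl and jjwt-jackson on the classpath.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.security.Keys;
import javax.crypto.SecretKey;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Date;

public class JwtSecretCheck {
    // HS512 needs a key of at least 512 bits (RFC 7518), i.e. 64 bytes: the "64-character" minimum above.
    // JJWT also throws WeakKeyException at signWith() for a shorter key; failing at startup is clearer.
    static SecretKey keyFromSecret(String secret) {
        byte[] bytes = secret.getBytes(StandardCharsets.UTF_8);
        if (bytes.length < 64) {
            throw new IllegalStateException("JWT_SECRET must be at least 64 bytes for HS512, got " + bytes.length);
        }
        return Keys.hmacShaKeyFor(bytes); // 64+ bytes -> HmacSHA512 key
    }
    // Issue a short-lived token carrying the RBAC role; the 15-minute lifetime is an assumption.
    static String issue(SecretKey key, String subject, String role) {
        Instant now = Instant.now();
        return Jwts.builder()
                .setSubject(subject)
                .claim("role", role)
                .setIssuedAt(Date.from(now))
                .setExpiration(Date.from(now.plusSeconds(900)))
                .signWith(key, SignatureAlgorithm.HS512)
                .compact();
    }
    // Verify signature and expiry; tampering, a wrong key or an expired token throws a JwtException.
    static Claims verify(SecretKey key, String token) {
        return Jwts.parserBuilder().setSigningKey(key).build().parseClaimsJws(token).getBody();
    }

    public static void main(String[] args) {
        // Constructed sample values, not real secrets: one too short, one meeting the minimum.
        String weak = "change-me";
        String strong = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";
        try {
            keyFromSecret(weak);
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        SecretKey key = keyFromSecret(strong);
        String token = issue(key, "client-42", "MCP_CLIENT");
        Claims claims = verify(key, token);
        System.out.println("verified subject=" + claims.getSubject() + " role=" + claims.get("role"));
    }
}
```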
- GitHub Issues: For general security questions (non-vulnerabilities)
- GitHub Security Advisories: For coordinated vulnerability disclosure
- Email: For private security reports (see repository owner profile)
- ARCHITECTURE.md - Security Layer documentation
- CHATHANDLER_README.md - Authentication examples
- BUSINESS_CAPABILITIES.md - Enterprise Security & Compliance capability