docs: SECURITY.md ( Fixes #12 )

StartAutomating · StartAutomating · commit a748a6e75175 · 2024-11-27T08:05:20.000Z
diff --git a/docs/SECURITY.md b/docs/SECURITY.md
@@ -0,0 +1,19 @@
+# Security
+
+We take security seriously.  If you believe you have discovered a vulnerability, please [file an issue](https://github.com/PowerShellWeb/WebSocket/issues).
+
+## Special Security Considerations
+
+WebSockets are not inherantly dangerous, but what comes out of them might well be.
+
+In order to avoid data poisoning attacks, please _never_ directly run any code from the internet that you do not trust.
+
+Please also assume all WebSockets are untrustworthy.
+
+There are a few easy ways to do this.
+
+WebSocket responses should never:
+
+1. Be piped into `Invoke-Expression`
+2. Be expanded with `.ExpandString`
+3. Be directly placed into a `SQL` query
