We actively maintain and provide security updates for the following versions:
| Version | Supported |
|---|---|
| 0.6.x | ✅ |
| < 0.6 | ❌ |
This library implements several security features to protect sensitive financial data:
PINs and TANs are automatically masked in debug output to prevent accidental exposure in logs:
- Debug logging masks all credentials with `***MASKED***`
- Request serialization for transmission still contains actual credentials (required for authentication)
- Never log the raw request object or configuration containing credentials
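The library's masking only covers its own debug output; anything the application logs itself (its configuration object, a request it built, an object attached to an error) is the application's responsibility. The following helper is an added example, not code from the library: it produces a redacted deep copy of any object before that object is handed to a logger, masking properties by name. The key pattern, the helper name `redactCredentials` and the sample configuration (dummy values) are assumptions made for this illustration.

```typescript
// Added example, not code from the library: redact credential-bearing
// properties from an object before handing it to a logger. The key pattern,
// the helper name and the sample configuration are assumptions for this
// illustration; the sample values are dummies, not real credentials.

const SECRET_KEY_PATTERN = /^(pin|tan|password|secret|token)$/i;
const MASK = "***MASKED***";

/**
 * Returns a deep copy of `value` with every property whose name looks like a
 * credential replaced by MASK. The input is never mutated, so the unredacted
 * object can still be passed to the client; only the copy goes to the log.
 * `ancestors` guards against cycles so a self-referencing object cannot cause
 * unbounded recursion.
 */
function redactCredentials<T>(value: T, ancestors: Set<object> = new Set()): T {
  if (value === null || typeof value !== "object") {
    return value; // strings, numbers, booleans, undefined pass through unchanged
  }
  const obj = value as unknown as object;
  if (ancestors.has(obj)) {
    return "[Circular]" as unknown as T;
  }
  ancestors.add(obj);
  let result: unknown;
  if (Array.isArray(obj)) {
    result = obj.map((item) => redactCredentials(item, ancestors));
  } else {
    const copy: Record<string, unknown> = {};
    for (const [key, item] of Object.entries(obj)) {
      // Mask by property name; anything else is recursed into.
      copy[key] = SECRET_KEY_PATTERN.test(key) ? MASK : redactCredentials(item, ancestors);
    }
    result = copy;
  }
  ancestors.delete(obj);
  return result as T;
}

// Constructed sample configuration with dummy values (not real credentials).
const sampleConfig = {
  url: "https://fints.example.test/fints",
  name: "user123",
  pin: "24680",
  blz: "12345678",
  debug: true,
  tanMethods: [{ tan: "135791", label: "push" }],
};

// Only the redacted copy reaches the console; sampleConfig itself is unchanged.
console.log(JSON.stringify(redactCredentials(sampleConfig), null, 2));
```

Redaction by property name is deliberately conservative: it also masks keys such as `password` or `token` that this library does not use, so the same helper can sit in front of a general-purpose logger. It does not catch a credential that appears inside a free-text value, which is why error messages need value-based scrubbing as well.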
We regularly update dependencies and have replaced potentially insecure libraries:
- `yaml` instead of `yamljs` (more secure, actively maintained)
- All dependencies are regularly audited for known vulnerabilities
- TypeScript and build tools kept up-to-date
Always use HTTPS URLs for FinTS endpoints to ensure:
- Encrypted communication
- Server authentication
- Protection against man-in-the-middle attacks
DO:
- Store credentials in environment variables or secure vaults
- Use secret management services (AWS Secrets Manager, Azure Key Vault, etc.)
- Rotate credentials regularly
- Use unique credentials per application
DON'T:
- Hardcode credentials in source code
- Commit credentials to version control
- Log credentials or configuration objects containing credentials
- Share credentials across multiple applications
The debug option should be used cautiously:
- Development: Can be enabled for troubleshooting
- Production: Should always be disabled
- Debug logs may contain detailed request/response information
```typescript
// Production configuration
const client = new PinTanClient({
  url: process.env.FINTS_URL,
  name: process.env.FINTS_USERNAME,
  pin: process.env.FINTS_PIN,
  blz: process.env.FINTS_BLZ,
  debug: false, // Always false in production
});
```
- Only connect to official bank FinTS endpoints
- Verify SSL/TLS certificates are valid; never disable certificate checking (for example by setting NODE_TLS_REJECT_UNAUTHORIZED=0) to work around a TLS error
- Use the official FinTS institute database to find correct URLs
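The configuration rules above (credentials from the environment, https only, debug off in production, certificate verification never disabled) can be enforced in one place before the client is constructed. The following loader is an added example, not code from the library: the environment variable names follow the configuration snippet, while `loadFintsConfig`, `assertHttpsUrl`, `ConfigError`, `FINTS_DEBUG` and the constructed `demoEnv` (dummy values) are assumptions made for this illustration.

```typescript
// Added example, not code from the library: build PinTanClient options from
// environment variables while enforcing the rules above. Variable names follow
// the configuration snippet; the helper names, FINTS_DEBUG and demoEnv are
// assumptions for this illustration, and demoEnv holds dummy values only.

interface FintsClientOptions {
  url: string;
  name: string;
  pin: string;
  blz: string;
  debug: boolean;
}

type Env = Record<string, string | undefined>;

class ConfigError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "ConfigError";
  }
}

/** Reads a required variable; the error names the variable, never its value. */
function requireVar(env: Env, key: string): string {
  const value = env[key];
  if (value === undefined || value.trim() === "") {
    throw new ConfigError(`Missing required environment variable ${key}`);
  }
  return value;
}

/** Accepts only an https:// URL with a host and without embedded userinfo. */
function assertHttpsUrl(raw: string): string {
  let parsed: URL;
  try {
    parsed = new URL(raw);
  } catch {
    throw new ConfigError("FINTS_URL is not a valid URL");
  }
  if (parsed.protocol !== "https:") {
    throw new ConfigError(`FINTS_URL must use https://, not ${parsed.protocol}`);
  }
  if (parsed.username !== "" || parsed.password !== "") {
    throw new ConfigError("FINTS_URL must not embed credentials");
  }
  return parsed.toString();
}

function loadFintsConfig(env: Env): FintsClientOptions {
  // Refuse to start if certificate verification has been switched off
  // process-wide; a validated chain is what makes the https requirement matter.
  if (env.NODE_TLS_REJECT_UNAUTHORIZED === "0") {
    throw new ConfigError("TLS certificate verification is disabled (NODE_TLS_REJECT_UNAUTHORIZED=0)");
  }
  const blz = requireVar(env, "FINTS_BLZ");
  if (!/^\d{8}$/.test(blz)) {
    throw new ConfigError("FINTS_BLZ must be an 8-digit bank code");
  }
  // Debug output is opt-in outside production and never enabled inside it.
  const debug = env.NODE_ENV !== "production" && env.FINTS_DEBUG === "true";
  return {
    url: assertHttpsUrl(requireVar(env, "FINTS_URL")),
    name: requireVar(env, "FINTS_USERNAME"),
    pin: requireVar(env, "FINTS_PIN"),
    blz,
    debug,
  };
}

// Constructed environment with dummy values; a real process would pass process.env.
const demoEnv: Env = {
  NODE_ENV: "production",
  FINTS_URL: "https://fints.example.test/fints",
  FINTS_USERNAME: "user123",
  FINTS_PIN: "24680",
  FINTS_BLZ: "12345678",
  FINTS_DEBUG: "true", // requested, but ignored because NODE_ENV=production
};

const options = loadFintsConfig(demoEnv);
// Pass `options` to `new PinTanClient(options)`; log only the non-secret fields.
console.log("FinTS endpoint:", options.url, "BLZ:", options.blz, "debug:", options.debug);
```

Every `ConfigError` message names a variable or a rule but never echoes a value, so the loader's own failures are safe to log. Rejecting `NODE_TLS_REJECT_UNAUTHORIZED=0` at startup turns the "verify certificates" rule into a hard failure rather than a silent downgrade.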
Handle errors carefully to avoid leaking sensitive information: a caught error may carry details of the request that produced it, and a message may echo values from that request.
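One way to apply that rule in application code, as an added example that is not part of the library: reduce any thrown value to a name and a message, and scrub every known secret value out of the message before it is logged. The names `toSafeError`, `SafeError` and `fetchAccountsSafely`, the stub client shape, and the sample error text (which deliberately echoes a dummy PIN) are constructed for this illustration.

```typescript
// Added example, not code from the library: turn any thrown value into a
// loggable record that carries only a name and a message, with every known
// secret value masked out of the message. The helper names, the stub client
// shape and the sample error text are assumptions for this illustration.

interface SafeError {
  name: string;
  message: string;
}

const MASKED = "***MASKED***";

function escapeRegExp(text: string): string {
  return text.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

/**
 * Keeps only name and message (no stack, no attached request or response
 * objects reach the log) and masks each secret value wherever it appears in
 * the message text. Non-Error throwables are summarised by type so that an
 * arbitrary thrown object cannot smuggle data into the log either.
 */
function toSafeError(thrown: unknown, secrets: readonly string[]): SafeError {
  const name = thrown instanceof Error ? thrown.name : "NonError";
  let message: string;
  if (thrown instanceof Error) {
    message = thrown.message;
  } else if (typeof thrown === "string") {
    message = thrown;
  } else {
    message = `non-Error value of type ${typeof thrown}`;
  }
  for (const secret of secrets) {
    if (secret.length === 0) {
      continue; // an empty pattern would match everywhere
    }
    message = message.replace(new RegExp(escapeRegExp(secret), "g"), MASKED);
  }
  return { name, message };
}

// Usage mirroring the accounts() pattern: log the sanitised record, never `error`.
async function fetchAccountsSafely(
  client: { accounts(): Promise<unknown> },
  secrets: readonly string[],
): Promise<unknown> {
  try {
    return await client.accounts();
  } catch (error) {
    const safe = toSafeError(error, secrets);
    console.error("Failed to fetch accounts:", safe.name, safe.message);
    throw new Error(safe.message); // rethrow the sanitised form only
  }
}

// Constructed error that echoes a credential back, as a failed dialog might.
const demoPin = "24680";
const demoError = new Error(`Dialog initialisation rejected for user123 with PIN ${demoPin}`);
console.log(toSafeError(demoError, [demoPin]));
```

Pass the PIN and any TAN currently in use as `secrets`; masking by value catches a credential that was interpolated into free text, which masking by property name cannot do.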
```typescript
try {
  const accounts = await client.accounts();
} catch (error) {
  // ❌ Don't log the full error, which might contain request details
  console.error("Full error:", error);
  // ✅ Log only safe error information
  const message = error instanceof Error ? error.message : "unknown error";
  console.error("Failed to fetch accounts:", message);
}
```
We take security vulnerabilities seriously. If you discover a security issue, please follow these steps:
Public disclosure of security vulnerabilities before a fix is available puts all users at risk.
Report vulnerabilities privately using one of these methods:
- Create a security advisory through GitHub's Security tab
- Or contact the maintainers through other private channels
Please provide:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if available)
We aim to:
- Acknowledge receipt within 48 hours
- Provide an initial assessment within 1 week
- Release a fix as quickly as possible (depends on severity)
- Credit reporters (unless anonymity is requested)
Security updates are released as:
- Patch versions for minor fixes (e.g., 0.6.1)
- Minor versions for larger changes (e.g., 0.7.0)
We recommend:
- Subscribe to repository notifications
- Regularly update to the latest version
- Review release notes for security-related changes
We follow responsible disclosure practices:
- Security issues are fixed privately
- A patch is prepared and tested
- A security advisory is published
- The fix is released
- Full details are disclosed after users have had time to update
Thank you for helping keep this library and its users secure!