Only the latest released version of KtorMonitor is actively supported with security updates.
| Version | Supported |
|---|---|
| latest | ✅ |
| older | ❌ |
If you discover a security vulnerability in KtorMonitor, please do not open a public GitHub issue.
Instead, report it privately using one of the following methods:
- GitHub Private Vulnerability Reporting: Use the Security Advisory feature on GitHub to submit a private report.
- Email: Send details to the maintainer at the email address listed on the GitHub profile.
Please provide as much of the following information as possible to help us understand and resolve the issue quickly:
- A description of the vulnerability and its potential impact.
- The affected module(s) (e.g., `ktor-monitor-core`, `ktor-monitor-logging`, `ktor-monitor-okhttp-interceptor`, `ktor-monitor-http4k-filter`).
- Steps to reproduce or a proof-of-concept.
- The version(s) of KtorMonitor affected.
- Any suggested mitigation or fix, if available.
- We will acknowledge receipt of your report within 72 hours.
- We will investigate the issue and keep you informed of our progress.
- Once a fix is ready, we will coordinate a release and give credit to the reporter (unless you prefer to remain anonymous).
- A public security advisory will be published after the fix is released.
This security policy covers all published library modules under the `ro.cosminmihu.ktor` group:
- `ktor-monitor-core`
- `ktor-monitor-core-no-op`
- `ktor-monitor-logging`
- `ktor-monitor-logging-no-op`
- `ktor-monitor-okhttp-interceptor`
- `ktor-monitor-okhttp-interceptor-no-op`
- `ktor-monitor-http4k-filter`
- `ktor-monitor-http4k-filter-no-op`
Sample applications and documentation are out of scope.
KtorMonitor is a debugging and development tool. It is designed to intercept and display HTTP traffic, which by nature includes potentially sensitive data (headers, request/response bodies, authentication tokens, etc.).
Important recommendations:
- Never use KtorMonitor in production builds. Use the `*-no-op` artifacts (e.g., `ktor-monitor-logging-no-op`) for release/production builds. These are ABI-compatible but perform no interception or storage.
- All intercepted data is stored locally in an SQLite database on the device/machine; it is never transmitted externally by this library.
- Retained call data can be cleared at any time from the KtorMonitor UI.
- Limit the `retentionPeriod` and `maxContentLength` settings to reduce the amount of sensitive data stored on the device.
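An added example (not code from the KtorMonitor project) of the build-type split the first recommendation describes, for an Android app module using the Gradle Kotlin DSL; the `app` module name and the version placeholder are assumptions, while the group and artifact names are the ones this policy lists.

```kotlin
// build.gradle.kts of the Android app module (added example, not from the KtorMonitor project).
// Group and artifact names are the ones this policy lists; the version is a placeholder.
val ktorMonitorVersion = "<KTOR_MONITOR_VERSION>"

dependencies {
    // Debug builds get the real interceptor, which stores intercepted traffic locally.
    debugImplementation("ro.cosminmihu.ktor:ktor-monitor-logging:$ktorMonitorVersion")

    // Release builds get the ABI-compatible no-op artifact: same API surface,
    // so application code compiles unchanged, but nothing is intercepted or stored.
    releaseImplementation("ro.cosminmihu.ktor:ktor-monitor-logging-no-op:$ktorMonitorVersion")
}
```

After syncing, check that only the `-no-op` artifact reaches the release classpath with `./gradlew :app:dependencies --configuration releaseRuntimeClasspath`; the plain `ktor-monitor-logging` artifact should not appear in that output.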
KtorMonitor is licensed under the Apache License 2.0.