Please do not open a public GitHub issue for security vulnerabilities.
Instead, report them privately via GitHub's private vulnerability reporting ("Report a vulnerability" under the repository's Security tab), or by emailing the maintainer.
Please include steps to reproduce and the affected version/commit. You can expect an initial response within a few days.
- tg-feed runs as a Telegram userbot on a dedicated account. Treat
TG_SESSION_STRING,TG_SESSION_ENCRYPTION_KEY,SESSION_SECRET,WEB_PASSWORD, andTG_BOT_TOKENas secrets — never commit them..envis gitignored by default. - The web UI is password- or Telegram-login gated and is intended to be deployed behind a TLS-terminating reverse proxy (Telegram Mini Apps require HTTPS).