If you discover a security vulnerability in this plugin, please do not open a public GitHub issue.
Instead, please report it responsibly by emailing the maintainers directly or using GitHub's private vulnerability reporting.

Please include in your report:

- A description of the vulnerability
- Steps to reproduce the issue
- The potential impact
- Any suggested fixes (if you have them)

What to expect:

- We will acknowledge receipt within 48 hours
- We will provide an initial assessment within 1 week
- We will work with you to understand and resolve the issue before any public disclosure
This plugin injects Server-Timing headers that expose server-side timing information. By default, the plugin is *disabled in production* to mitigate the risk of timing attacks.
If you enable the plugin in production, be aware that:
- Timing data may help attackers infer information about server-side operations (e.g., whether a database lookup found a record)
- Cross-origin access to `Server-Timing` data requires the `Timing-Allow-Origin` header, which this plugin does not set automatically
See the W3C Server Timing Security Considerations for more details.
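The following is an added example, not the plugin's own code, showing how an application could wrap the two caveats above: emit `Server-Timing` in production only on explicit opt-in, coarsen durations so hit/miss differences leak less, and send `Timing-Allow-Origin` only for an allowlisted request origin rather than `*`. The allowlist, the `env`/`enableInProduction`/`quantizeMs` options and the metric shape are assumptions for illustration.

```javascript
// Added example (not the plugin's own code). Decides which timing-related
// response headers, if any, an app should add for a given request.

// Constructed allowlist: origins permitted to read Server-Timing cross-origin.
const TRUSTED_ORIGINS = new Set(['https://app.example.com']);

// Serialise one metric in Server-Timing syntax: name;dur=<ms>;desc="<text>".
function formatMetric(metric, quantizeMs) {
  // Quantise durations to multiples of quantizeMs so fine-grained differences
  // (e.g. a database hit vs. a miss) are harder to distinguish from the header.
  const dur = Math.round(metric.dur / quantizeMs) * quantizeMs;
  let entry = `${metric.name};dur=${dur}`;
  if (metric.desc) {
    // Strip quotes, backslashes and line breaks so desc cannot break the value.
    const desc = String(metric.desc).replace(/["\\\r\n]/g, '');
    entry += `;desc="${desc}"`;
  }
  return entry;
}

// Returns the headers to add to the response (an empty object means none).
// env: deployment environment string; requestOrigin: the request's Origin
// header (or undefined); metrics: [{ name, dur, desc? }] collected server-side.
function serverTimingHeaders({
  env, requestOrigin, metrics, enableInProduction = false, quantizeMs = 1,
}) {
  const headers = {};
  if (env === 'production' && !enableInProduction) {
    return headers; // mirrors the plugin default: no timing data in production
  }
  headers['Server-Timing'] = metrics
    .map((m) => formatMetric(m, quantizeMs))
    .join(', ');
  // Timing-Allow-Origin is required for cross-origin readers. Never send '*';
  // echo only an allowlisted Origin and mark the response as varying on it.
  if (requestOrigin && TRUSTED_ORIGINS.has(requestOrigin)) {
    headers['Timing-Allow-Origin'] = requestOrigin;
    headers['Vary'] = 'Origin';
  }
  return headers;
}
```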
| Version | Supported |
|---|---|
| 0.x (latest) | Yes |