feat: Settings hub, automation API, bundled docs, npm migration

.snyk

@@ -0,0 +1,15 @@
+# Snyk policy — accepted risks, false positives, and paths excluded from Snyk Code.
+version: v1.25.1
+ignore:
+  SNYK-JS-EXPRESSFILEUPLOAD-2635697:
+    - "*":
+        reason: No patched express-fileupload release; upload hardened in backend/app.js (limits, safeFileNames).
+        created: 2026-06-03T00:00:00.000Z
+        expires: 2027-06-03T00:00:00.000Z
+  SNYK-JS-EXPRESSFILEUPLOAD-2635946:
+    - "*":
+        reason: No patched express-fileupload release; upload hardened in backend/app.js (limits, safeFileNames).
+        created: 2026-06-03T00:00:00.000Z
+        expires: 2027-06-03T00:00:00.000Z
+exclude: {}
+patch: {}

README.md

@@ -35,6 +35,9 @@ so that the barrier to entry here is low.
 - Access Lists and basic HTTP Authentication for your hosts
 - Advanced Nginx configuration available for super users
 - User management, permissions, and audit log
+- **Credential vault** on the `/data` volume (encrypted DNS API tokens, optional external stores via OIDC)
+- **Automation API** (API keys, async certificate jobs, signed webhooks) — see [docs](docs/src/advanced/automation-api.md)
+- **Settings** UI for DNS credentials, external credential stores, API keys, and webhooks (see [SECURITY.md](SECURITY.md) for reporting vulnerabilities)
 
 ::: warning
 `armv7` is no longer supported in version 2.14+. This is due to Nodejs dropping support for armhf. Please
@@ -74,6 +77,8 @@ services:
 
 This is the bare minimum configuration required. See the [documentation](https://nginxproxymanager.com/setup/) for more.
 
+**Important:** Mount `./data:/data` so the credential vault, encryption keys, and automation settings persist across container restarts. Optional: set `NPM_SECRETS_ENCRYPTION_KEY` (32+ bytes, base64) to control encryption instead of the auto-generated key under `/data/keys/`.
+
 3. Bring up your stack by running
 
 ```bash

SECURITY.md

@@ -2,8 +2,7 @@
 
 ## Supported Versions
 
-Only the latest stable release receives security updates.
-Older versions are not actively maintained.
+Only the latest stable release receives security updates. Older versions are not actively maintained.
 
 | Version | Supported |
 | ------- | --------- |
@@ -19,12 +18,57 @@ See all releases: https://github.com/NginxProxyManager/nginx-proxy-manager/relea
 **Do NOT open a public GitHub Issue to report a security vulnerability.**
 
 Use GitHub's private vulnerability reporting:
+
 https://github.com/NginxProxyManager/nginx-proxy-manager/security/advisories/new
 
 Please include:
+
 - Affected version (Docker image tag or release)
 - Description of the vulnerability
 - Steps to reproduce
 - Potential impact
 
 Once a fix is available, a public GitHub Security Advisory will be published.
+
+## Dependency and code scanning
+
+Maintainers may use [Snyk](https://snyk.io/) for SCA and SAST. Policy exceptions and documented false positives live in [`.snyk`](.snyk).
+
+Local checks (from repo root):
+
+```bash
+cd frontend && npm ci && npm audit
+cd ../backend && npm ci && npm audit
+cd ../test && npm ci && npm audit
+cd ../docs && npm ci && npm audit
+```
+
+## Known accepted risks
+
+| Item | Mitigation |
+|------|------------|
+| `express-fileupload@1.5.2` (no patched release) | Upload middleware limited in [`backend/app.js`](backend/app.js): `limits.fileSize`, `abortOnLimit`, `safeFileNames`, `preserveExtension`. Documented in `.snyk`. |
+| Bundled docs iframe (`/documentation`) | Only allowlisted `?section=` keys map to VitePress paths under `/docs/`; iframe uses `sandbox`. |
+
+Revisit `.snyk` entries when dependencies ship fixes or when mitigations change.
+
+## Deployment and secrets hygiene
+
+- Mount **`/data`** persistently so encryption keys and the credential vault survive restarts.
+- Prefer **`NPM_SECRETS_ENCRYPTION_KEY`** (32-byte value, base64) in production instead of the auto-generated key under `/data/keys/`.
+- Do not commit SSH keys, vault tokens, or API keys in the repository.
+- Restrict admin port **81** to trusted networks; use strong passwords, 2FA, and scoped **API keys** for automation.
+- Automation tokens (`npmak_…`) are shown once at creation; treat them like passwords.
+
+## Secure development
+
+- Package management uses **npm** and `package-lock.json`.
+- JSON API routes return structured JSON via `res.json()` to avoid accidental HTML reflection.
+- Production error responses do not include stack traces unless debug mode is enabled.
+- OpenAPI operation descriptions are maintained in [`backend/schema/scripts/operation-descriptions.json`](backend/schema/scripts/operation-descriptions.json); regenerate the docs OpenAPI bundle after schema changes ([`docs/README.md`](docs/README.md)).
+
+## Related documentation
+
+- [Automation API](docs/src/advanced/automation-api.md) — API keys, webhooks, credential vault
+- [Advanced configuration](docs/src/advanced-config/index.md) — `/data` volume and encryption
+- In-app help: **Settings** → DNS credentials, external stores, API keys, webhooks (`/settings?tab=…`; `/credentials` redirects to DNS credentials)

backend/app.js

@@ -12,7 +12,14 @@ import mainRoutes from "./routes/main.js";
  * App
  */
 const app = express();
-app.use(fileUpload());
+app.use(
+	fileUpload({
+		limits: { fileSize: 50 * 1024 * 1024 },
+		abortOnLimit: true,
+		safeFileNames: true,
+		preserveExtension: true,
+	}),
+);
 app.use(bodyParser.json());
 app.use(bodyParser.urlencoded({ extended: true }));
 
@@ -71,7 +78,7 @@ app.use((err, req, res, _) => {
 		payload.error.message_i18n = err.message_i18n;
 	}
 
-	if (isDebugMode() || (req.baseUrl + req.path).includes("nginx/certificates")) {
+	if (isDebugMode()) {
 		payload.debug = {
 			stack: typeof err.stack !== "undefined" && err.stack ? err.stack.split("\n") : null,
 			previous: err.previous,
@@ -86,7 +93,7 @@ app.use((err, req, res, _) => {
 		}
 	}
 
-	res.status(err.status || 500).send(payload);
+	res.status(err.status || 500).json(payload);
 });
 
 export default app;

backend/internal/api-key.js

@@ -0,0 +1,120 @@
+import crypto from "node:crypto";
+import bcrypt from "bcrypt";
+import apiKeyModel from "../models/api_key.js";
+import now from "../models/now_helper.js";
+import errs from "../lib/error.js";
+import utils from "../lib/utils.js";
+import internalAuditLog from "./audit-log.js";
+
+const omissions = () => ["is_deleted", "key_hash", "key_prefix"];
+
+const hashApiKey = (rawKey) => bcrypt.hash(rawKey, 13);
+const verifyApiKey = (rawKey, hash) => bcrypt.compare(rawKey, hash);
+
+const internalApiKey = {
+	create: async (access, data) => {
+		await access.can("api_keys:create", data);
+
+		const prefix = crypto.randomBytes(4).toString("hex");
+		const secret = crypto.randomBytes(24).toString("base64url");
+		const rawKey = `npmak_${prefix}_${secret}`;
+		const keyHash = await hashApiKey(rawKey);
+
+		const row = await apiKeyModel.query().insertAndFetch({
+			name: data.name,
+			key_prefix: prefix,
+			key_hash: keyHash,
+			owner_user_id: access.token.getUserId(1),
+			permissions: data.permissions || {},
+			expires_on: data.expires_on || null,
+		});
+
+		const result = utils.omitRow(omissions())(row);
+		result.key = rawKey;
+
+		await internalAuditLog.add(access, {
+			action: "created",
+			object_type: "api-key",
+			object_id: row.id,
+			meta: { name: row.name },
+		});
+
+		return result;
+	},
+
+	getAll: async (access) => {
+		await access.can("api_keys:list");
+		return apiKeyModel
+			.query()
+			.where("is_deleted", 0)
+			.orderBy("name", "ASC")
+			.then(utils.omitRows(omissions()));
+	},
+
+	delete: async (access, data) => {
+		await access.can("api_keys:delete", data.id);
+		const row = await apiKeyModel
+			.query()
+			.where("id", data.id)
+			.andWhere("is_deleted", 0)
+			.first();
+
+		if (!row) {
+			throw new errs.ItemNotFoundError(data.id);
+		}
+
+		await apiKeyModel.query().patchAndFetchById(row.id, { is_revoked: 1, is_deleted: 1 });
+
+		await internalAuditLog.add(access, {
+			action: "deleted",
+			object_type: "api-key",
+			object_id: row.id,
+			meta: { name: row.name },
+		});
+
+		return true;
+	},
+
+	/**
+	 * @param {string} rawKey
+	 */
+	authenticate: async (rawKey) => {
+		if (!rawKey?.startsWith("npmak_")) {
+			throw new errs.AuthError("Invalid API key");
+		}
+
+		const parts = rawKey.split("_");
+		if (parts.length < 3) {
+			throw new errs.AuthError("Invalid API key");
+		}
+
+		const prefix = parts[1];
+		const row = await apiKeyModel
+			.query()
+			.where("key_prefix", prefix)
+			.andWhere("is_deleted", 0)
+			.andWhere("is_revoked", 0)
+			.first();
+
+		if (!row) {
+			throw new errs.AuthError("Invalid API key");
+		}
+
+		if (row.expires_on && new Date(row.expires_on) < new Date()) {
+			throw new errs.AuthError("API key expired");
+		}
+
+		const valid = await verifyApiKey(rawKey, row.key_hash);
+		if (!valid) {
+			throw new errs.AuthError("Invalid API key");
+		}
+
+		await apiKeyModel.query().patchAndFetchById(row.id, {
+			last_used_at: now(),
+		});
+
+		return row;
+	},
+};
+
+export default internalApiKey;

backend/internal/audit-log.js

@@ -1,4 +1,5 @@
 import errs from "../lib/error.js";
+import { scrubAuditMeta } from "../lib/secrets/scrub.js";
 import { castJsonIfNeed } from "../lib/helpers.js";
 import auditLogModel from "../models/audit-log.js";
 
@@ -94,7 +95,7 @@ const internalAuditLog = {
 			action: data.action,
 			object_type: data.object_type || "",
 			object_id: data.object_id || 0,
-			meta: data.meta || {},
+			meta: scrubAuditMeta(data.meta || {}),
 		});
 	},
 };