I agree with you, therefore I also need contributors for that. It is difficult to run this on my own, as I have the basics in coding but I am not a tester, so I have to use an agentic workflow to check the code after it was generated, so it is not just like hiding sh*t.
sealed auth/recovery/reset/flash cookies
no auth or recovery secrets in URLs or JSON
POST + CSRF logout
basic browser security headers
CodeQL, gosec, Trivy, and SBOM in CI
What’s still missing is a strict CSP. That’s not a one-line switch here because the current frontend still needs some refactoring first.
I agree, though there is a difference between the case you provided and mine. It is a human-directed work. Thousands of libraries, Kubernetes included, are still alive and the license is still valid.
Thanks for the suggestions, those are good points.
CSP is something I plan to tighten over time, but enabling a strict policy right now would require refactoring some inline JS patterns used in the templates. It’s definitely on the roadmap as part of security hardening.
Regarding CORS, the application currently runs as a same-origin server-rendered app rather than a cross-origin API, so CORS headers aren’t enabled by default. If external clients or integrations are added in the future, I’d likely introduce a restricted allowlist for specific API routes.
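The two comments above describe a roadmap (a nonce-based strict CSP once the inline JS in the templates is refactored, and a restricted CORS allowlist limited to specific API routes if external clients ever appear). The following is an added illustration of what that looks like in Go middleware; it is not Ovumcy's code, and every name in it (SecurityHeaders, CORSAllowlist, PageHandler, the allowed origin) is hypothetical. It shows the concrete refactor a strict policy forces: the inline script survives, but tagged with a per-request nonce instead of relying on `'unsafe-inline'`, and CORS headers are only ever echoed back for an exact-match origin, never `*`.

```go
package main

import (
	"context"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"log"
	"net/http"
	"strings"
)

// Added example, not the project's code. All identifiers are hypothetical.

type ctxKey int

const nonceKey ctxKey = iota

// newNonce returns 128 bits of CSPRNG output, base64-encoded (no quotes or
// spaces, so it is safe inside both the header and a template attribute).
func newNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(b), nil
}

// StrictCSP builds a nonce-based policy: no 'unsafe-inline', so only
// <script nonce=...> blocks rendered with this request's nonce may execute.
func StrictCSP(nonce string) string {
	return strings.Join([]string{
		"default-src 'self'",
		"script-src 'self' 'nonce-" + nonce + "'",
		"style-src 'self'",
		"object-src 'none'",
		"base-uri 'self'",
		"frame-ancestors 'none'",
		"form-action 'self'",
	}, "; ")
}

// ExtractNonce pulls the nonce back out of a policy string ("" if absent).
func ExtractNonce(csp string) string {
	const marker = "'nonce-"
	i := strings.Index(csp, marker)
	if i < 0 {
		return ""
	}
	rest := csp[i+len(marker):]
	j := strings.IndexByte(rest, '\'')
	if j < 0 {
		return ""
	}
	return rest[:j]
}

// SecurityHeaders sets baseline browser headers plus a fresh CSP nonce per
// request, and passes the nonce to downstream handlers via the context.
func SecurityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		nonce, err := newNonce()
		if err != nil {
			http.Error(w, "internal error", http.StatusInternalServerError)
			return
		}
		h := w.Header()
		h.Set("Content-Security-Policy", StrictCSP(nonce))
		h.Set("X-Content-Type-Options", "nosniff")
		h.Set("Referrer-Policy", "no-referrer")
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), nonceKey, nonce)))
	})
}

// NonceFrom returns the nonce SecurityHeaders stored for this request.
func NonceFrom(r *http.Request) string {
	n, _ := r.Context().Value(nonceKey).(string)
	return n
}

// PageHandler is the template refactor a strict CSP requires: the inline
// script stays, but carries the request nonce instead of needing 'unsafe-inline'.
func PageHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprintf(w, "<!doctype html><title>cycle</title>"+
		"<script nonce=%q>document.title = 'ready';</script>", NonceFrom(r))
}

// CORSAllowlist is a restricted allowlist for specific API routes: headers are
// emitted only for listed origins, and preflights from anyone else get 403.
func CORSAllowlist(allowed map[string]bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if origin != "" && allowed[origin] {
			h := w.Header()
			h.Set("Access-Control-Allow-Origin", origin) // echo the exact match, never "*"
			h.Add("Vary", "Origin")                      // keep caches from mixing origins
			h.Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
			h.Set("Access-Control-Allow-Headers", "Content-Type, X-CSRF-Token")
			if r.Method == http.MethodOptions {
				w.WriteHeader(http.StatusNoContent)
				return
			}
		} else if r.Method == http.MethodOptions && origin != "" {
			http.Error(w, "origin not allowed", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Hypothetical wiring: the allowlist only wraps /api/, the HTML route stays same-origin.
	api := CORSAllowlist(map[string]bool{"https://app.example.org": true},
		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			fmt.Fprint(w, `{"ok":true}`)
		}))
	mux := http.NewServeMux()
	mux.Handle("/api/", api)
	mux.HandleFunc("/", PageHandler)
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", SecurityHeaders(mux)))
}
```

The point of the nonce is that it changes on every response, so a rendered page never contains a reusable secret, and any inline script the template did not tag (including injected ones) is blocked by the browser. The allowlist deliberately does not set `Access-Control-Allow-Credentials`; if cookie-authenticated cross-origin calls are ever needed, that flag must only be combined with an exact-origin echo like the one above, since browsers reject it together with `*`.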
I use Android, my wife uses iOS. So many things that are on F-Droid are simply unavailable to her (yes, I tried to convince her to come over to our side). So I searched for living projects built around the self-hosting idea, did not find one, and decided to create one. I have a CS background, though my professional work today is mostly in finance as a senior analyst, where I write code to automate and optimize workflows. Ovumcy started as a personal project exploring a self-hosted approach to cycle tracking.
Yes, I’m aware of those apps. They’re great local-first mobile trackers. Ovumcy explores a slightly different approach - a self-hosted web app that can run on infrastructure you control and be accessed from multiple devices.
It is a great project; mine is not a replacement, but a slightly different approach. It's a self-hosted web application that you run on infrastructure you control and access from multiple devices. In Drip you can export or import data, but this step is the price you pay for privacy. Mine offers privacy, but from a different perspective.
You can see that I use some metrics, like test coverage, estimates and so on, to prove its validity as a potentially serious project that will grow from a pet one.
Spanish released