Worth to say, that this is an ongoing development, this is not even version 1, v 0.3.1

No, we didn’t ship it without security hardening.

We already hardened the main sensitive parts:

sealed auth/recovery/reset/flash cookies no auth or recovery secrets in URLs or JSON POST + CSRF logout basic browser security headers CodeQL, gosec, Trivy, and SBOM in CI What’s still missing is a strict CSP. That’s not a one-line switch here because the current frontend still needs some refactoring first.

No-no, you run your VPS and deploy it there. So you define your storage, it can be homeVPS

I agree, though there is a difference in case you rovided and mine. It is a human-directed work. Thousands of libraries, Kubernetes, Kubernetes still live and license is valid.

Thanks for the suggestions, those are good points.

CSP is something I plan to tighten over time, but enabling a strict policy right now would require refactoring some inline JS patterns used in the templates. It’s definitely on the roadmap as part of security hardening.

Regarding CORS, the application currently runs as a same-origin server-rendered app rather than a cross-origin API, so CORS headers aren’t enabled by default. If external clients or integrations are added in the future, I’d likely introduce a restricted allowlist for specific API routes.

I use Android, my wife - iOS. So many things that on F-Droid are simply unavailable to her (yes, I tried to convince her to go to our side). So I searched for living projects with self-hosting idea, did not find one and decided to create one. I have a CS background, though my professional work today is mostly in finance as a senior analyst where I write code to automate and optimize workflows. Ovumcy started as a personal project exploring a self-hosted approach to cycle tracking.

Yes, I’m aware of those apps. They’re great local-first mobile trackers. Ovumcy explores a slightly different approach - a self-hosted web app that can run on infrastructure you control and be accessed from multiple devices.

I see that we face it all over the world now.

As a non-native speaker, I had to use LLM to get that joke)

It is a greap project, mine is not a replacement, but a little bit different approach. It’s a self-hosted web application that you run on infrastructure you control and access from multiple devices. In Drip you can export or import data, but this step is a payment for privacy. Mine offers privacy but from a different perspective.

You can see that I use some of metrics, like test coverage, estimates and so on to prove its validation as potentially serious project, that will grow from a pet one.

Partially agree, but I do know how to code and use it as a tool.

Appreciate that!

Ovumcy isn’t trying to replace them. The idea here is to explore a self-hosted, web-based approach that focuses on running the app on infrastructure you control, with simple deployment and cross-device access through the browser.

Different tools optimize for different things. Native apps like Drip or Mensinator are great for fully local tracking, while Ovumcy explores a self-hosted model that can be accessed from multiple devices without relying on a third-party service.

I answered earlier, that I use AI and this is just a commit skill for an agent.

Well, not stealing, being inspired)

The benefit over a purely local app is mainly cross-device access and easier syncing/backups, while still avoiding a third-party service storing your data.

I do use AI tools while developing this project, but I also have a BSc in Computer Science. AI is a productivity tool.

Security is something I take seriously, especially since the project deals with health data. All code has test and you’re welcome to inspect the repository yourself or point out any specific security concerns if you notice them.

Regarding licensing: the AGPL license applies to the project as a whole regardless of the tools used to write parts of the code.

If you have concrete technical feedback or security issues, I’d genuinely appreciate it.

I like the naming:) and is there any chance to restore access to your account? It looks like it might have a future.

deleted by creator