Security: Committed private keys in `uWebSockets/misc` trigger compliance failures

[segor]

Problem

During a security audit of our dependencies, we identified committed private keys in the repository:

• uWebSockets/misc/cert.pem
• uWebSockets/misc/key.pem

While we understand these are likely used for testing and tooling, committing secrets to version control triggers high-severity alerts in enterprise compliance scanners (e.g., TruffleHog, GitHub Secret Scanning) and violates modern security protocols.

Supporting Standards

• OWASP: The Secrets Management Cheat Sheet explicitly states that secrets should never be stored in version control.
• NIST SP 800-57: Outlines strict requirements for protecting private keys to maintain the integrity of a system's security posture.

Suggested Resolution

We recommend removing these static files from the repository and instead generating them dynamically during the test or build bootstrap phase.

This would resolve compliance flags for all downstream users and align the library with "Secure by Design" industry standards.

Thank you for your work on this library!

[uNetworkingAB]

All examples rely on those self signed certs for a "hit the ground running" experience. I rather trade bureaucratic red tape compliance for a hit the ground running experience. Also, nobody has flagged this for 10+ years.

Fixing this would introduce dependency on openssl CLI, and scripts that can fail for users. It's a bad trade.

Unless you can point towards a gigantic user that MUST remove them, I don't like the proposed trade.

[segor]

Sure, it is up to you decide. We will remove them from our copy of this repo then.

[uNetworkingAB]

It's not a bad idea, I will keep it in mind, esp. if more raise the issue. Generally I don't act on only 1 report when it's a minor thing like this and I don't want to mess around with build scripts right now