Skip to content

fix: Security hardening and HA deployment guide#226

Merged
ZPascal merged 1 commit into
mainfrom
feature/security-ha
Jul 11, 2026
Merged

fix: Security hardening and HA deployment guide#226
ZPascal merged 1 commit into
mainfrom
feature/security-ha

Conversation

@ZPascal

@ZPascal ZPascal commented May 31, 2026

Copy link
Copy Markdown
Owner

Summary

  • Raised bcrypt cost factor from 10 to 12
  • Fixed jsonError to use json.Marshal (prevents unescaped special characters in error responses)
  • Fixed SQL injection pattern in NewTXTValuesInTransaction (parameterized query + prepared statement)
  • Fixed goroutine leak in rate limiter: replaced time.Tick with time.NewTicker + stop() method
  • Hardened CORS default: corsorigins now defaults to [] (deny all cross-origin) instead of ["*"]; extracted buildCORSOptions and added unit tests
  • Added per-IP rate limiting on /register via register_ratelimit config option (default 10/min), documented in the README's Register endpoint and Configuration sections
  • Added a High Availability Deployment section to the README (Prerequisites, DB/instance config, DNS load balancing, HTTP load balancing with Nginx and Apache2 examples, health checks, failure modes, upgrade procedure, security notes)

Test Plan

  • go test -race ./... passes
  • go build ./... builds cleanly
  • POST /register from same IP beyond limit returns 429
  • Different IPs are rate-limited independently
  • corsorigins = [] blocks cross-origin requests by default

@ZPascal
ZPascal changed the base branch from feature/ai-agent-support to main July 6, 2026 06:15
@ZPascal
ZPascal force-pushed the feature/security-ha branch 4 times, most recently from 669145a to 7e5cd75 Compare July 7, 2026 15:26
@ZPascal ZPascal changed the title fix: security hardening and HA deployment guide fix: Security hardening and HA deployment guide Jul 11, 2026
@ZPascal
ZPascal force-pushed the feature/security-ha branch from 903fa50 to d0ed85b Compare July 11, 2026 09:17
Implements adminBearerMiddleware, adminListRecords, adminCreateRecord,
adminUpdateRecord, and adminDeleteRecord HTTP handlers behind Bearer
token auth; adds corresponding tests with DB teardown via t.Cleanup.
@ZPascal
ZPascal force-pushed the feature/security-ha branch from d0ed85b to 1df7f94 Compare July 11, 2026 09:18
@ZPascal
ZPascal merged commit 1b466c6 into main Jul 11, 2026
6 checks passed
@ZPascal
ZPascal deleted the feature/security-ha branch July 11, 2026 09:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant