Harden HTTP defaults and proxy header trust.

Add explicit server timeout/header limits, require trusted proxy CIDRs when honoring forwarded IP headers, and document single-instance storage expectations.

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
2026-05-31 21:09:00 -05:00
parent dbf112a5b7
commit dbb72da312
7 changed files with 246 additions and 27 deletions
+7 -2
View File
@@ -59,8 +59,13 @@ func run(configPath string) error {
go cleanupWorker.Start(ctx)
httpServer := &http.Server{
Addr: cfg.Server.ListenAddr,
Handler: server.Routes(),
Addr: cfg.Server.ListenAddr,
Handler: server.Routes(),
ReadHeaderTimeout: cfg.Server.ReadHeaderTimeoutDur,
ReadTimeout: cfg.Server.ReadTimeoutDur,
WriteTimeout: cfg.Server.WriteTimeoutDur,
IdleTimeout: cfg.Server.IdleTimeoutDur,
MaxHeaderBytes: cfg.Server.MaxHeaderBytes,
}
go func() {