---
description: Security and validation patterns for SteamCache2
---

# Security and Validation Patterns

## Input Validation

- Validate all HTTP request parameters and headers before acting on them
- Canonicalise and validate file paths and cache keys so that `..` segments, percent-encoded traversal sequences and empty segments can never escape the cache directory
- Validate the URL path before any cache lookup or upstream fetch
- Check that Content-Length is a non-negative integer within a configured maximum
- Reject malformed or suspicious requests with a 4xx response instead of trying to repair them

## Cache Key Security

- Derive every cache key from the SHA256 hash of the validated path: the fixed-length digest, not the raw path, names the file, so keys cannot collide or escape the cache directory
- Never include raw user input in a cache key
- Strip query parameters from URLs before hashing, so the same object requested with different query strings maps to one entry
- Prefix keys with the service name so entries from different services cannot collide or be read across services
- Validate the format and length of every key (service prefix plus fixed-length hex digest) before it is used to open a file

## Content Integrity

- Always verify that the number of bytes received matches Content-Length; discard short or over-long bodies
- Use SHA256 hashing for content integrity verification
- Don't cache responses that use chunked transfer encoding (they carry no Content-Length, so the expected size is unknown)
- Reject files with an invalid or missing Content-Length
- Store cache files in a validated format that starts with a magic number, so corrupted or foreign files are detected on read

## Rate Limiting and DoS Protection

- Enforce a global concurrency limit with a semaphore so a burst of requests cannot exhaust file descriptors or memory
- Use per-client rate limiting to prevent abuse by a single host
- Expire idle per-client limiters; otherwise the limiter map grows by one entry for every address ever seen
- Set timeouts on every operation (reads, writes, upstream fetches, semaphore acquisition)
- Monitor and log rejected or throttled requests

## HTTP Security

- Only support GET requests (Steam doesn't use other methods)
- Validate the HTTP method and answer anything else with 405 Method Not Allowed
- Handle malformed HTTP requests gracefully (400, never a crash)
- Return proper error responses with appropriate status codes
- Strip hop-by-hop headers (Connection, Keep-Alive, Transfer-Encoding, Upgrade, and any header named in Connection) when relaying upstream responses

## Client IP Detection

- Check X-Forwarded-For for proxy setups, but only when RemoteAddr is a trusted proxy: the header is client-controlled, and honouring it from arbitrary peers lets a client rotate its value to bypass per-client limits
- Fall back to the X-Real-IP header under the same trust rule
- Use RemoteAddr as the final fallback, and as the only source when the peer is not a trusted proxy
- Handle comma-separated IP lists in X-Forwarded-For: the rightmost address that is not one of the trusted proxies is the client; the leftmost is whatever the client itself sent
- Log client IPs for monitoring and debugging

## Service Detection Security

- Use regex patterns for User-Agent matching; the match only selects a service configuration and must never be treated as authentication
- Validate service configurations (upstream, prefix, limits) before use
- Support multiple services with proper isolation (separate prefixes, limits and upstreams)
- Default to the Steam service configuration when no pattern matches
- Log the detected service for each request so misclassification is visible
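The path validation, cache key derivation and Content-Length checks described under Input Validation, Cache Key Security and Content Integrity, combined into one worked example. This is added illustration code, not SteamCache2's own implementation; the limits (`maxPathLen`, `maxContentLen`), the service prefix alphabet and the key layout `<service>/<sha256 hex>` are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"path"
	"regexp"
	"strconv"
	"strings"
)

// Assumed limits; SteamCache2's real values are not on the page.
const (
	maxPathLen    = 2048
	maxContentLen = int64(32) << 30 // 32 GiB
)

var (
	ErrBadPath    = errors.New("invalid request path")
	ErrBadLength  = errors.New("invalid Content-Length")
	ErrBadService = errors.New("invalid service prefix")

	serviceRe = regexp.MustCompile(`^[a-z0-9]{1,16}$`)
	// A valid key is <service>/<64 hex chars>; nothing else may reach the filesystem.
	keyRe = regexp.MustCompile(`^[a-z0-9]{1,16}/[0-9a-f]{64}$`)
)

// CleanPath validates a raw request target and returns its canonical path with
// the query string removed. Percent-encoded traversal ("%2e%2e") is caught
// because url.ParseRequestURI decodes it before the segment check runs.
func CleanPath(raw string) (string, error) {
	if len(raw) == 0 || len(raw) > maxPathLen || raw[0] != '/' {
		return "", ErrBadPath
	}
	for i := 0; i < len(raw); i++ {
		if raw[i] < 0x20 || raw[i] == 0x7f { // control bytes never belong in a path
			return "", ErrBadPath
		}
	}
	u, err := url.ParseRequestURI(raw)
	if err != nil {
		return "", ErrBadPath
	}
	p := u.Path // the query is dropped here; it must not influence the key
	for _, seg := range strings.Split(p[1:], "/") {
		if seg == "" || seg == "." || seg == ".." {
			return "", ErrBadPath // empty, dot or dot-dot segment
		}
	}
	if path.Clean(p) != p { // belt and braces: the path must already be canonical
		return "", ErrBadPath
	}
	return p, nil
}

// CacheKey derives the on-disk key for a request: <service>/<sha256 of the
// cleaned path>. Only the fixed-length hex digest names a file, so
// user-controlled bytes never become part of a filesystem path.
func CacheKey(service, raw string) (string, error) {
	if !serviceRe.MatchString(service) {
		return "", ErrBadService
	}
	clean, err := CleanPath(raw)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256([]byte(clean))
	return service + "/" + hex.EncodeToString(sum[:]), nil
}

// ValidateKey checks the shape of a key before it is used to open a file,
// e.g. when keys are read back from an index or a log.
func ValidateKey(key string) bool { return keyRe.MatchString(key) }

// ContentLength parses a Content-Length header and bounds-checks it. A missing
// value (which is what a chunked response has) is rejected: without a known
// size the cache cannot verify that it stored the whole object.
func ContentLength(v string) (int64, error) {
	v = strings.TrimSpace(v)
	if v == "" || v[0] < '0' || v[0] > '9' { // no sign, no empty string
		return 0, ErrBadLength
	}
	n, err := strconv.ParseInt(v, 10, 64)
	if err != nil || n < 0 || n > maxContentLen {
		return 0, ErrBadLength
	}
	return n, nil
}

func main() {
	for _, raw := range []string{"/depot/123/chunk/abc?sig=1", "/depot/../etc/passwd", "/depot/%2e%2e/secret"} {
		key, err := CacheKey("steam", raw)
		fmt.Printf("%-28s -> key=%q err=%v\n", raw, key, err)
	}
	for _, v := range []string{"1048576", "-1", "abc", ""} {
		n, err := ContentLength(v)
		fmt.Printf("Content-Length %-9q -> %d %v\n", v, n, err)
	}
}
```

The segment check runs on the decoded path, which is why `%2e%2e` is rejected rather than surviving into a filename; `path.Clean` is kept as a second line of defence rather than as the primary check, because cleaning a hostile path silently is exactly what a proxy should not do.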
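The Client IP Detection rules as a worked example, including the trust check the list calls for: forwarding headers are honoured only when the direct peer is a configured proxy, and X-Forwarded-For is walked from the right. This is added code, not SteamCache2's own; the `ParseTrusted` helper and the idea of a configured trusted-proxy CIDR list are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// ParseTrusted converts the CIDRs of proxies allowed to set forwarding headers
// (assumed to come from configuration) into networks. Invalid entries are
// skipped here; a real service should refuse to start on them.
func ParseTrusted(cidrs []string) []*net.IPNet {
	var out []*net.IPNet
	for _, c := range cidrs {
		if _, n, err := net.ParseCIDR(c); err == nil {
			out = append(out, n)
		}
	}
	return out
}

func isTrusted(ip net.IP, trusted []*net.IPNet) bool {
	for _, n := range trusted {
		if ip != nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIP picks the address used for rate limiting and logging.
// X-Forwarded-For and X-Real-IP are client-controlled, so they are honoured
// only when the direct peer (RemoteAddr) is a trusted proxy; otherwise any
// client could rotate the header value to dodge per-client limits.
func ClientIP(r *http.Request, trusted []*net.IPNet) string {
	peer, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		peer = r.RemoteAddr // no port present; use the string as-is
	}
	if !isTrusted(net.ParseIP(peer), trusted) {
		return peer
	}
	// Walk X-Forwarded-For from the right: the rightmost address that is not
	// one of our proxies is the client. The leftmost is whatever the client sent.
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		parts := strings.Split(xff, ",")
		for i := len(parts) - 1; i >= 0; i-- {
			ip := net.ParseIP(strings.TrimSpace(parts[i]))
			if ip == nil {
				break // malformed entry: stop trusting the chain
			}
			if !isTrusted(ip, trusted) {
				return ip.String()
			}
		}
	}
	if ip := net.ParseIP(strings.TrimSpace(r.Header.Get("X-Real-IP"))); ip != nil {
		return ip.String()
	}
	return peer
}

func main() {
	trusted := ParseTrusted([]string{"10.0.0.0/8"}) // constructed example config
	r := &http.Request{RemoteAddr: "10.0.0.5:4242", Header: http.Header{}}
	r.Header.Set("X-Forwarded-For", "198.51.100.7, 203.0.113.9, 10.0.0.9")
	fmt.Println("via trusted proxy:", ClientIP(r, trusted))
	r.RemoteAddr = "203.0.113.7:555" // same header, untrusted peer: header ignored
	fmt.Println("direct client:   ", ClientIP(r, trusted))
}
```

If SteamCache2 is deployed without a reverse proxy, the trusted list should be empty, which makes `ClientIP` collapse to RemoteAddr and removes the spoofing surface entirely.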
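The Rate Limiting and DoS Protection rules as a worked example: a per-client token bucket, a sweep that expires idle limiters so the map stays bounded, and a global semaphore with an acquisition timeout. This is added code, not SteamCache2's own (which may use a library limiter); the rate, burst, idle window and concurrency values in `main` are assumed, and the overridable `Now` clock exists only so the refill logic can be exercised deterministically.

```go
package main

import (
	"fmt"
	"math"
	"sync"
	"time"
)

type bucket struct {
	tokens float64
	last   time.Time
}

// Limiter is a per-client token bucket plus a global concurrency semaphore.
// Now is a field so refill and expiry can be driven by a fake clock.
type Limiter struct {
	mu      sync.Mutex
	clients map[string]*bucket
	rate    float64 // tokens refilled per second
	burst   float64 // bucket capacity
	idle    time.Duration
	sem     chan struct{}
	Now     func() time.Time
}

func NewLimiter(rate, burst float64, idle time.Duration, maxConcurrent int) *Limiter {
	return &Limiter{clients: map[string]*bucket{}, rate: rate, burst: burst,
		idle: idle, sem: make(chan struct{}, maxConcurrent), Now: time.Now}
}

// Allow consumes one token for client and reports whether the request may proceed.
func (l *Limiter) Allow(client string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.Now()
	b, ok := l.clients[client]
	if !ok {
		b = &bucket{tokens: l.burst, last: now}
		l.clients[client] = b
	}
	b.tokens = math.Min(l.burst, b.tokens+now.Sub(b.last).Seconds()*l.rate)
	b.last = now
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// Sweep deletes buckets idle for longer than l.idle and returns how many it
// removed. Without it the map grows by one entry per address ever seen.
func (l *Limiter) Sweep() int {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.Now()
	removed := 0
	for k, b := range l.clients {
		if now.Sub(b.last) > l.idle {
			delete(l.clients, k)
			removed++
		}
	}
	return removed
}

// Tracked returns the number of clients currently holding a bucket.
func (l *Limiter) Tracked() int {
	l.mu.Lock()
	defer l.mu.Unlock()
	return len(l.clients)
}

// Acquire takes a global slot or gives up after timeout; Release returns it.
// A bounded wait matters: an unbounded one turns a full semaphore into a pile
// of blocked goroutines, which is its own resource exhaustion.
func (l *Limiter) Acquire(timeout time.Duration) bool {
	select {
	case l.sem <- struct{}{}:
		return true
	case <-time.After(timeout):
		return false
	}
}

func (l *Limiter) Release() { <-l.sem }

func main() {
	// Assumed values: 5 requests/s, burst of 10, idle expiry 10 min, 100 in flight.
	l := NewLimiter(5, 10, 10*time.Minute, 100)
	for i := 1; i <= 12; i++ {
		fmt.Printf("request %2d allowed=%v\n", i, l.Allow("203.0.113.9"))
	}
	fmt.Println("tracked clients:", l.Tracked(), "expired:", l.Sweep())
}
```

In a handler the order is: resolve the client address, `Allow` (cheap, rejects abusers before any work), then `Acquire` with a short timeout around the upstream fetch and cache write, with `Release` deferred. `Sweep` belongs in a background goroutine on a ticker, not on the request path.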
## Error Handling Security

- Never expose internal details (filesystem paths, upstream hosts, stack traces) in error responses
- Log detailed errors for debugging, but return only a generic message and the right status code to clients
- Handle errors gracefully without crashing; a failure in one request must not take down the proxy
- Clean up properly on errors (partially written cache files, semaphore slots, open upstream connections)
- Use structured logging for security events

## Configuration Security

- Validate configuration values on startup and refuse to start on invalid ones
- Use sensible, restrictive defaults for security-sensitive settings
- Validate file paths and permissions (the cache directory must exist, be writable by the service, and not be world-writable)
- Check upstream server connectivity
- Log configuration changes

## Memory and Resource Security

- Bound memory use (in-flight request buffers, in-memory indexes) so a flood of large objects cannot OOM the process
- Release resources deterministically (close files and response bodies, release semaphore slots); don't rely on garbage collection for them
- Monitor memory usage and alert on thresholds
- Use bounded data structures (capped maps and queues) where possible
- Implement proper connection limits

## Logging Security

- Don't log sensitive information (passwords, tokens, Authorization headers)
- Use structured logging for security events
- Include relevant context (client IP, URL path, timestamp, service, outcome)
- Implement log rotation and retention policies
- Monitor logs for security issues

## Network Security

- Use HTTPS for upstream connections when possible
- Use a hardened TLS configuration (TLS 1.2 minimum, certificate verification enabled)
- Use connection pooling with appropriate limits
- Set reasonable timeouts for network operations (dial, TLS handshake, response headers, idle connections)
- Monitor network traffic for anomalies
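The Error Handling Security and Logging Security rules as one worked example, together with the hop-by-hop header filtering called for under HTTP Security: the client receives only the status text, the full error goes to a structured (JSON) event log, and upstream headers are copied without connection-level ones. This is added code, not SteamCache2's own; the `ErrBadRequest` sentinel, the `EventLogger` type and the error-to-status mapping are assumptions.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"os"
	"strings"
	"time"
)

// Assumed sentinel returned by request validation elsewhere in the service.
var ErrBadRequest = errors.New("bad request")

// hopByHop lists connection-level headers that must not be relayed from an
// upstream response to the client (RFC 7230, section 6.1).
var hopByHop = map[string]bool{
	"Connection": true, "Keep-Alive": true, "Proxy-Authenticate": true,
	"Proxy-Authorization": true, "Te": true, "Trailer": true,
	"Transfer-Encoding": true, "Upgrade": true,
}

// CopyEndToEnd copies src into dst, skipping hop-by-hop headers and any header
// the upstream itself nominated as hop-by-hop in its Connection header.
func CopyEndToEnd(dst, src http.Header) {
	skip := map[string]bool{}
	for _, v := range src.Values("Connection") {
		for _, name := range strings.Split(v, ",") {
			if n := strings.TrimSpace(name); n != "" {
				skip[http.CanonicalHeaderKey(n)] = true
			}
		}
	}
	for k, vals := range src {
		if hopByHop[k] || skip[k] {
			continue
		}
		for _, v := range vals {
			dst.Add(k, v)
		}
	}
}

// EventLogger writes one JSON object per security event so log tooling can
// parse fields instead of regexing free text.
type EventLogger struct{ W io.Writer }

func (l *EventLogger) Log(event string, fields map[string]any) {
	fields["ts"] = time.Now().UTC().Format(time.RFC3339Nano)
	fields["event"] = event
	b, _ := json.Marshal(fields) // map[string]any with plain values cannot fail
	fmt.Fprintf(l.W, "%s\n", b)
}

// WriteError maps an internal error to an HTTP status and sends the client
// only the generic status text. The detailed error (which may carry cache
// paths or upstream hostnames) goes to the event log. Returns the status chosen.
func WriteError(w http.ResponseWriter, lg *EventLogger, client, path string, err error) int {
	status := http.StatusBadGateway // default for upstream and cache failures
	switch {
	case errors.Is(err, os.ErrNotExist):
		status = http.StatusNotFound
	case errors.Is(err, context.DeadlineExceeded):
		status = http.StatusGatewayTimeout
	case errors.Is(err, ErrBadRequest):
		status = http.StatusBadRequest
	}
	lg.Log("request_error", map[string]any{
		"client": client, "path": path, "status": status, "error": err.Error(),
	})
	http.Error(w, http.StatusText(status), status)
	return status
}

func main() {
	lg := &EventLogger{W: os.Stderr}
	rec := httptest.NewRecorder() // stands in for the real ResponseWriter
	err := fmt.Errorf("open /var/cache/steam/ab12: %w", os.ErrNotExist) // constructed error
	status := WriteError(rec, lg, "203.0.113.9", "/depot/1/chunk/ab12", err)
	fmt.Printf("client sees: %d %q\n", status, rec.Body.String())
}
```

`http.Error` also sets `Content-Type: text/plain` and `X-Content-Type-Options: nosniff`, which is the right shape for an error body a browser might see. The log line carries the client address, path and outcome the Logging Security list asks for; the raw request headers are deliberately not included, so an Authorization header can never end up in the log by accident.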