steamcache2/.cursor/rules/security-validation-patterns.mdc
Justin Harms 3703e40442 Add comprehensive documentation for caching, configuration, development, and security patterns
- Introduced multiple new markdown files detailing caching patterns, configuration management, development workflows, Go language conventions, HTTP proxy patterns, logging and monitoring practices, performance optimization guidelines, project structure, security validation, and VFS architecture.
- Each document outlines best practices, patterns, and guidelines to enhance the understanding and implementation of various components within the SteamCache2 project.
- This documentation aims to improve maintainability, facilitate onboarding for new contributors, and ensure consistent application of coding and architectural standards across the codebase.
2025-09-22 17:29:26 -05:00

---
description: Security and validation patterns for SteamCache2
---
# Security and Validation Patterns
## Input Validation
- Validate all HTTP request parameters and headers
- Sanitize file paths and cache keys to prevent directory traversal
- Validate URL paths before processing
- Check Content-Length headers for reasonable values
- Reject malformed or suspicious requests
## Cache Key Security
- Use SHA256 hashing for all cache keys to prevent collisions
- Never include user input directly in cache keys
- Strip query parameters from URLs before hashing
- Use service prefixes to isolate different services
- Validate cache key format and length
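One way to implement the cache key rules above together with the traversal check from Input Validation, written here as an added Go example rather than SteamCache2's own code; the `<service>:<sha256-hex>` layout, the 128-character length ceiling, keying on the URL path alone and the sample CDN URL are all assumptions:

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Added example, not SteamCache2's own code. Assumed key layout:
// "<service>:<sha256-hex>", with only the URL path identifying content.
var (
	servicePattern  = regexp.MustCompile(`^[a-z0-9]+$`)
	cacheKeyPattern = regexp.MustCompile(`^[a-z0-9]+:[0-9a-f]{64}$`)
)

// CacheKey drops the query string and fragment, hashes the path (so no user
// input lands in the key verbatim) and prefixes the service for isolation.
func CacheKey(service, rawURL string) (string, error) {
	if !servicePattern.MatchString(service) {
		return "", errors.New("invalid service prefix")
	}
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	if !strings.HasPrefix(u.Path, "/") {
		return "", errors.New("missing or relative URL path")
	}
	// u.Path is already percent-decoded, so "%2e%2e" is caught here too.
	for _, seg := range strings.Split(u.Path, "/") {
		if seg == ".." {
			return "", errors.New("path traversal segment in URL")
		}
	}
	sum := sha256.Sum256([]byte(u.Path))
	return service + ":" + hex.EncodeToString(sum[:]), nil
}
// ValidateCacheKey checks a stored key's format and length before use.
func ValidateCacheKey(key string) bool {
	return len(key) <= 128 && cacheKeyPattern.MatchString(key)
}
func main() {
	// Constructed sample URL; the cdn_auth token must not affect the key.
	k, err := CacheKey("steam", "http://cdn.example.test/depot/123/chunk/abc?cdn_auth=token")
	fmt.Println(k, err, ValidateCacheKey(k))
}
```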
## Content Integrity
- Always verify Content-Length matches received data
- Use SHA256 hashing for content integrity verification
- Don't cache chunked transfer encoding (no Content-Length)
- Reject files with invalid or missing Content-Length
- Implement cache file format validation with magic numbers
## Rate Limiting and DoS Protection
- Implement global concurrency limits with semaphores
- Use per-client rate limiting to prevent abuse
- Clean up old client limiters to prevent memory leaks
- Set appropriate timeouts for all operations
- Monitor and log suspicious activity
## HTTP Security
- Only support GET requests (Steam doesn't use other methods)
- Validate HTTP method and reject unsupported methods
- Handle malformed HTTP requests gracefully
- Implement proper error responses with appropriate status codes
- Use hop-by-hop header filtering
## Client IP Detection
- Check X-Forwarded-For header for proxy setups
- Fall back to X-Real-IP header
- Use RemoteAddr as final fallback
- Handle comma-separated IP lists in X-Forwarded-For
- Log client IPs for monitoring and debugging
## Service Detection Security
- Use regex patterns for User-Agent matching
- Validate service configurations before use
- Support multiple services with proper isolation
- Default to Steam service configuration
- Log service detection for monitoring
## Error Handling Security
- Don't expose internal system information in error messages
- Log detailed errors for debugging but return generic messages to clients
- Handle errors gracefully without crashing
- Implement proper cleanup on errors
- Use structured logging for security events
## Configuration Security
- Validate configuration values on startup
- Use sensible defaults for security-sensitive settings
- Validate file paths and permissions
- Check upstream server connectivity
- Log configuration changes
## Memory and Resource Security
- Implement memory limits to prevent OOM attacks
- Use proper resource cleanup and garbage collection
- Monitor memory usage and implement alerts
- Use bounded data structures where possible
- Implement proper connection limits
## Logging Security
- Don't log sensitive information (passwords, tokens)
- Use structured logging for security events
- Include relevant context (IPs, URLs, timestamps)
- Implement log rotation and retention policies
- Monitor logs for security issues
## Network Security
- Use HTTPS for upstream connections when possible
- Implement proper TLS configuration
- Use connection pooling with appropriate limits
- Set reasonable timeouts for network operations
- Monitor network traffic for anomalies