Kiterepo · pull · May 18, 2026 · May 18, 2026 · May 18, 2026 · May 18, 2026
diff --git a/docs/http-api/index.rst b/docs/http-api/index.rst
@@ -26,8 +26,9 @@ The following webserver related configuration items are available:
 
 .. warning::
 
-   To achieve defense-in-depth, expose the webserver only to client addresses that have a real need for access.
+   To achieve defense-in-depth, expose the webserver only to client addresses that have a real need for access, and configure a webserver password.
    Network access is configured by setting :ref:`setting-webserver-address` and :ref:`setting-webserver-allow-from`.
+   Password protection is configured by setting :ref:`setting-webserver-password`.
 
 
 Metrics Endpoint

diff --git a/docs/settings.rst b/docs/settings.rst
@@ -2138,6 +2138,28 @@ IP Address for webserver/API to listen on.
 Webserver/API access is only allowed from these subnets.
 Ignored if ``webserver-address`` is set to a UNIX domain socket.
 
+.. _setting-webserver-connection-timeout:
+
+``webserver-connection-timeout``
+--------------------------------
+.. versionadded:: 4.8.5
+
+-  Integer
+-  Default: 5
+
+Request/response timeout in seconds.
+
+.. _setting-webserver-cross-origin-request-header:
+
+``webserver-cross-origin-request-header``
+-----------------------------------------
+.. versionadded:: 5.1.0
+
+-  String
+-  Default: empty
+
+The value if the access-control-allow-origin HTTP header to include. This header is not included if the value is empty.
+
 .. _setting-webserver-hash-plaintext-credentials:
 
 ``webserver-hash-plaintext-credentials``
@@ -2212,17 +2234,6 @@ Maximum request/response body size in megabytes.
 
 Maximum number of allowed concurrent connections to the web server.
 
-.. _setting-webserver-connection-timeout:
-
-``webserver-connection-timeout``
---------------------------------
-.. versionadded:: 4.8.5
-
--  Integer
--  Default: 5
-
-Request/response timeout in seconds.
-
 .. _setting-webserver-password:
 
 ``webserver-password``
@@ -2255,17 +2266,6 @@ Ignored if ``webserver-address`` is set to a UNIX domain socket.
 
 If the webserver should print arguments.
 
-.. _setting-webserver-cross-origin-request-header:
-
-``webserver-cross-origin-request-header``
------------------------------------------
-.. versionadded:: 5.1.0
-
--  String
--  Default: empty
-
-The value if the access-control-allow-origin HTTP header to include. This header is not included if the value is empty.
-
 .. _setting-write-pid:
 
 ``write-pid``

diff --git a/modules/bindbackend/binddnssec.cc b/modules/bindbackend/binddnssec.cc
@@ -384,7 +384,7 @@ bool Bind2Backend::addDomainKey(const ZoneName& name, const KeyData& key, int64_
     SSqlStatement::row_t row;
     d_GetLastInsertedKeyIdQuery_stmt->nextRow(row);
     ASSERT_ROW_COLUMNS("get-last-inserted-key-id-query", row, 1);
-    keyId = std::stoi(row[0]);
+    pdns::checked_stoi_into(keyId, row[0]);
     d_GetLastInsertedKeyIdQuery_stmt->reset();
     if (keyId == 0) {
       // No insert took place, report as error.

diff --git a/modules/pipebackend/pipebackend.cc b/modules/pipebackend/pipebackend.cc
@@ -320,7 +320,7 @@ bool PipeBackend::get(DNSResourceRecord& r)
         }
 
         if (d_abiVersion >= 3) {
-          r.scopeMask = std::stoi(parts[1]);
+          pdns::checked_stoi_into(r.scopeMask, parts[1]);
           r.auth = (parts[2] == "1");
           parts.erase(parts.begin() + 1, parts.begin() + 3);
         }

diff --git a/pdns/backends/gsql/gsqlbackend.cc b/pdns/backends/gsql/gsqlbackend.cc
@@ -1066,7 +1066,7 @@ bool GSQLBackend::addDomainKey(const ZoneName& name, const KeyData& key, int64_t
     if (d_AddDomainKeyQuery_stmt->hasNextRow()) {
       SSqlStatement::row_t row;
       d_AddDomainKeyQuery_stmt->nextRow(row);
-      keyId = std::stoi(row[0]);
+      pdns::checked_stoi_into(keyId, row[0]);
       d_AddDomainKeyQuery_stmt->reset();
       return true;
     } else {
@@ -1088,7 +1088,7 @@ bool GSQLBackend::addDomainKey(const ZoneName& name, const KeyData& key, int64_t
     SSqlStatement::row_t row;
     d_GetLastInsertedKeyIdQuery_stmt->nextRow(row);
     ASSERT_ROW_COLUMNS("get-last-inserted-key-id-query", row, 1);
-    keyId = std::stoi(row[0]);
+    pdns::checked_stoi_into(keyId, row[0]);
     d_GetLastInsertedKeyIdQuery_stmt->reset();
     if (keyId == 0) {
       // No insert took place, report as error.

diff --git a/pdns/dnssecinfra.cc b/pdns/dnssecinfra.cc
@@ -343,7 +343,7 @@ static map<string, string> ISCStringtoMap(const string& argStr)
       continue;
     }
     if (pdns_iequals(key,"slot")) {
-      int slot = std::stoi(value);
+      auto slot = pdns::checked_stoi<int>(value);
       stormap["slot"]=std::to_string(slot);
       continue;
     }

diff --git a/pdns/json.cc b/pdns/json.cc
@@ -37,7 +37,7 @@ static inline int intFromJsonInternal(const Json& container, const std::string&
 
   if (val.is_string()) {
     try {
-      return std::stoi(val.string_value());
+      return pdns::checked_stoi<int>(val.string_value());
     } catch (std::logic_error&) {
       throw JsonException("Key '" + string(key) + "' is not a valid number");
     }

diff --git a/pdns/minicurl.cc b/pdns/minicurl.cc
@@ -136,10 +136,8 @@ void MiniCurl::setupURL(const std::string& str, const ComboAddress* rem, const C
     std::size_t found = host4.find(':');
     vector<uint16_t> ports{80, 443};
     if (found != std::string::npos) {
-      int port = std::stoi(host4.substr(found + 1));
-      if (port <= 0 || port > 65535)
-        throw std::overflow_error("Invalid port number");
-      ports = {(uint16_t)port};
+      auto port = pdns::checked_stoi<uint16_t>(host4.substr(found + 1));
+      ports = {port};
       host4 = host4.substr(0, found);
     }
 

diff --git a/pdns/pkcs11signers.cc b/pdns/pkcs11signers.cc
@@ -723,7 +723,7 @@ CK_RV Pkcs11Slot::HuntSlot(Logr::log_t slog, const string& tokenId, CK_SLOT_ID &
 
   // see if we can find it with slotId
   try {
-    slotId = std::stoi(tokenId);
+    pdns::checked_stoi_into(slotId, tokenId);
     if ((err = functions->C_GetSlotInfo(slotId, info))) {
       SLOG(g_log<<Logger::Warning<<"C_GetSlotInfo("<<slotId<<", info) = " << err << std::endl,
            slog->info(Logr::Warning, "C_GetSlotInfo failed", "slotId", Logging::Loggable(slotId), "errorcode", Logging::Loggable(err)));

diff --git a/pdns/ws-auth.cc b/pdns/ws-auth.cc
@@ -1352,7 +1352,7 @@ static inline int getInquireKeyId(HttpRequest* req, const ZoneName& zonename, DN
 {
   int inquireKeyId = -1;
   if (req->parameters.count("key_id") == 1) {
-    inquireKeyId = std::stoi(req->parameters["key_id"]);
+    pdns::checked_stoi_into(inquireKeyId, req->parameters["key_id"]);
     apiZoneCryptoKeysCheckKeyExists(zonename, inquireKeyId, dnsseckeeper);
   }
   return inquireKeyId;
@@ -2906,7 +2906,12 @@ static void apiServerSearchData(HttpRequest* req, HttpResponse* resp)
     throw ApiException("Query q can't be blank");
   }
   if (!sMaxVar.empty()) {
-    maxEnts = std::stoi(sMaxVar);
+    try {
+      pdns::checked_stoi_into(maxEnts, sMaxVar);
+    }
+    catch (std::logic_error&) {
+      throw ApiException("Invalid value for maximum entries");
+    }
   }
   if (maxEnts < 1) {
     throw ApiException("Maximum entries must be larger than 0");