Skip to content

Commit a930fc1

Browse files
committed
Fix security and robustness issues in nice-url feature
Security fixes: - Fix #1: Race condition in register_or_update_for_deployment - now uses atomic database transaction to prevent subdomain loss on failed updates - Fix #2: Information disclosure - reserved subdomains now return generic "not available" message to prevent enumeration attacks - Fix #3: API rate limiter - added per-IP secondary limit that cannot be bypassed by rotating browser fingerprints - Fix #4: Rate limiter emergency purge - now uses gradual purge that only removes stale entries (>60s old) instead of arbitrary half, preventing attackers from evicting legitimate users Additional improvements: - Added new client rate limiting to detect identifier flooding attacks - Updated frontend error code translations for consistent generic messages - Updated tests to reflect new generic error messages
1 parent 30d956b commit a930fc1

5 files changed

Lines changed: 553 additions & 108 deletions

File tree

0 commit comments

Comments
 (0)