You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/SECURITY_CONTROLS.md
+3-3Lines changed: 3 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -7,12 +7,12 @@ local test and release gates.
7
7
8
8
| Risk | Control |
9
9
| --- | --- |
10
-
| Unbounded or expensive rate-limit state | The rate limiter uses bounded `LruCache` storage for O(1) LRU updates, 65,536 buckets, and regression tests for unique attacker keys. Avatar generation routes, including `/og.png`, pass through origin-side rate limits. |
10
+
| Unbounded or expensive rate-limit state | The rate limiter uses bounded `LruCache` storage for O(1) LRU updates, 65,536 buckets, and regression tests for unique attacker keys. CPU-bound avatar and Open Graph rendering run through `spawn_blocking` with timeouts, and all avatar generation routes pass through origin-side rate limits. |
11
11
| Forwarded-header spoofing |`X-Forwarded-For`, `X-Real-IP`, and `CF-Connecting-IP` are honored only when the direct peer is a configured trusted proxy; `X-Forwarded-For` chains are resolved from the rightmost untrusted address. |
12
12
| Verbose internal errors | Internal errors are logged with `tracing`; clients receive a generic static 500 body. |
13
-
| Browser-side content confusion | Responses receive CSP, `X-Content-Type-Options`, `X-Frame-Options`, `Referrer-Policy`, `Permissions-Policy`, `Cross-Origin-Resource-Policy`, and HTML-only `Cross-Origin-Opener-Policy` and `Strict-Transport-Security` headers. |
13
+
| Browser-side content confusion | Responses receive CSP, `Strict-Transport-Security`, `X-Content-Type-Options`, `X-Frame-Options`, `Referrer-Policy`, `Permissions-Policy`, and `Cross-Origin-Resource-Policy`; HTML responses also receive `Cross-Origin-Opener-Policy`. |
14
14
| Operational intelligence disclosure |`/metrics` is loopback-only and returns `404` to non-local peers; `/healthz` remains public for load balancers and uptime checks but only returns liveness status. |
15
-
| Object-storage metadata disclosure | Standard avatar responses do not expose presigned URLs or object keys in headers. `/v1/avatar/link` is the explicit JSON endpoint for signed-link metadata. |
15
+
| Object-storage metadata disclosure | Standard avatar responses do not expose presigned URLs or object keys in headers. `/v1/avatar/link` is the explicit JSON endpoint for signed-link metadata and returns a hashed cache key rather than the raw identity-bearing cache key. Direct avatar requests with `persist=true` use the same stricter storage rate limit as signed-link requests. |
16
16
| S3 prefix escaping | Tenant and style-version namespaces are limited to ASCII letters, digits, hyphens, and underscores before object keys are built. |
17
17
| Oversized avatar namespace or identity input | The service caps identities at 512 bytes and namespace components at 64 bytes before rendering. |
18
18
| Reflected error content | Client-facing `400` responses use static validation messages for parser and renderer errors instead of forwarding raw library error strings. |
0 commit comments