Skip to content

Commit d7e68ea

Browse files
committed
Prepare 1.0.1 security hardening
1 parent c0c862b commit d7e68ea

7 files changed

Lines changed: 180 additions & 27 deletions

File tree

.cargo/audit.toml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -5,5 +5,5 @@ fetch = true
55
stale = false
66

77
[yanked]
8-
enabled = false
9-
update_index = false
8+
enabled = true
9+
update_index = true

Cargo.lock

Lines changed: 1 addition & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

Cargo.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
[package]
22
name = "hashavatar-api"
3-
version = "1.0.0"
3+
version = "1.0.1"
44
edition = "2024"
55
rust-version = "1.96"
66
description = "Public avatar API and landing page for hashavatar"

Cargo.toml.split-template

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
[package]
22
name = "hashavatar-api"
3-
version = "1.0.0"
3+
version = "1.0.1"
44
edition = "2024"
55
rust-version = "1.96"
66
description = "Public avatar API and landing page for hashavatar"

README.md

Lines changed: 9 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,7 @@ audit, SBOM, reproducibility, smoke, and GitHub CodeQL default setup checks.
1111

1212
## Current Status
1313

14-
The current service version is `1.0.0`.
14+
The current service version is `1.0.1`.
1515

1616
Implemented now:
1717

@@ -213,11 +213,17 @@ Object storage:
213213
- `HASHAVATAR_S3_ENDPOINT`
214214
- `HASHAVATAR_S3_PATH_STYLE`
215215
- `HASHAVATAR_S3_PREFIX`
216-
- `HASHAVATAR_S3_PRESIGN_TTL_SECONDS`
216+
- `HASHAVATAR_S3_PRESIGN_TTL_SECONDS` clamped to `60..=604800`
217217

218218
`HASHAVATAR_TRUSTED_PROXIES` accepts a comma or whitespace separated list of IP
219219
addresses and CIDR ranges. Forwarded client IP headers are ignored unless the
220-
direct peer address matches this allowlist.
220+
direct peer address matches this allowlist. Keep this allowlist limited to
221+
proxies that overwrite or correctly append client IP headers; rate-limit state
222+
is intentionally sized for the real client IP space of the deployment.
223+
224+
Do not proxy `/metrics` from a public listener. The endpoint is intended for
225+
local scraping only; a same-host reverse proxy can make the loopback peer check
226+
pass if it forwards the route.
221227

222228
## Testing And Release Evidence
223229

deploy/README.md

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -14,6 +14,11 @@ The app uses the direct peer IP for rate limiting by default. The compose file
1414
sets `HASHAVATAR_TRUSTED_PROXIES=10.89.42.0/24` and pins the private network to
1515
that subnet so the app only honors `X-Forwarded-For` style headers from the
1616
Fluxheim network. Do not expose the app container port directly to the internet.
17+
Keep this trusted-proxy range aligned with the private proxy network; widening it
18+
can let untrusted peers inflate rate-limit key cardinality.
19+
Do not add a Fluxheim route for `/metrics`: the application also checks for a
20+
loopback peer, but a same-host reverse proxy connects from loopback and would
21+
make metrics public if explicitly forwarded.
1722

1823
The app container is hardened for the expected runtime shape: read-only root
1924
filesystem, no new privileges, all Linux capabilities dropped, and a small

0 commit comments

Comments
 (0)