improve baseline HTTP security for no-reverse proxy deployment scenarios #282

Merged: wojcik91 merged 18 commits into release/2.0 from http_security on Apr 23, 2026
@wojcik91 (Contributor) commented Apr 23, 2026

  • added baseline security headers
  • HSTS only sent when running with TLS
  • added request body size limit
  • added request timeout
  • enable rate limiter by default
  • added Cache-Control: no-store for API routes

Resolves https://github.com/DefGuard/internal/issues/66

@wojcik91 self-assigned this Apr 23, 2026
Copilot AI left a comment

Pull request overview

This PR hardens the proxy’s default HTTP posture for deployments that aren’t protected by a reverse proxy, aligning with internal issue #66 by adding baseline response headers and safer defaults.

Changes:

  • Add a global security-headers middleware (incl. conditional HSTS when TLS is active).
  • Introduce a global request timeout and request body size limit.
  • Harden enrollment/password-reset cookies (HttpOnly, SameSite, scoped Path) and enable rate limiting by default via config defaults.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| src/http.rs | Adds security headers middleware, request timeout, request body limit, and tracks whether TLS is active. |
| src/handlers/password_reset.rs | Improves password reset cookie attributes and removes an unwrap() on timestamp conversion. |
| src/handlers/enrollment.rs | Improves enrollment cookie attributes and removes an unwrap() on timestamp conversion. |
| src/config.rs | Changes rate-limiter defaults from disabled (0) to enabled (10/s, burst 100). |
| Cargo.toml | Enables tower-http’s timeout feature to support the new TimeoutLayer. |

Comment thread src/http.rs
Comment thread src/handlers/password_reset.rs
Comment thread src/handlers/enrollment.rs
Comment thread src/config.rs
@wojcik91 marked this pull request as ready for review April 23, 2026 09:42
@wojcik91 merged commit 6dbd577 into release/2.0 Apr 23, 2026
3 checks passed
@wojcik91 deleted the http_security branch April 23, 2026 13:04
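
The header and cookie rules listed in this PR, as an added standard-library Rust example that is not the project's code. The baseline header set and its values, the `/api` prefix, the conditional `Secure` attribute, and the function names are assumptions; the PR text names only HSTS, `Cache-Control: no-store`, HttpOnly, SameSite and a scoped Path.

```rust
// Added illustration; not code from the PR. Header set, values, the "/api"
// prefix and the Secure attribute are assumptions made for this example.

/// Headers to attach to a response, given the listener mode and request path.
pub fn response_headers(tls_active: bool, path: &str) -> Vec<(&'static str, String)> {
    // Baseline headers sent on every response (assumed set).
    let mut headers = vec![
        ("X-Content-Type-Options", "nosniff".to_string()),
        ("X-Frame-Options", "DENY".to_string()),
        ("Referrer-Policy", "no-referrer".to_string()),
    ];
    // RFC 6797: HSTS must not be sent over plain HTTP, and browsers ignore it there.
    if tls_active {
        headers.push(("Strict-Transport-Security", "max-age=31536000".to_string()));
    }
    // Match "/api" and "/api/..." but not look-alikes such as "/apidocs".
    if path == "/api" || path.starts_with("/api/") {
        headers.push(("Cache-Control", "no-store".to_string()));
    }
    headers
}

/// Set-Cookie value for a short-lived flow cookie scoped to one path prefix.
pub fn flow_cookie(name: &str, value: &str, path: &str, max_age: u64, tls_active: bool) -> String {
    let mut cookie = format!(
        "{}={}; Path={}; Max-Age={}; HttpOnly; SameSite=Strict",
        name, value, path, max_age
    );
    // Secure would stop the browser returning the cookie on a plain-HTTP deployment.
    if tls_active {
        cookie.push_str("; Secure");
    }
    cookie
}

fn main() {
    // Constructed sample requests.
    for (tls, path) in [(false, "/api/v1/example"), (true, "/index.html")] {
        println!("tls={} path={}", tls, path);
        for (k, v) in response_headers(tls, path) {
            println!("  {}: {}", k, v);
        }
    }
    println!("Set-Cookie: {}", flow_cookie("flow_id", "abc123", "/api/v1/example", 600, true));
}
```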