Security hardening: CORS, error sanitization, rate limiting, input validation #38

Merged
mik-tf merged 3 commits from development_security_hardening into development 2026-03-02 03:53:57 +00:00

Closes #32 #37

Summary

  • CORS: Restrict to known origins via PORTAL_ALLOWED_ORIGINS env var
  • Error sanitization: Generic client messages, real errors logged via tracing
  • Pending session cap: MAX_PENDING = 10,000
  • Signer verification: Submit endpoints verify signer matches prepare
  • Float precision: tft_to_planck uses .round()
  • Farm IDs validation: Parse as Vec<u32>, max 100
  • RPC timeouts: 30s read, 120s finalization
  • Body size limit: 4KB max
  • Security headers: HSTS, CSP, X-Frame-Options via Caddy
  • Docker port binding: 127.0.0.1 only
  • Gateway URL: HTTP to HTTPS default

Test plan

  • [x] cargo build + check compiles
  • [x] cargo test passes (14 tests)
  • [ ] Deploy to staging and run smoke tests
  • [ ] Verify CORS rejects unknown origins
  • [ ] Verify security headers present
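The float-precision and farm_ids items in the summary, as an added example (not code from this PR or the mycelium project). It assumes 1 TFT = 10^7 planck and that farm_ids arrives as a comma-separated string; both are assumptions, as is every identifier below.

```rust
// Added example, not the PR's own code. The planck ratio and the
// comma-separated farm_ids format are assumptions.
const PLANCK_PER_TFT: f64 = 10_000_000.0;
const MAX_FARM_IDS: usize = 100;

/// Before the fix: `as u128` truncates toward zero, so a float that lands a
/// hair below a whole number of planck (e.g. 0.1 computed as 1.0 - 0.9)
/// silently drops one planck.
pub fn tft_to_planck_truncating(tft: f64) -> u128 {
    (tft * PLANCK_PER_TFT) as u128
}

/// After the fix: round to the nearest planck, and refuse amounts that are
/// not finite and non-negative instead of letting `as` saturate them.
pub fn tft_to_planck(tft: f64) -> Result<u128, String> {
    if !tft.is_finite() || tft < 0.0 {
        return Err("amount must be a finite, non-negative number".into());
    }
    Ok((tft * PLANCK_PER_TFT).round() as u128)
}

/// Parse farm_ids as a bounded Vec<u32>: the list may hold at most
/// MAX_FARM_IDS entries and every entry must parse as a u32. The length
/// check runs before any parsing so oversized input is rejected cheaply.
pub fn parse_farm_ids(raw: &str) -> Result<Vec<u32>, String> {
    if raw.trim().is_empty() {
        return Ok(Vec::new());
    }
    let parts: Vec<&str> = raw.split(',').map(str::trim).collect();
    if parts.len() > MAX_FARM_IDS {
        return Err(format!("too many farm ids: {} > {}", parts.len(), MAX_FARM_IDS));
    }
    parts
        .iter()
        .map(|p| p.parse::<u32>().map_err(|e| format!("invalid farm id {p:?}: {e}")))
        .collect()
}

fn main() {
    let tiny = 1.0 - 0.9; // 0.09999999999999998 in IEEE-754 binary64
    println!("truncating: {}", tft_to_planck_truncating(tiny));
    println!("rounding:   {:?}", tft_to_planck(tiny));
    println!("{:?}", parse_farm_ids("1, 2, 3"));
    println!("{:?}", parse_farm_ids("1,x"));
}
```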
security: harden backend and deploy configuration
Some checks failed
Test / check (pull_request) Failing after 1m27s
a463b408e7
Restrict CORS to known origins, sanitize all error messages,
add pending session cap, signer verification on submit,
float precision fix, farm_ids validation, RPC timeouts,
body size limit, Caddy security headers, and Docker port binding.

Closes #37

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
test: add security smoke tests, CI smoke test step, Makefile targets
Some checks failed
Test / check (pull_request) Failing after 1m21s
fd8366bdb6
Add security-smoke-test.sh covering CORS rejection, error sanitization,
body size limits, signer verification, and farm_ids validation.
Wire into CI via live backend smoke test step, and add Makefile targets
for security-smoke-test and run-smoke-tests.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
style: fix rustfmt formatting
All checks were successful
Test / check (pull_request) Successful in 2m50s
28c83d9bb0
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
mik-tf changed title from WIP: Security hardening: CORS, error sanitization, rate limiting, input validation to Security hardening: CORS, error sanitization, rate limiting, input validation 2026-03-02 03:53:51 +00:00
mik-tf merged commit 2f05286da8 into development 2026-03-02 03:53:57 +00:00

Reference
mycelium/www_migrate_mycelium!38