security: harden gateway proxy, custom runtime proxy, and media routes (#95)

* security hardening pass 1 - otel removed

* hardening pass #2

* feat security hardening pass

* chore: trim unrelated docs from security hardening pr

* fix: address security hardening review findings

* address findings
gsknnft
2026-04-03 18:02:06 -04:00
committed by GitHub
parent 083c146aac
commit 051d0ce469
14 changed files with 572 additions and 30 deletions
@@ -0,0 +1,51 @@
# Security Hardening
Changes applied to the upstream Claw3D codebase for production use.
## Critical Fixes
### 1. Telemetry Removed
- `@vercel/otel` dependency removed from package.json
- `src/instrumentation.ts` replaced with no-op
- No data is sent to Vercel or any external telemetry service
### 2. Constant-Time Token Comparison
- `server/access-gate.js` now uses `crypto.timingSafeEqual()` for
token validation, preventing timing attacks
### 3. Auth Rate Limiting
- In-memory rate limiter added to access gate for failed auth attempts
only (10 failures per IP per 60 seconds)
- Prevents brute-force token guessing
### 4. WebSocket Frame Validation
- Maximum frame size: 256 KB (prevents resource exhaustion)
- Per-connection rate limit: 30 frames/second
- Connections closed on violation
### 5. Upstream URL Allowlist
- `UPSTREAM_ALLOWLIST` env var restricts which gateway hosts the
WebSocket proxy can connect to
- Prevents DNS hijacking or SSRF through the proxy
- Required in production; empty allowlist is permitted in dev only
### 6. Custom Runtime Proxy Allowlist
- `/api/runtime/custom` now enforces `CUSTOM_RUNTIME_ALLOWLIST`
- Falls back to `UPSTREAM_ALLOWLIST` if no custom-specific allowlist is set
- Required in production; empty allowlist is permitted in dev only
### 7. Security Headers
- Baseline response headers now set from `next.config.ts`
- Includes CSP, `X-Content-Type-Options`, `Referrer-Policy`,
`Permissions-Policy`, and cross-origin isolation headers
### 8. Media Route Symlink Rejection
- `/api/gateway/media` now rejects symlinked local files
- Realpath is verified inside the allowed root before reading bytes
## Remaining Items (Phase 2)
- Encrypt gateway tokens at rest
- Add Zod schema validation for all API inputs
- Implement secure cookie flags (HttpOnly, Secure, SameSite)
- Sanitize error messages before sending to clients
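Review bot: Section 5's statement that `UPSTREAM_ALLOWLIST` "Prevents DNS hijacking or SSRF through the proxy" overstates what a host allowlist covers. It limits which gateway hosts the proxy will dial, but if an allowlisted name resolves to an unintended address the check still passes. Suggest rewording to "Limits SSRF through the proxy" and stating whether entries are matched on hostname, host and port, or resolved address. Sections 5 and 6 say the allowlist is "Required in production" without saying how production is detected or what happens when the variable is unset there; please document that the proxy refuses to connect in that case. In section 3, note that an in-memory limiter is per-process and resets on restart, and say where the "per IP" key comes from when the server runs behind a reverse proxy. In section 2, state how tokens of different length are handled, since `crypto.timingSafeEqual()` throws when the two inputs differ in byte length. In section 8, "Realpath is verified inside the allowed root before reading bytes" leaves a window between the check and the read; say whether the read uses the already-resolved path or an opened file handle.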