Documentation
Overview ¶
Package middleware provides HTTP middleware, including per-IP rate limiting.
Index ¶
- func CORS(config CORSConfig) func(http.Handler) http.Handler
- func CSRFProtection(disabled bool) func(http.Handler) http.Handler
- func IsOriginAllowed(origin string, allowedOrigins []string) bool
- func MaxStorageCheck(sharedDir string, maxBytes int64) func(http.Handler) http.Handler
- func ParseTrustedProxies(raw string) []*net.IPNet
- func SecurityHeaders(enableHSTS bool, disableCSP bool) func(http.Handler) http.Handler
- type CORSConfig
- type RateLimiter
- type RateLimiterConfig
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func CORS ¶
func CORS(config CORSConfig) func(http.Handler) http.Handler
CORS middleware handles Cross-Origin Resource Sharing.
func CSRFProtection ¶ added in v0.2.0
func CSRFProtection(disabled bool) func(http.Handler) http.Handler
CSRFProtection implements the double-submit cookie pattern for CSRF protection. It sets a non-HttpOnly cookie with a random token and requires state-changing requests to include that token in the X-CSRF-Token header. Safe methods (GET, HEAD, OPTIONS) are exempt. Requests with non-browser content types or API auth headers are exempt. When disabled is true, all requests pass through without CSRF validation.
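The double-submit cookie check described above, written out as an added example (not this package's own implementation). The cookie name, the use of the Authorization header as the "API auth header", and the set of form content types are assumptions:

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"log"
	"net/http"
	"strings"
)

const csrfCookieName = "csrf_token" // assumed name; the package does not document its own
// csrfExempt: safe methods, an API auth header (assumed: Authorization), and content types a plain form cannot send without a CORS preflight.
func csrfExempt(r *http.Request) bool {
	if r.Method == http.MethodGet || r.Method == http.MethodHead || r.Method == http.MethodOptions ||
		r.Header.Get("Authorization") != "" {
		return true
	}
	ct := strings.ToLower(r.Header.Get("Content-Type"))
	for _, formType := range []string{"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"} {
		if strings.HasPrefix(ct, formType) {
			return false // a browser form can send this, so the token check applies
		}
	}
	return ct != "" // a missing type is treated like a form; e.g. application/json is exempt
}
// csrfProtect is the double-submit check: issue a readable random token cookie and require non-exempt requests to echo it in X-CSRF-Token.
func csrfProtect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie(csrfCookieName)
		if err != nil || c.Value == "" {
			buf := make([]byte, 32)
			if _, err := rand.Read(buf); err != nil {
				http.Error(w, "token generation failed", http.StatusInternalServerError)
				return
			}
			c = &http.Cookie{Name: csrfCookieName, Value: hex.EncodeToString(buf), Path: "/", Secure: r.TLS != nil, SameSite: http.SameSiteStrictMode}
			http.SetCookie(w, c) // HttpOnly stays false so same-origin JS can copy it into the header
		}
		if !csrfExempt(r) && subtle.ConstantTimeCompare([]byte(r.Header.Get("X-CSRF-Token")), []byte(c.Value)) != 1 {
			http.Error(w, "invalid CSRF token", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
func main() { // demo server: POST a form with and without X-CSRF-Token to see 403 vs 200
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", csrfProtect(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("ok\n")) }))))
}
```

A request that carries the header but no cookie is still rejected, because the freshly issued token cannot match a value the client guessed in advance.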
func IsOriginAllowed ¶
func IsOriginAllowed(origin string, allowedOrigins []string) bool
IsOriginAllowed checks whether an origin is in the allowed list.
func MaxStorageCheck ¶ added in v0.2.0
func MaxStorageCheck(sharedDir string, maxBytes int64) func(http.Handler) http.Handler
MaxStorageCheck rejects write requests when usage exceeds maxBytes. If maxBytes is 0, the check is disabled (unlimited storage).
func ParseTrustedProxies ¶ added in v0.2.0
func ParseTrustedProxies(raw string) []*net.IPNet
ParseTrustedProxies parses a comma-separated list of IPs/CIDRs into net.IPNet entries.
Types ¶
type CORSConfig ¶
type CORSConfig struct {
// AllowedOrigins is a list of origins allowed for CORS
// If empty, CORS is disabled (most secure for local file sharing)
AllowedOrigins []string
// AllowCredentials indicates whether credentials are allowed
AllowCredentials bool
}
CORSConfig holds CORS configuration.
func DefaultCORSConfig ¶
func DefaultCORSConfig() CORSConfig
DefaultCORSConfig returns a secure default CORS configuration. By default, CORS is disabled for security.
type RateLimiter ¶
type RateLimiter struct {
// contains filtered or unexported fields
}
RateLimiter enforces per-IP, per-tier rate limits.
func NewRateLimiter ¶
func NewRateLimiter(cfg RateLimiterConfig) *RateLimiter
NewRateLimiter creates a RateLimiter and starts a background goroutine that evicts stale entries every 5 minutes.
func (*RateLimiter) Close ¶
func (rl *RateLimiter) Close()
Close stops the background cleanup goroutine.
func (*RateLimiter) Middleware ¶
func (rl *RateLimiter) Middleware(next http.Handler) http.Handler
Middleware returns an http.Handler middleware that enforces rate limits.
type RateLimiterConfig ¶
type RateLimiterConfig struct {
// General rate: requests per minute for normal endpoints.
GeneralRate int
// AuthRate: requests per minute for auth endpoints (e.g. /auth/login).
AuthRate int
// UploadRate: requests per minute for upload endpoints.
UploadRate int
// Enabled can be set to false to skip rate limiting entirely.
Enabled bool
// TrustedProxies is a list of trusted proxy IPs/CIDRs.
// Only trust X-Forwarded-For/X-Real-IP from these sources.
TrustedProxies []*net.IPNet
}
RateLimiterConfig holds the rates for different endpoint tiers.
func DefaultRateLimiterConfig ¶
func DefaultRateLimiterConfig() RateLimiterConfig
DefaultRateLimiterConfig returns sensible defaults.