security: red-team audit hardening #7
Merged
…luster, ops
- Harden client IP extraction against X-Forwarded-For spoofing
- Sanitize upstream proxy headers (hop-by-hop, auth, X-Forwarded-*)
- Enforce JWT exp claim and minimum HMAC key length
- Secure load balancer health checks and sticky sessions
- Remove committed TLS private key from working tree; add .gitignore rules
- Prevent prototype pollution via safe config merging
- Apply TLS hardening options to Bun.serve
- Update CI and docs with security hardening
- Align tests with new secure defaults; 802/802 tests pass
…l certificate
- Update ClusterConfig reference with allowedEnvVars and workerScriptAllowlist
- Update HealthCheckConfig reference with failure/success thresholds, allowedSchemes, allowedHosts, method, expectedBody
- Fix LOAD_BALANCING.md threshold names and add restrict-targets best practice
- Add verification-certificate.json and VERIFICATION.md from VProtocol run
Verdict: HumanReviewRecommended (size cap + monoculture ρ)
The audit findings document is intentionally kept out of the mergeable tree; it can be regenerated locally and is now gitignored.
…examples/*.pem
- Add node-forge dev dependency and test/fixtures/tls-certs.ts helper
- Refactor tls-manager.test.ts and tls-integration.test.ts to use generated certs
- Fixes CI failures where examples/cert.pem and examples/key.pem are gitignored
Remove VERIFICATION.md and verification-certificate.json from tracked files; they are now gitignored. The verification summary will be posted as a PR comment.
Summary
Comprehensive security hardening pass following the red-team audit (findings document kept out of the mergeable tree per project convention).
Key fixes
- …(`server.requestIP`) as the only trusted direct address and walks `X-Forwarded-For` from right to left through validated trusted proxies.
- …`Connection` headers, attacker-controlled `X-Forwarded-*`, `Cookie`, `Authorization`, and `Proxy-Authorization`; rewrites `Host` and sets trusted forwarded headers.
- …`exp` claim and minimum HMAC key length per algorithm.
- …`incrementConnections`/`decrementConnections`.
- …`Bun.serve`, validates redirects, removes committed TLS key material from the working tree, pins CI deps, and prevents prototype pollution in config merging.
- …`examples/*.pem`.
Public API changes documented
- `ClusterConfig.allowedEnvVars` and `workerScriptAllowlist`
- `HealthCheckConfig.allowedSchemes`, `allowedHosts`, `method`, `expectedBody`, `failureThreshold`, `successThreshold`, `minHealthyTargets`
- `LoadBalancer.selectTarget(request, clientIP?)` and `incrementConnections`/`decrementConnections`
Verification
- `bun run build` ✅
- `bun test` — 802 pass / 0 fail ✅
- `bun run format:check` ✅
- `tests` workflow ✅
VProtocol verdict
Posted as a PR comment: HumanReviewRecommended (η = 0.804, ρ = 0.15; driven by PR size cap and monoculture correlation penalty).
Remaining manual step
CRIT-1 recommends rewriting git history to fully remove the old `examples/key.pem`/`examples/cert.pem` from history (e.g. `git filter-repo` / BFG). They are deleted and ignored in this branch but still exist in earlier commits.
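The right-to-left `X-Forwarded-For` walk described in the PR summary, as an added illustration that is not the project's own code: the socket address is the only value a client cannot forge, so the header is consulted only when that address belongs to a trusted proxy, and each hop is believed only as long as the hop that appended it is trusted. It assumes a plain set of trusted proxy IP strings (`trustedProxies`, a constructed allowlist) and a minimal syntactic IP check rather than CIDR matching.

```typescript
// Added example, not code from the PR. Resolves the client IP from the direct
// socket address and an X-Forwarded-For header, walking the header from right
// to left through a set of trusted proxies (constructed allowlist, no CIDRs).

const IPV4 = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;
const IPV6 = /^[0-9a-f:]+$/i; // loose check: enough to reject obvious junk

function looksLikeIP(s: string): boolean {
  return IPV4.test(s) || (s.includes(":") && IPV6.test(s));
}

export function resolveClientIP(
  directIP: string,
  xff: string | null,
  trustedProxies: ReadonlySet<string>,
): string {
  // A direct connection from an untrusted address: the header is attacker
  // controlled and must be ignored entirely.
  if (!trustedProxies.has(directIP) || !xff) return directIP;

  // The rightmost entry was appended by the nearest proxy, so it is
  // trustworthy exactly when that proxy is trusted; keep walking left only
  // while every hop we pass is itself a trusted proxy.
  const hops = xff.split(",").map((s) => s.trim()).filter(Boolean);
  let candidate = directIP;
  for (let i = hops.length - 1; i >= 0; i--) {
    const hop = hops[i];
    // Malformed entry: stop and report the last address we could vouch for
    // rather than a string the client wrote.
    if (!looksLikeIP(hop)) return candidate;
    candidate = hop;
    // First address that is not a trusted proxy is the real client.
    if (!trustedProxies.has(hop)) return hop;
  }
  // Every entry was a trusted proxy; the leftmost one is the best we have.
  return candidate;
}
```

A spoofed `X-Forwarded-For: 9.9.9.9` sent through a trusted proxy resolves to the address the proxy appended, not to `9.9.9.9`.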