quic: apply multiple security posture improvements#63483

Open

jasnell wants to merge 12 commits into

nodejs:mainfrom

jasnell:jasnell/more-quic-backend-improvements

Member

jasnell commented May 22, 2026 •

edited

Loading

Improve the security footing of the quic implementation with multiple improvements

Document that TLS certs used with QUIC connections are best when small (established practice)
Flip the default preferred address policy to 'ignore' (client's should opt in to switching paths)
Improve the rate limiting for connectionless responses (e.g. stateless resets, retry, immediately close, etc; limits potential DOS vector)
Add session creation rate limiting (limit the number of new sessions an endpoint can create per second; configurable)
Document the rate limiting mechanisms
Improve h3 header size limits
Add configurable peer cert verification
Enable net.BlockList support
Add stream idle timeout (slow loris DOS protection)

There are still a number of ergonomic issues with the API, particularly around streams, but the security details are shaping up nicely.

@nodejs/quic

Collaborator

nodejs-github-bot commented May 22, 2026

Review requested:

@nodejs/gyp
@nodejs/net
@nodejs/quic
@nodejs/security-wg

nodejs-github-bot added lib / src needs-ci labels

jasnell requested review from Ethan-Arrowood, Qard, mcollina and pimterry

May 22, 2026 04:24

jasnell changed the title ~~quic: add doc note about certificate size limitations~~ quic: apply multiple security posture improvements

Qard approved these changes

View reviewed changes

mcollina approved these changes

View reviewed changes

Member

mcollina left a comment

lgtm

codecov Bot commented May 22, 2026 •

edited

Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 90.34%. Comparing base (c9562dd) to head (026785c).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #63483      +/-   ##
==========================================
+ Coverage   90.30%   90.34%   +0.03%     
==========================================
  Files         730      730              
  Lines      234188   234403     +215     
  Branches    43919    43923       +4     
==========================================
+ Hits       211478   211761     +283     
+ Misses      14443    14372      -71     
- Partials     8267     8270       +3

Files with missing lines	Coverage Δ
lib/internal/blocklist.js	`91.33% <100.00%> (+0.02%)`	⬆️
lib/internal/quic/quic.js	`100.00% <100.00%> (ø)`
lib/internal/quic/stats.js	`100.00% <100.00%> (ø)`
lib/internal/quic/symbols.js	`100.00% <100.00%> (ø)`
src/node_sockaddr-inl.h	`90.09% <100.00%> (ø)`
src/node_sockaddr.cc	`70.00% <100.00%> (ø)`
src/node_sockaddr.h	`38.23% <ø> (ø)`

... and 34 files with indirect coverage changes

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

pimterry requested changes

View reviewed changes

doc/api/quic.md

src/quic/streams.cc

doc/api/quic.md

jasnell added 11 commits

May 23, 2026 14:42


          quic: add doc note about certificate size limitations

f4dc10f

Signed-off-by: James M Snell <jasnell@gmail.com>


          quic: flip preferred address policy default to 'ignore'

824f054

Signed-off-by: James M Snell <jasnell@gmail.com>
Assisted-by: Opencode:Opus 4.6


          quic: refine rate limiting

ad1cf16

Signed-off-by: James M Snell <jasnell@gmail.com>
Assisted-by: Opencode:Opus 4.6


          quic: add session creation rate limiting

Signed-off-by: James M Snell <jasnell@gmail.com>
Assisted-by: Opencode/Opus 4.6


          quic: cache timestamp for address lru cache

82546a4

Signed-off-by: James M Snell <jasnell@gmail.com>


          quic: add rate limiting docs

d95080e

Signed-off-by: James M Snell <jasnell@gmail.com>
Assisted-by: Opencode/Opus 4.6


          quic: handle h3 max header size option

7093cdf

Signed-off-by: James M Snell <jasnell@gmail.com>


          quic: improve peer cert verification

5ce13bb

On the client, add verifyPeer: 'auto', 'strict', and
'manual' modes. The 'strict' mode will reject invalid
certs at the handshake layer, while the 'manual' mode
allows the application to inspect the peer cert and decide
whether to trust it or not. The 'auto' mode is the default
and will reject invalid certs at a middle layer after the
onhandshake event.

Signed-off-by: James M Snell <jasnell@gmail.com>
Assisted-by: Opencode/Opus 4.6


          quic: add block list support for endpoints

df20b47

Signed-off-by: James M Snell <jasnell@gmail.com>
Assisted-by: Opencode/Opus 4.6


          src: improve token return value check

21cde0f

Signed-off-by: James M Snell <jasnell@gmail.com>


          quic: add stream idle timeout

fd6831a

Signed-off-by: James M Snell <jasnell@gmail.com>
Assisted-by: Opencode:Opus 4.6

jasnell force-pushed the jasnell/more-quic-backend-improvements branch from 4e502a0 to 4e752f6 Compare

May 23, 2026 22:41

jasnell requested a review from pimterry

May 23, 2026 22:42


          quic: support hostname verification

026785c

Signed-off-by: James M Snell <jasnell@gmail.com>

jasnell force-pushed the jasnell/more-quic-backend-improvements branch from 4e752f6 to 026785c Compare

May 23, 2026 22:45

Collaborator

nodejs-github-bot commented May 23, 2026

CI: https://ci.nodejs.org/job/node-test-pull-request/73644/

jasnell added the author ready label

Qard approved these changes

View reviewed changes

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

author ready lib / src needs-ci