feat: add origin validation and rate limiting for PDF endpoint
- Implemented origin checker middleware to prevent external sites from hotlinking the PDF generation endpoint - Added rate limiter (3 requests per minute per IP) to protect resource-intensive PDF operations - Configured allowed origins via ALLOWED_ORIGINS environment variable with localhost defaults for development
This commit is contained in:
juanatsap
@@ -18,9 +18,17 @@ DATA_DIR=data
|
||||
READ_TIMEOUT=15
|
||||
WRITE_TIMEOUT=15
|
||||
|
||||
# Security Configuration
|
||||
# Allowed origins for API access (comma-separated domains)
|
||||
# Prevents external sites from accessing your API/PDF endpoint
|
||||
# Leave empty for development (allows localhost)
|
||||
# Example for production: ALLOWED_ORIGINS=yourdomain.com,www.yourdomain.com
|
||||
ALLOWED_ORIGINS=
|
||||
|
||||
# Production Settings
|
||||
# Uncomment for production:
|
||||
# GO_ENV=production
|
||||
# TEMPLATE_HOT_RELOAD=false
|
||||
# READ_TIMEOUT=30
|
||||
# WRITE_TIMEOUT=30
|
||||
# ALLOWED_ORIGINS=yourdomain.com,www.yourdomain.com
|
||||
|
||||
Reference in New Issue
Block a user