feat: add comprehensive testing infrastructure and security hardening

- Enhanced CI/CD pipeline with coverage reporting, benchmarks, and artifact uploads
- Implemented rate limiter IP validation with proxy support and spoofing protection
- Added extensive Makefile test targets for coverage, benchmarks, and continuous testing
- Expanded middleware chain with request validation, size limits, and suspicious activity logging

.env.example

@@ -29,6 +29,26 @@ WRITE_TIMEOUT=15
 # Multiple domains: ALLOWED_ORIGINS=domain1.com,domain2.com,www.domain1.com
 ALLOWED_ORIGINS=
 
+# Rate Limiter Configuration
+# CRITICAL: Prevents IP spoofing attacks that bypass rate limiting
+#
+# BEHIND_PROXY: Set to true ONLY if behind a trusted reverse proxy (nginx, caddy, cloudflare)
+# - Development (default): false - Uses RemoteAddr only, immune to header spoofing
+# - Production behind proxy: true - Trusts X-Forwarded-For from proxy
+#
+# TRUSTED_PROXY_IP: Optional - IP address of your reverse proxy
+# - If set, only X-Forwarded-For headers from this IP are trusted
+# - Example: 127.0.0.1 (for local nginx), 10.0.0.1 (for load balancer)
+# - Leave empty to trust X-Forwarded-For from any source (less secure)
+#
+# Security Impact:
+# - BEHIND_PROXY=false (dev): Ignores all X-Forwarded-For headers, uses actual connection IP
+# - BEHIND_PROXY=true (prod): Trusts proxy, extracts client IP from X-Forwarded-For
+# - Logs all suspicious spoofing attempts for security monitoring
+#
+BEHIND_PROXY=false
+TRUSTED_PROXY_IP=
+
 # Production Settings
 # Uncomment for production:
 # GO_ENV=production
@@ -36,3 +56,7 @@ ALLOWED_ORIGINS=
 # READ_TIMEOUT=30
 # WRITE_TIMEOUT=30
 # ALLOWED_ORIGINS=yourdomain.com,www.yourdomain.com
+#
+# Production behind reverse proxy:
+# BEHIND_PROXY=true
+# TRUSTED_PROXY_IP=127.0.0.1