improve baseline HTTP security for no-reverse proxy deployment scenarios (#282)

* add baseline security headers

* only set HSTS header in HTTPS mode

* set request body size limit

* add request timeout

* enable rate limiting by default

* set cookie control header for api routes

* adjust cookie security settings

* review fixes

* reorder http server layers

* simplify middleware

* mirror default rate limit in example config file

* update deps

* remove override

* install trivy in nix shell

* setup trivyignore

* fix action tag

Author: wojcik91

.github/workflows/build-docker.yml

@@ -70,6 +70,9 @@ jobs:
 
       - name: Scan image with Trivy
         uses: aquasecurity/trivy-action@v0.36.0
+        env:
+          TRIVY_SHOW_SUPPRESSED: 1
+          TRIVY_IGNOREFILE: "./.trivyignore.yaml"
         with:
           image-ref: "${{ env.GHCR_REPO }}:${{ github.sha }}-${{ matrix.tag }}"
           format: "table"

.github/workflows/sbom.yml

@@ -34,6 +34,9 @@ jobs:
 
       - name: Create SBOM with Trivy
         uses: aquasecurity/trivy-action@v0.36.0
+        env:
+          TRIVY_SHOW_SUPPRESSED: 1
+          TRIVY_IGNOREFILE: "./.trivyignore.yaml"
         with:
           scan-type: 'fs'
           format: 'spdx-json'
@@ -44,6 +47,9 @@ jobs:
 
       - name: Create Docker image SBOM with Trivy
         uses: aquasecurity/trivy-action@v0.36.0
+        env:
+          TRIVY_SHOW_SUPPRESSED: 1
+          TRIVY_IGNOREFILE: "./.trivyignore.yaml"
         with:
           image-ref: "ghcr.io/defguard/defguard-proxy:${{ steps.vars.outputs.VERSION }}"
           scan-type: 'image'
@@ -54,6 +60,9 @@ jobs:
 
       - name: Create security advisory file with Trivy
         uses: aquasecurity/trivy-action@v0.36.0
+        env:
+          TRIVY_SHOW_SUPPRESSED: 1
+          TRIVY_IGNOREFILE: "./.trivyignore.yaml"
         with:
           scan-type: 'fs'
           format: 'json'
@@ -64,6 +73,9 @@ jobs:
 
       - name: Create Docker image security advisory file with Trivy
         uses: aquasecurity/trivy-action@v0.36.0
+        env:
+          TRIVY_SHOW_SUPPRESSED: 1
+          TRIVY_IGNOREFILE: "./.trivyignore.yaml"
         with:
           image-ref: "ghcr.io/defguard/defguard-proxy:${{ steps.vars.outputs.VERSION }}"
           scan-type: 'image'

.trivyignore.yaml

@@ -1,4 +1,4 @@
 vulnerabilities:
   - id: GHSA-w5hq-g745-h8pq
-    expired_at: 2026-04-30
-    statement: 'Not yet fixed in dependencies'
+    expired_at: 2026-05-23
+    statement: "Waiting for upstream patch in paraglide"

Cargo.toml

@@ -25,7 +25,7 @@ axum-server = { version = "0.8", features = ["tls-rustls"] }
 time = { version = "0.3", default-features = false }
 tokio = { version = "1", features = ["macros", "rt-multi-thread", "sync", "time"] }
 tokio-stream = "0.1"
-tower-http = { version = "0.6", features = ["fs", "trace"] }
+tower-http = { version = "0.6", features = ["fs", "trace", "timeout"] }
 # logging/tracing
 tracing = "0.1"
 tracing-subscriber = { version = "0.3", features = ["env-filter"] }

example-config.toml

@@ -7,6 +7,6 @@ http_port = 8080
 grpc_port = 50051
 
 log_level = "info"
-rate_limit_per_second = 0
-rate_limit_burst = 0
+rate_limit_per_second = 10
+rate_limit_burst = 100
 acme_staging = false

flake.lock

@@ -40,6 +40,7 @@
           buf
           # image signarute verification
           cosign
+          trivy
         ];
 
         # Specify the rust-src path (many editors rely on this)

flake.nix

@@ -1,5 +1,5 @@
 {
 	"devDependencies": {
-		"@tanstack/devtools-vite": "^0.3.11"
+		"@tanstack/devtools-vite": "^0.3.12"
 	}
 }