fix(安全): 关闭白名单时保留最小校验与默认白名单
实现 allow_insecure_http 并在关闭校验时执行最小格式验证 - 关闭 allowlist 时要求 URL 可解析且 scheme 合规 - 响应头过滤关闭时使用默认白名单策略 - 更新相关文档、示例与测试覆盖
This commit is contained in:
yangjianbo
@@ -273,7 +273,8 @@ Additional security-related options are available in `config.yaml`:
|
||||
- `cors.allowed_origins` for CORS allowlist
|
||||
- `security.url_allowlist` for upstream/pricing/CRS host allowlists
|
||||
- `security.url_allowlist.enabled` to disable URL validation (use with caution)
|
||||
- `security.response_headers.enabled` to disable response header filtering
|
||||
- `security.url_allowlist.allow_insecure_http` to allow http URLs when validation is disabled
|
||||
- `security.response_headers.enabled` to enable configurable response header filtering (disabled uses default allowlist)
|
||||
- `security.csp` to control Content-Security-Policy headers
|
||||
- `billing.circuit_breaker` to fail closed on billing errors
|
||||
- `server.trusted_proxies` to enable X-Forwarded-For parsing
|
||||
|
||||
Reference in New Issue
Block a user