feat(安全): 添加安全开关并完善测试流程
实现安全开关默认关闭与响应头透传逻辑 - URL 校验与响应头过滤支持开关并覆盖流式路径 - 非流式 Content-Type 透传/默认值按配置生效 - 接入 go test、golangci-lint 与前端 lint/typecheck - 补充相关测试与配置/文档说明
This commit is contained in:
yangjianbo
@@ -272,11 +272,19 @@ Additional security-related options are available in `config.yaml`:
|
||||
|
||||
- `cors.allowed_origins` for CORS allowlist
|
||||
- `security.url_allowlist` for upstream/pricing/CRS host allowlists
|
||||
- `security.url_allowlist.enabled` to disable URL validation (use with caution)
|
||||
- `security.response_headers.enabled` to disable response header filtering
|
||||
- `security.csp` to control Content-Security-Policy headers
|
||||
- `billing.circuit_breaker` to fail closed on billing errors
|
||||
- `server.trusted_proxies` to enable X-Forwarded-For parsing
|
||||
- `turnstile.required` to require Turnstile in release mode
|
||||
|
||||
If you disable URL validation or response header filtering, harden your network layer:
|
||||
- Enforce an egress allowlist for upstream domains/IPs
|
||||
- Block private/loopback/link-local ranges
|
||||
- Enforce TLS-only outbound traffic
|
||||
- Strip sensitive upstream response headers at the proxy
|
||||
|
||||
```bash
|
||||
# 6. Run the application
|
||||
./sub2api
|
||||
|
||||
Reference in New Issue
Block a user