fix: harden web API runtime controls

sirily
2026-03-11 12:48:10 +03:00
parent 9641678fa3
commit 24e3aa0bc0
7 changed files with 675 additions and 143 deletions

@@ -32,3 +32,8 @@
- User-caused provider failures are terminal for that request.
- Balance or quota exhaustion removes a key from active rotation.
- Provider-key state transitions must be audited.
## Web session posture
- Browser sessions use `Secure`, `HttpOnly`, `SameSite=Strict` cookies.
- State-changing cookie-authenticated endpoints accept requests only from the configured app/admin origins and require browser `Origin` or `Referer` metadata.
- The current API posture assumes a same-origin browser client. If cross-site embeds or third-party POST flows are introduced later, add an explicit CSRF token mechanism instead of relaxing the cookie/origin checks.
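
Review bot: The second bullet under "Web session posture" leaves the origin check underspecified: it does not say how the `Origin` or `Referer` value is compared against the configured app/admin origins, which header takes precedence when both are present, or which methods count as "state-changing". Suggest stating that the comparison is an exact scheme, host and port match (not a prefix or substring match on the `Referer` URL), that `Origin` is preferred when present, and that a request carrying neither header, or `Origin: null`, is rejected. The third bullet could also name where the configured origins are set so the doc and the runtime config stay in sync. Minor: add a blank line before the `## Web session posture` heading so it is not rendered as part of the preceding list.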