Harden API and runtime security controls #14

New Issue

Open

opened 2026-03-10 14:40:56 +03:00 by sirily · 0 comments

sirily commented 2026-03-10 14:40:56 +03:00

Owner

Copy Link

Problem
The current HTTP runtime has no request body size limits, no rate limiting/brute-force controls, and only minimal validation around generation inputs such as providerModel, resolutionPreset, batchSize, and imageStrength.

Why this matters
Even before the full frontend lands, these endpoints are exposed to abuse, denial-of-service patterns, and invalid payloads that should be rejected early.

Acceptance criteria

• Enforce request body size limits.
• Add rate limiting or equivalent abuse controls for auth and generation endpoints.
• Restrict generation inputs to supported models/presets/ranges.
• Review cookie/session settings and document the intended CSRF posture.

Problem The current HTTP runtime has no request body size limits, no rate limiting/brute-force controls, and only minimal validation around generation inputs such as `providerModel`, `resolutionPreset`, `batchSize`, and `imageStrength`. Why this matters Even before the full frontend lands, these endpoints are exposed to abuse, denial-of-service patterns, and invalid payloads that should be rejected early. Acceptance criteria - Enforce request body size limits. - Add rate limiting or equivalent abuse controls for auth and generation endpoints. - Restrict generation inputs to supported models/presets/ranges. - Review cookie/session settings and document the intended CSRF posture.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

feat/renewal-invoice-window

docs/payment-processor-selection-adr

No results found.

Labels

No items

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

sirily

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: sirily/nroxy#14