harden released pages and archive openspec change

2026-02-23 17:48:32 +08:00
parent 6e2ff9813e
commit e5d7700b36
47 changed files with 2126 additions and 141 deletions
--- a/.env.example
+++ b/.env.example
@@ -31,6 +31,7 @@ DB_CALL_TIMEOUT_MS=55000  # Must stay below worker timeout
 # Flask Configuration
 # ============================================================
 # Environment mode: development | production | testing
+# If omitted, runtime defaults to production (fail-safe)
 FLASK_ENV=development

 # Debug mode: 0 for production, 1 for development
@@ -43,6 +44,24 @@ SECRET_KEY=your-secret-key-change-in-production
 # Session timeout in seconds (default: 28800 = 8 hours)
 SESSION_LIFETIME=28800

+# JSON request payload upper bound in bytes (default: 262144 = 256KB)
+MAX_JSON_BODY_BYTES=262144
+
+# Route input-budget guardrails
+QUERY_TOOL_MAX_CONTAINER_IDS=200
+RESOURCE_DETAIL_DEFAULT_LIMIT=500
+RESOURCE_DETAIL_MAX_LIMIT=500
+
+# Trust boundary for forwarded headers (safe default: false)
+# Direct-exposure deployment (no reverse proxy): keep this false
+TRUST_PROXY_HEADERS=false
+# Required when TRUST_PROXY_HEADERS=true. Supports comma-separated IP/CIDR entries.
+# Example: TRUSTED_PROXY_IPS=127.0.0.1,10.0.0.0/24
+TRUSTED_PROXY_IPS=
+
+# CSP opt-in compatibility flag (default false = safer)
+CSP_ALLOW_UNSAFE_EVAL=false
+
 # ============================================================
 # Authentication Configuration
 # ============================================================