Captcha hardening: shared secret, 499 to 403, metrics polish #3
Merged
Commit: metrics polish
- Add wafsrv_attack_mode_active gauge for operator queries
- Rename attack_score_boost_applied_total to attack_score_boost_total
- Clarify attack_only_match_total help (strict subset of traffic_filter)
- Clarify attack_score_boost_total help: threshold crossings only
- Use target="-" in proxy no_backends recorder so Grafana renders it

Commit: 499 to 403, X-WAF-Action, Retry-After
- Switch Decision.CaptchaStatusCode default from 499 to 403
- Add X-WAF-Action header (captcha|block|throttle) to disambiguate
- Set rc.Decision in ip and limit middlewares for access-log
- Add Decision.BlockRetryAfter and RateLimit.RetryAfter (60s default)
- Emit Retry-After on block, soft block, blacklist, and 429
- Refactor isSoftBlocked and isBlacklisted to return remaining TTL
- Update tests for X-WAF-Action and Retry-After semantics

Commit: captcha shared secret
- Require Captcha.Secret >= 32 bytes when Captcha.Provider is set
- Fix forgeable waf_pass cookies caused by hardcoded default secret
- Warn at startup when Captcha.Provider uses memory storage
- Surface Secret in cfg/local.toml.dist, dashboard, builder import
- Add config_test cases: missing, short, valid, disabled
- Add e2e captcha tests covering the 499 to 403 migration
Summary
- Require Captcha.Secret (>= 32 bytes) when Captcha.Provider is set; fixes forgeable waf_pass cookies caused by the hardcoded default. Warn at startup when memory storage is used with multiple instances.
- Add X-WAF-Action: captcha|block|throttle so clients can disambiguate. Add Decision.BlockRetryAfter / RateLimit.RetryAfter (60s default).
- Add wafsrv_attack_mode_active gauge, rename attack_score_boost_applied_total → attack_score_boost_total, sharpen Help texts; proxy no_backends recorder uses target="-" so Grafana renders it.

Test plan
- make fmt lint is clean
- go test ./... passes (unit + decide + ip + limit + config)
- go test ./e2e -run TestCaptcha (captcha 403 + X-WAF-Action, escalation to soft block, throttle, composite-key isolation)
- Captcha.Provider set but no/short Captcha.Secret fails fast
- Captcha.Secret
- wafsrv_attack_mode_active and wafsrv_attack_score_boost_total
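The three changes the PR describes (fail-fast check on Captcha.Secret, the forgeable-cookie problem a hardcoded default secret creates, and the 403 / 429 + X-WAF-Action + Retry-After response shape) can be seen together in one small Go program. This is an added example written for this page, not wafsrv's code: the CaptchaConfig struct, the cookie layout "subject|expiry|HMAC", the function names, and the provider and secret strings are all assumptions; only the field names Captcha.Provider and Captcha.Secret, the 32-byte minimum, the header name and the status codes come from the PR text.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
	"time"
)

// CaptchaConfig is an assumed stand-in for wafsrv's Captcha config section;
// only the Provider and Secret field names are taken from the PR.
type CaptchaConfig struct {
	Provider string
	Secret   string
}

const minCaptchaSecretLen = 32

// validateCaptcha applies the fail-fast rule from the PR: a configured provider
// without a secret of at least 32 bytes is a startup error; a disabled provider
// needs no secret at all.
func validateCaptcha(c CaptchaConfig) error {
	if c.Provider == "" {
		return nil
	}
	if c.Secret == "" {
		return errors.New("captcha.secret is required when captcha.provider is set")
	}
	if len(c.Secret) < minCaptchaSecretLen {
		return fmt.Errorf("captcha.secret must be >= %d bytes, got %d", minCaptchaSecretLen, len(c.Secret))
	}
	return nil
}

// signPass mints a waf_pass-style cookie "<subject>|<expiry unix>|<base64url HMAC-SHA256>".
// The layout is assumed for this example; it is not wafsrv's actual cookie format.
func signPass(secret []byte, subject string, exp time.Time) string {
	payload := subject + "|" + strconv.FormatInt(exp.Unix(), 10)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(payload))
	return payload + "|" + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// verifyPass returns the subject only if the MAC was produced with this secret
// and the cookie has not expired. A cookie minted under a different (e.g. the
// old hardcoded default) secret fails the constant-time comparison.
func verifyPass(secret []byte, cookie string, now time.Time) (string, bool) {
	parts := strings.Split(cookie, "|")
	if len(parts) != 3 {
		return "", false
	}
	exp, err := strconv.ParseInt(parts[1], 10, 64)
	if err != nil || now.Unix() >= exp {
		return "", false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "|" + parts[1]))
	got, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(got, mac.Sum(nil)) {
		return "", false
	}
	return parts[0], true
}

// writeDecision emits the response shape the PR describes: 403 for captcha and
// block, 429 for throttle, X-WAF-Action naming the action so clients can tell
// them apart, and Retry-After in whole seconds when a wait is known.
func writeDecision(w http.ResponseWriter, action string, retryAfter time.Duration) {
	status := http.StatusForbidden
	if action == "throttle" {
		status = http.StatusTooManyRequests
	}
	w.Header().Set("X-WAF-Action", action)
	if retryAfter > 0 {
		w.Header().Set("Retry-After", strconv.Itoa(int(retryAfter.Seconds())))
	}
	w.WriteHeader(status)
}

// decisionResponse renders a decision and returns (status, X-WAF-Action, Retry-After).
func decisionResponse(action string, retryAfter time.Duration) (int, string, string) {
	rec := httptest.NewRecorder()
	writeDecision(rec, action, retryAfter)
	return rec.Code, rec.Header().Get("X-WAF-Action"), rec.Header().Get("Retry-After")
}

func main() {
	// A hardcoded default secret is public, so anyone can mint a cookie the WAF accepts
	// on every deployment that never overrode it. Secrets and subject are constructed samples.
	defaultSecret := []byte("change-me")
	operatorSecret := []byte("0123456789abcdef0123456789abcdef") // 32 bytes
	forged := signPass(defaultSecret, "203.0.113.7", time.Now().Add(time.Hour))
	_, okDefault := verifyPass(defaultSecret, forged, time.Now())
	_, okOperator := verifyPass(operatorSecret, forged, time.Now())
	fmt.Println("forged cookie accepted under default secret:", okDefault, "under operator secret:", okOperator)
	fmt.Println("config check:", validateCaptcha(CaptchaConfig{Provider: "example-provider", Secret: "short"}))
	code, act, ra := decisionResponse("throttle", 60*time.Second)
	fmt.Println("throttle response:", code, act, ra)
}
```

The length check alone does not make a secret strong; it only rules out the empty or trivially short values that a copied default config tends to carry. The real fix is that the secret is operator-supplied, so the value used to verify waf_pass is no longer discoverable from the source. The Retry-After header is emitted as an integer number of seconds, which is the form both browsers and well-behaved bots act on.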