improve baseline HTTP security for no-reverse proxy deployment scenarios#2782
Merged
wojcik91 merged 14 commits intorelease/2.0from Apr 23, 2026
Merged
improve baseline HTTP security for no-reverse proxy deployment scenarios#2782wojcik91 merged 14 commits intorelease/2.0from
wojcik91 merged 14 commits intorelease/2.0from
Conversation
There was a problem hiding this comment.
Pull request overview
This PR improves DefGuard Core’s baseline HTTP hardening for deployments where Core is exposed directly (no reverse proxy), by adding security headers, request limits, and per-IP rate limiting with sensible defaults.
Changes:
- Add a centralized security-headers middleware (incl. TLS-aware HSTS) and plumb TLS state via
AppState. - Apply global request body size limits (with a larger per-route override for network import) and a global request timeout that excludes SSE streams.
- Introduce per-IP rate limiting via
tower_governor, configurable via newDEFGUARD_RATELIMIT_*env vars.
Reviewed changes
Copilot reviewed 9 out of 10 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| crates/defguard_core/src/lib.rs | Adds timeout + body limits, restructures SSE routing, wires security headers middleware, and adds rate limiting in run_web_server. |
| crates/defguard_core/src/headers.rs | Implements security headers middleware and makes HSTS conditional on TLS. |
| crates/defguard_core/src/appstate.rs | Adds tls_active: Arc<AtomicBool> to app state. |
| crates/defguard_common/src/config.rs | Adds CLI/env config for rate limiting parameters. |
| crates/defguard_core/Cargo.toml | Adds tower_governor dependency. |
| Cargo.toml | Adds tower_governor to workspace deps and switches tower-http features to include timeout. |
| crates/defguard_setup/src/migration.rs | Updates AppState::new call-site with the new tls_active argument. |
| crates/defguard_core/tests/integration/api/common/mod.rs | Updates build_webapp call-site for new tls_active argument. |
| crates/defguard_core/tests/integration/api/proxy_certs.rs | Updates build_webapp call-site for new tls_active argument. |
| Cargo.lock | Locks new dependencies pulled in by tower_governor. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
j-chmielewski
approved these changes
Apr 23, 2026
This was referenced Apr 23, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Also forces uuid >14 frontend dependency to resolve trivy warning.
Resolves https://github.com/DefGuard/internal/issues/66