V1.4.0 security and coverage #15

Merged
jhanvi857 merged 5 commits into main from v1.4.0-security-and-coverage
May 5, 2026

@jhanvi857
Owner

Significantly hardened the HTTP parser, enforced strict cryptographic standards for authentication, and introduced a massive test suite verified by JaCoCo to guarantee architectural stability.

Security Hardening

  • HTTP Parser Defenses: Active blocking of CRLF injection, Null Byte (\x00) path traversals, and HTTP Request Smuggling via obfuscated Transfer-Encoding headers.
  • JWT Integrity: Enforced strict nioflow Issuer Pinning, Shannon entropy validation for the JWT_SECRET on application startup, and JTI claim support to mitigate token replay attacks.
  • Proxy Safety: Added explicit trusted proxy IP validation to RateLimitMiddleware to securely extract X-Forwarded-For headers without spoofing risks.
  • Type-Safe Routing: Introduced ctx.pathParamAsLong() and ctx.pathParamAsInt() to safely extract database IDs and prevent SQL injection at the controller boundary.

Quality Assurance & Test Infrastructure

  • 271 Total Unit and Integration Tests Executed.
  • 83.44% Instruction Coverage.
  • 71.69% Branch Coverage.
  • Core io.github.jhanvi857.nioflow.middleware and protocol packages: ~94% coverage.

Core Framework Improvements

  • Circuit Breaker Refactor: Rewrote state transitions (CLOSED, OPEN, HALF_OPEN) using AtomicReference with CAS (Compare-And-Swap) for absolute thread safety under massive concurrent load.
  • Metrics API: Added app.enableMetrics(token) for secure, token-gated access to Prometheus metrics.
  • Codebase Maintainability: Stripped redundant boilerplate comments across the core framework to improve readability for contributors.
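
The Proxy Safety item in the description above says X-Forwarded-For is read only behind validated trusted proxies. A Java sketch of that check, added here as an illustration and not nioflow's RateLimitMiddleware code; `ClientIpResolver`, `resolve` and the addresses are assumptions, and it assumes each trusted proxy appends its peer's address to the header:

```java
import java.util.Set;

// Added illustration; ClientIpResolver and resolve() are hypothetical names,
// not nioflow's API. Assumes every trusted proxy appends its peer's address.
public final class ClientIpResolver {
    private final Set<String> trustedProxies; // exact IPs of proxies you operate

    public ClientIpResolver(Set<String> trustedProxies) {
        this.trustedProxies = Set.copyOf(trustedProxies);
    }

    /** peerIp comes from the socket, never from a header; xff may be null. */
    public String resolve(String peerIp, String xff) {
        // A direct client can send any header it likes, so X-Forwarded-For is
        // ignored unless the connection itself comes from a trusted proxy.
        if (xff == null || !trustedProxies.contains(peerIp)) {
            return peerIp;
        }
        // Right-most entries were written by our own proxies. Walk right to
        // left and stop at the first hop that is not a trusted proxy; anything
        // further left was supplied by the client and is never consulted.
        String[] hops = xff.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (hop.isEmpty()) {
                return peerIp; // malformed list: fall back to the socket peer
            }
            if (!trustedProxies.contains(hop)) {
                return hop;
            }
        }
        return peerIp; // only trusted proxies listed: key on the peer itself
    }

    public static void main(String[] args) {
        // Constructed sample values (documentation and private address ranges).
        ClientIpResolver r = new ClientIpResolver(Set.of("10.0.0.5", "10.0.0.6"));
        // Direct client sending a forged header.
        System.out.println(r.resolve("198.51.100.7", "203.0.113.50"));
        // Client forged the first entry; two trusted proxies appended the rest.
        System.out.println(r.resolve("10.0.0.5", "203.0.113.50, 198.51.100.7, 10.0.0.6"));
        // Header present but empty.
        System.out.println(r.resolve("10.0.0.5", ""));
    }
}
```

Trusted entries are compared as strings here, so they must be stored in the same textual form the proxy writes, which matters most for IPv6 addresses.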

@vercel

vercel Bot commented May 5, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: core-http; Deployment: Ready; Actions: Preview, Comment; Updated (UTC): May 5, 2026 5:15am

@jhanvi857 jhanvi857 merged commit 52d1be5 into main May 5, 2026
7 checks passed