@rrd108 rrd108 released this 22 Jun 07:20

v1.0.0

Breaking: security.trustXForwardedFor now defaults to false

Previously the default was true, which let any client of a directly internet-facing app choose its own IP address by sending an X-Forwarded-For header, defeating per-IP limits and bans. If the app sits behind a trusted proxy that sets the header, explicitly set security: { trustXForwardedFor: true }.

🚀 Features

  • delayOnBan — 1-second delay before 429 when user is banned (was documented but not implemented)
  • Standard rate-limit headers — X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset on all responses
  • JSON 429 response body — Returns { error, retryAfter } instead of plain text for easier client handling
  • skipRoutes option — exempt paths from rate limiting without listing every protected route
  • Fail2ban export format — log.fail2ban writes ban events in fail2ban-compatible format for firewall-level blocking
  • Cache route match result to avoid duplicate findBestMatchingRoute() calls

🩹 Fixes

  • Default trustXForwardedFor to false (security hardening)
  • Prefix matching respects path segment boundaries (/api/v3 no longer matches /api/v3-secret)
  • IPv6 compatibility — sanitize colons in storage keys (2001:db8::1 → 2001_db8__1) for fs driver
  • Warn at build time if nitro.storage.shield is missing
  • Remove stray debug console.log from shield middleware
  • Playground scheduled tasks use correct names (shield:cleanBans, shield:cleanIpData)
  • Empty client plugin removed (no-op registration)
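The three behaviours above that decide which bucket a request is limited under (client-IP resolution under trustXForwardedFor, segment-aware prefix route matching, and colon-free storage keys for IPv6) are illustrated below in a standalone example. This is added illustration code, not the module's own implementation; the request object and route list are constructed samples.

```javascript
// Resolve the IP a rate limiter keys on.
// socketIp: the peer address of the accepted TCP connection (cannot be forged by the client).
// xff: the X-Forwarded-For header value, which any client may set to anything.
// Only when a trusted proxy in front of the app writes the header is its first entry meaningful.
function resolveClientIp(socketIp, xff, trustXForwardedFor) {
  if (!trustXForwardedFor || !xff) return socketIp;
  return xff.split(',')[0].trim();
}

// Prefix matching that honours path segment boundaries:
// "/api/v3" covers "/api/v3" and "/api/v3/users" but not "/api/v3-secret".
// The longest matching configured prefix wins; null means no route matched.
function findBestMatchingRoute(path, routes) {
  let best = null;
  for (const route of routes) {
    const prefix = route.endsWith('/') ? route : route + '/';
    const isMatch = path === route || path.startsWith(prefix);
    if (isMatch && (best === null || route.length > best.length)) best = route;
  }
  return best;
}

// The fs storage driver cannot take colons in keys, so IPv6 addresses are
// rewritten: "2001:db8::1" -> "2001_db8__1".
function sanitizeStorageKey(ip) {
  return ip.replace(/:/g, '_');
}

// Combine the steps: which route limit applies and which storage key counts the hits.
function bucketFor(req, config) {
  const ip = resolveClientIp(req.socketIp, req.headers['x-forwarded-for'], config.trustXForwardedFor);
  return {
    route: findBestMatchingRoute(req.path, config.routes),
    storageKey: sanitizeStorageKey(ip),
  };
}

// Constructed sample request: the connection comes from 203.0.113.5 but the
// client also sent an X-Forwarded-For header claiming a different address.
const sampleRequest = {
  socketIp: '203.0.113.5',
  path: '/api/v3/users',
  headers: { 'x-forwarded-for': '198.51.100.9' },
};
const routes = ['/api', '/api/v3'];
```

With trustXForwardedFor false (the new default) the bucket is keyed on 203.0.113.5; with it set to true the header value wins, which is only safe when a proxy you control rewrites that header.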

⚡ Performance

  • Log buffering — batch shield log writes in memory, flush every 5s; fire-and-forget (no await on hot path)
  • Reduce test ban duration 10s → 4s, cutting CI time by ~13s

📖 Documentation

  • Production Deployment section — Redis vs memory/fs tradeoffs
  • Fail2ban Integration section — full setup guide with filter and jail config
  • README defaults aligned with module defaults
  • Per-route ban override documented (was misleadingly marked as global-only)