Hashavatar API 0.9.0

@eldryoth eldryoth released this 17 May 15:05
Immutable release. Only release title and notes can be modified.
5debceb

hashavatar-api v0.9.0

  • Updated the service to hashavatar 0.9.0.
  • Updated documentation and security support notes for the 0.9.x release line.
  • Fixed demo-page console noise by disabling signed-link polling when S3 storage is not configured.
  • Hardened CSP behavior:
    • removed the deterministic nonce fallback
    • now fails closed with 503 if secure OS randomness is unavailable
    • kept nonce and hash support for inline demo scripts
    • disabled HTML caching for nonce-bearing pages
  • Hardened rate limiting by scoping limiter keys to route + resolved client IP, preventing attacker-controlled tenant/kind values from flushing limiter state.
  • Made generation-time metrics conversion saturating to avoid future integer truncation.
  • Added regression coverage for CSP behavior, signed-link UI gating, route/IP rate-limit keys, and metrics saturation.
  • Verified with formatting, release metadata checks, documentation checks, security invariant checks, clippy, unit tests, cargo-deny, cargo-audit, and local runtime smoke tests.
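
The rate-limit key change above, as an added example that is not code from hashavatar-api: it replays a constructed request trace against a small bounded limiter, once with keys that include request-supplied tenant/kind values and once with route + client IP keys. The bounded table with oldest-first eviction, the `/avatar` route, the limits and all function names are assumptions made for the illustration.

```rust
use std::collections::{HashMap, VecDeque};

// Assumed design: bounded counter table that evicts its oldest key when full.
struct Limiter { max_keys: usize, limit: u32, counts: HashMap<String, u32>, order: VecDeque<String> }

impl Limiter {
    fn new(max_keys: usize, limit: u32) -> Self {
        Limiter { max_keys, limit, counts: HashMap::new(), order: VecDeque::new() }
    }
    // Counts one request under `key`; true means the request is allowed.
    fn allow(&mut self, key: &str) -> bool {
        if !self.counts.contains_key(key) {
            if self.counts.len() == self.max_keys {
                if let Some(old) = self.order.pop_front() { self.counts.remove(&old); }
            }
            self.order.push_back(key.to_string());
            self.counts.insert(key.to_string(), 0);
        }
        let n = self.counts.get_mut(key).unwrap();
        *n += 1;
        *n <= self.limit
    }
}

// Hypothetical key that mixes in request-supplied fields.
fn key_with_request_fields(route: &str, ip: &str, tenant: &str, kind: &str) -> String {
    format!("{route}|{ip}|{tenant}|{kind}")
}
// Key scoped to route + resolved client IP, as in the release note.
fn key_route_ip(route: &str, ip: &str) -> String { format!("{route}|{ip}") }

// Replays a constructed trace: one client exhausts its limit, then a second
// client sends `n` requests, each with a new tenant value.
// Returns (requests allowed for the second client, first client still limited).
fn replay(scoped: bool, n: usize) -> (usize, bool) {
    let mut lim = Limiter::new(8, 3);
    let key = |ip: &str, tenant: &str| -> String {
        if scoped { key_route_ip("/avatar", ip) }
        else { key_with_request_fields("/avatar", ip, tenant, "cat") }
    };
    for _ in 0..4 { lim.allow(&key("198.51.100.7", "acme")); }
    let allowed = (0..n).filter(|i| lim.allow(&key("203.0.113.9", &format!("t{i}")))).count();
    (allowed, !lim.allow(&key("198.51.100.7", "acme")))
}

fn main() {
    println!("request-field keys: {:?}", replay(false, 20));
    println!("route + IP keys:    {:?}", replay(true, 20));
}
```

With request-field keys every new tenant value opens a fresh bucket and pushes older entries out of the table, so the limit is never reached and the first client's counter is lost; with route + IP keys the second client occupies one entry and is capped at the limit.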