Fix security issues found during pentest

- Add per-user API token limit (max 10) and name length validation (max 100 chars)
- Return 404 instead of 500 for "not found" errors in API responses
- Disable X-Powered-By header to make framework fingerprinting harder
- Enforce http/https protocol on proxy host upstream URLs
- Remove stale comment about OAuth users defaulting to admin role

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
fuomag9
2026-04-06 15:09:21 +02:00
parent d9fdaba031
commit 23bc2a0476
6 changed files with 56 additions and 4 deletions


@@ -11,6 +11,13 @@ export class ApiAuthError extends Error {
}
}
export class NotFoundError extends Error {
constructor(message: string) {
super(message);
this.name = "NotFoundError";
}
}
export type ApiAuthResult = {
userId: number;
role: string;
@@ -91,6 +98,12 @@ export function apiErrorResponse(error: unknown): NextResponse {
if (error instanceof ApiAuthError) {
return NextResponse.json({ error: error.message }, { status: error.status });
}
if (error instanceof NotFoundError) {
return NextResponse.json({ error: error.message }, { status: 404 });
}
if (error instanceof Error && error.message.toLowerCase().includes("not found")) {
return NextResponse.json({ error: error.message }, { status: 404 });
}
return NextResponse.json(
{ error: error instanceof Error ? error.message : "Internal server error" },
{ status: 500 }
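Review bot: The 500 fallthrough at the end of the hunk still sends `error.message` to the client for any `Error`, so database, filesystem and upstream error text keeps reaching API consumers even though the commit was meant to tighten error responses; prefer logging server-side and replying with a fixed body, e.g. `console.error(error); return NextResponse.json({ error: "Internal server error" }, { status: 500 });`. The substring heuristic `error.message.toLowerCase().includes("not found")` is also broad: any thrown error whose message happens to contain "not found" (an ORM "relation not found", a missing module) becomes a 404 with its raw message exposed, so callers should throw the new `NotFoundError` and this branch should be dropped or narrowed to a known error type. The end of `apiErrorResponse` lies outside the hunk, so I assume the closing `);` and `}` follow unchanged.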