v1.7.12: security hardening — CORS fix, security headers, fail-closed rate limiter, OpenAPI docs disabled by default, config auth privacy, webhook validation

2026-04-27 13:59:05 +02:00
parent c086fa4260
commit 3f983f8ca9
10 changed files with 312 additions and 13 deletions
--- a/backend/rate_limiter.py
+++ b/backend/rate_limiter.py
@@ -79,4 +79,5 @@ async def check_rate_limit(request: Request):
    except RateLimitExceeded:
        raise
    except Exception as exc:
-        logger.warning("Rate limiter Redis error; allowing request", error=str(exc))
+        logger.warning("Rate limiter Redis error; failing closed", error=str(exc))
+        raise RateLimitExceeded(retry_after=60) from None