fix(security): remediate all 16 findings from security audit

Address all findings from the 2026-04-11 security evaluation:

HIGH:
- SEC-001: Replace unbounded sync.Map PathCache with bounded LRU
  (hashicorp/golang-lru) to prevent memory exhaustion DoS

MEDIUM:
- SEC-003: Make panic stack traces configurable via STATIC_DEBUG env var
- SEC-004: Generate random multipart boundary per response (crypto/rand)
- SEC-005: Add MaxCompressSize (10MB) limit for on-the-fly gzip
- SEC-006: Apply path.Clean in CacheKeyForPath to prevent cache poisoning

LOW:
- SEC-007: Suppress server name disclosure (empty Name field)
- SEC-008: Sanitize control characters in access log URIs
- SEC-009: Remove deprecated PreferServerCipherSuites TLS option
- SEC-010: Handle template execution errors in directory listing
- SEC-011: Add MaxServeFileSize (1GB) hard limit for large file serving
- SEC-012: Add clarifying comment on CORS wildcard Vary behavior
- SEC-013: Document ETag 64-bit truncation rationale
- SEC-014: Set explicit MaxRequestBodySize (1024 bytes)
- SEC-015: Add MaxConnsPerIP config support for rate limiting
- SEC-016: Validate symlink targets during cache preload

Also updates dependencies:
- brotli v1.2.0 → v1.2.1
- klauspost/compress v1.18.4 → v1.18.5
- fasthttp v1.69.0 → v1.70.0

Author: jkyberneees

SECURITY_EVAL_2026-04-11.md

@@ -207,7 +207,7 @@ func runServe(args []string) {
 		}
 
 		// Pre-warm the path cache with every URL key the file cache knows about.
-		pathCache = security.NewPathCache()
+		pathCache = security.NewPathCache(security.DefaultPathCacheSize)
 		pathCache.PreWarm(stats.Paths, cfg.Files.Root, cfg.Security.BlockDotfiles)
 		if !effectiveQuiet {
 			log.Printf("path cache pre-warmed with %d entries", pathCache.Len())

cmd/static-web/main.go

@@ -5,11 +5,11 @@ go 1.26
 require (
 	github.com/BurntSushi/toml v1.6.0
 	github.com/hashicorp/golang-lru/v2 v2.0.7
-	github.com/klauspost/compress v1.18.4
-	github.com/valyala/fasthttp v1.69.0
+	github.com/klauspost/compress v1.18.5
+	github.com/valyala/fasthttp v1.70.0
 )
 
 require (
-	github.com/andybalholm/brotli v1.2.0 // indirect
+	github.com/andybalholm/brotli v1.2.1 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
 )

go.mod

@@ -1,14 +1,14 @@
 github.com/BurntSushi/toml v1.6.0 h1:dRaEfpa2VI55EwlIW72hMRHdWouJeRF7TPYhI+AUQjk=
 github.com/BurntSushi/toml v1.6.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
-github.com/andybalholm/brotli v1.2.0 h1:ukwgCxwYrmACq68yiUqwIWnGY0cTPox/M94sVwToPjQ=
-github.com/andybalholm/brotli v1.2.0/go.mod h1:rzTDkvFWvIrjDXZHkuS16NPggd91W3kUSvPlQ1pLaKY=
+github.com/andybalholm/brotli v1.2.1 h1:R+f5xP285VArJDRgowrfb9DqL18yVK0gKAW/F+eTWro=
+github.com/andybalholm/brotli v1.2.1/go.mod h1:rzTDkvFWvIrjDXZHkuS16NPggd91W3kUSvPlQ1pLaKY=
 github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
 github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
-github.com/klauspost/compress v1.18.4 h1:RPhnKRAQ4Fh8zU2FY/6ZFDwTVTxgJ/EMydqSTzE9a2c=
-github.com/klauspost/compress v1.18.4/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4=
+github.com/klauspost/compress v1.18.5 h1:/h1gH5Ce+VWNLSWqPzOVn6XBO+vJbCNGvjoaGBFW2IE=
+github.com/klauspost/compress v1.18.5/go.mod h1:cwPg85FWrGar70rWktvGQj8/hthj3wpl0PGDogxkrSQ=
 github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
-github.com/valyala/fasthttp v1.69.0 h1:fNLLESD2SooWeh2cidsuFtOcrEi4uB4m1mPrkJMZyVI=
-github.com/valyala/fasthttp v1.69.0/go.mod h1:4wA4PfAraPlAsJ5jMSqCE2ug5tqUPwKXxVj8oNECGcw=
+github.com/valyala/fasthttp v1.70.0 h1:LAhMGcWk13QZWm85+eg8ZBNbrq5mnkWFGbHMUJHIdXA=
+github.com/valyala/fasthttp v1.70.0/go.mod h1:oDZEHHkJ/Buyklg6uURmYs19442zFSnCIfX3j1FY3pE=
 github.com/xyproto/randomstring v1.0.5 h1:YtlWPoRdgMu3NZtP45drfy1GKoojuR7hmRcnhZqKjWU=
 github.com/xyproto/randomstring v1.0.5/go.mod h1:rgmS5DeNXLivK7YprL0pY+lTuhNQW3iGxZ18UQApw/E=

go.sum

@@ -76,6 +76,26 @@ func (c *Cache) Preload(root string, cfg PreloadConfig) PreloadStats {
 			return nil
 		}
 
+		// SEC-016: Validate symlink targets. If the entry is a symlink,
+		// resolve it and verify the target is still inside the root directory.
+		// This prevents preloading files that symlink outside the served root.
+		if d.Type()&os.ModeSymlink != 0 {
+			target, err := filepath.EvalSymlinks(fpath)
+			if err != nil {
+				stats.Skipped++
+				return nil
+			}
+			rootWithSep := absRoot
+			if !strings.HasSuffix(rootWithSep, string(filepath.Separator)) {
+				rootWithSep += string(filepath.Separator)
+			}
+			if target != absRoot && !strings.HasPrefix(target, rootWithSep) {
+				stats.Skipped++ // symlink escapes root
+				return nil
+			}
+			fpath = target
+		}
+
 		// Skip dotfile components.
 		if cfg.BlockDotfiles {
 			rel, relErr := filepath.Rel(absRoot, fpath)

internal/cache/preload.go

@@ -172,6 +172,13 @@ func Middleware(cfg *config.CompressionConfig, next fasthttp.RequestHandler) fas
 			return
 		}
 
+		// SEC-005: Skip on-the-fly compression for bodies that exceed the
+		// configured maximum. This prevents excessive memory allocation and
+		// CPU usage from compressing very large responses in-flight.
+		if cfg.MaxCompressSize > 0 && len(body) > cfg.MaxCompressSize {
+			return
+		}
+
 		// Compress the body using pooled gzip.Writer and bytes.Buffer.
 		buf := gzipBufPool.Get().(*bytes.Buffer)
 		buf.Reset()

internal/compress/compress.go

@@ -45,6 +45,10 @@ type ServerConfig struct {
 	IdleTimeout time.Duration `toml:"idle_timeout"`
 	// ShutdownTimeout is how long to wait for in-flight requests during shutdown.
 	ShutdownTimeout time.Duration `toml:"shutdown_timeout"`
+	// MaxConnsPerIP limits the number of concurrent connections from a single IP
+	// address. 0 means unlimited. Default: 0 (disabled).
+	// SEC-015: Rate-limiting defence against connection exhaustion attacks.
+	MaxConnsPerIP int `toml:"max_conns_per_ip"`
 }
 
 // FilesConfig holds file-serving settings.
@@ -55,6 +59,12 @@ type FilesConfig struct {
 	Index string `toml:"index"`
 	// NotFound is the path (relative to Root) of the custom 404 page.
 	NotFound string `toml:"not_found"`
+	// MaxServeFileSize is the maximum file size (in bytes) that will be served.
+	// Files exceeding this limit receive a 413 Payload Too Large response.
+	// This prevents a single request from loading an arbitrarily large file
+	// into memory. Default: 1 GB. Set to 0 to disable the limit.
+	// SEC-011: Hard upper bound for large file serving.
+	MaxServeFileSize int64 `toml:"max_serve_file_size"`
 }
 
 // CacheConfig holds in-memory cache settings.
@@ -89,6 +99,12 @@ type CompressionConfig struct {
 	Level int `toml:"level"`
 	// Precompressed enables serving pre-compressed .gz/.br sidecar files. Default: true.
 	Precompressed bool `toml:"precompressed"`
+	// MaxCompressSize is the maximum response body size (in bytes) eligible for
+	// on-the-fly gzip compression. Bodies exceeding this limit are served
+	// uncompressed to avoid excessive memory allocation and CPU usage.
+	// Default: 10 MB. Set to 0 to disable the limit.
+	// SEC-005: Bounds on-the-fly compression memory usage.
+	MaxCompressSize int `toml:"max_compress_size"`
 }
 
 // HeadersConfig controls HTTP response header settings.
@@ -154,6 +170,7 @@ func applyDefaults(cfg *Config) {
 
 	cfg.Files.Root = "./public"
 	cfg.Files.Index = "index.html"
+	cfg.Files.MaxServeFileSize = 1024 * 1024 * 1024 // 1 GB
 
 	cfg.Cache.Enabled = true
 	cfg.Cache.MaxBytes = 256 * 1024 * 1024   // 256 MB
@@ -163,6 +180,7 @@ func applyDefaults(cfg *Config) {
 	cfg.Compression.MinSize = 1024
 	cfg.Compression.Level = 5
 	cfg.Compression.Precompressed = true
+	cfg.Compression.MaxCompressSize = 10 * 1024 * 1024 // 10 MB
 
 	cfg.Headers.StaticMaxAge = 3600
 	cfg.Headers.HTMLMaxAge = 0
@@ -225,6 +243,11 @@ func applyEnvOverrides(cfg *Config) {
 	if v := os.Getenv("STATIC_FILES_NOT_FOUND"); v != "" {
 		cfg.Files.NotFound = v
 	}
+	if v := os.Getenv("STATIC_FILES_MAX_SERVE_FILE_SIZE"); v != "" {
+		if n, err := strconv.ParseInt(v, 10, 64); err == nil {
+			cfg.Files.MaxServeFileSize = n
+		}
+	}
 
 	if v := os.Getenv("STATIC_CACHE_ENABLED"); v != "" {
 		cfg.Cache.Enabled = strings.EqualFold(v, "true") || v == "1"
@@ -266,6 +289,11 @@ func applyEnvOverrides(cfg *Config) {
 			cfg.Compression.Level = n
 		}
 	}
+	if v := os.Getenv("STATIC_COMPRESSION_MAX_COMPRESS_SIZE"); v != "" {
+		if n, err := strconv.Atoi(v); err == nil {
+			cfg.Compression.MaxCompressSize = n
+		}
+	}
 
 	if v := os.Getenv("STATIC_SECURITY_BLOCK_DOTFILES"); v != "" {
 		cfg.Security.BlockDotfiles = strings.EqualFold(v, "true") || v == "1"
@@ -284,4 +312,9 @@ func applyEnvOverrides(cfg *Config) {
 	if v := os.Getenv("STATIC_HEADERS_ENABLE_ETAGS"); v != "" {
 		cfg.Headers.EnableETags = strings.EqualFold(v, "true") || v == "1"
 	}
+	if v := os.Getenv("STATIC_SERVER_MAX_CONNS_PER_IP"); v != "" {
+		if n, err := strconv.Atoi(v); err == nil {
+			cfg.Server.MaxConnsPerIP = n
+		}
+	}
 }

internal/config/config.go

@@ -187,8 +187,13 @@ func (h *FileHandler) serveDirectoryListing(ctx *fasthttp.RequestCtx, absDir, ur
 		return
 	}
 	// Render template to a buffer then write to ctx.
+	// SEC-010: Handle template execution errors instead of silently discarding.
 	var buf bytes.Buffer
-	_ = dirListTemplate.Execute(&buf, data)
+	if err := dirListTemplate.Execute(&buf, data); err != nil {
+		ctx.SetStatusCode(fasthttp.StatusInternalServerError)
+		ctx.SetBodyString("Internal Server Error: failed to render directory listing")
+		return
+	}
 	ctx.SetBody(buf.Bytes())
 }
 

internal/handler/dirlist.go

@@ -4,6 +4,7 @@ package handler
 
 import (
 	"bytes"
+	"crypto/rand"
 	"crypto/sha256"
 	"encoding/hex"
 	"errors"
@@ -335,7 +336,17 @@ func (h *FileHandler) serveFromDisk(ctx *fasthttp.RequestCtx, absPath, urlPath s
 // bypassing the in-memory cache but still supporting Range requests.
 // The file is read into memory to avoid issues with fasthttp's lazy body
 // evaluation closing the file descriptor before the body is consumed.
+// SEC-011: Enforces MaxServeFileSize to prevent a single request from
+// loading an arbitrarily large file into memory.
 func (h *FileHandler) serveLargeFile(ctx *fasthttp.RequestCtx, absPath, urlPath string, info os.FileInfo) {
+	// SEC-011: Reject files that exceed the configured hard maximum.
+	if h.cfg.Files.MaxServeFileSize > 0 && info.Size() > h.cfg.Files.MaxServeFileSize {
+		log.Printf("handler: file %q (%d bytes) exceeds max serve size (%d bytes)",
+			absPath, info.Size(), h.cfg.Files.MaxServeFileSize)
+		ctx.Error("Content Too Large", fasthttp.StatusRequestEntityTooLarge)
+		return
+	}
+
 	f, err := os.Open(absPath)
 	if err != nil {
 		if os.IsPermission(err) {
@@ -474,7 +485,13 @@ func (h *FileHandler) handleSecurityError(ctx *fasthttp.RequestCtx, err error) {
 	}
 }
 
-// computeETag returns the first 16 hex characters of sha256(data).
+// computeETag returns the first 16 hex characters of sha256(data), yielding a
+// 64-bit fingerprint of the file content.
+// SEC-013: The truncation to 8 bytes (64 bits) is intentional. With the birthday
+// paradox, collision probability reaches 1% at ~190 million files — well beyond
+// practical static-server workloads. The short ETag saves bandwidth on every
+// conditional request/response. If a stronger fingerprint is ever needed, the
+// full sha256 sum can be used instead.
 // Uses hex.EncodeToString on the first 8 bytes instead of fmt.Sprintf
 // to avoid formatting the full 32-byte hash and then truncating (PERF-004).
 func computeETag(data []byte) string {
@@ -572,6 +589,16 @@ func (h *FileHandler) LoadSidecar(path string) []byte {
 	return data
 }
 
+// generateBoundary returns a random MIME multipart boundary string.
+// SEC-004: Using a unique boundary per response prevents attackers from
+// predicting boundary values and crafting payloads that exploit multipart
+// parsing in downstream proxies or clients.
+func generateBoundary() string {
+	var buf [16]byte
+	_, _ = rand.Read(buf[:])
+	return hex.EncodeToString(buf[:])
+}
+
 // ---------------------------------------------------------------------------
 // Range request handling (replacement for http.ServeContent)
 // ---------------------------------------------------------------------------
@@ -612,7 +639,7 @@ func serveRange(ctx *fasthttp.RequestCtx, data []byte, rangeHeader string) {
 
 	// Multiple ranges — use multipart/byteranges.
 	contentType := string(ctx.Response.Header.Peek("Content-Type"))
-	boundary := "static_web_range_boundary"
+	boundary := generateBoundary() // SEC-004: random boundary per response
 
 	var buf bytes.Buffer
 	for _, r := range ranges {
@@ -656,7 +683,7 @@ func serveLargeFileRange(ctx *fasthttp.RequestCtx, data []byte, size int64, rang
 
 	// Multiple ranges — use multipart/byteranges.
 	contentType := string(ctx.Response.Header.Peek("Content-Type"))
-	boundary := "static_web_range_boundary"
+	boundary := generateBoundary() // SEC-004: random boundary per response
 
 	var buf bytes.Buffer
 	for _, r := range ranges {

internal/handler/file.go

@@ -2,8 +2,10 @@ package handler
 
 import (
 	"log"
+	"os"
 	"runtime/debug"
 	"strconv"
+	"strings"
 	"sync"
 	"time"
 
@@ -14,6 +16,12 @@ import (
 	"github.com/valyala/fasthttp"
 )
 
+// debugStackTraces controls whether full goroutine stack traces are logged on panic.
+// When false (default), only the panic value is logged, preventing sensitive internal
+// details from leaking. Set STATIC_DEBUG=1 to enable verbose stack traces.
+// SEC-003: Configurable panic stack trace verbosity.
+var debugStackTraces = os.Getenv("STATIC_DEBUG") == "1"
+
 // BuildHandler composes the full middleware chain and returns a ready-to-use
 // fasthttp.RequestHandler. The chain is (outer to inner):
 //
@@ -111,23 +119,62 @@ func loggingMiddlewareWithWriter(next fasthttp.RequestHandler, logger *log.Logge
 		}
 
 		method := string(ctx.Method())
-		uri := string(ctx.RequestURI())
+		// SEC-008: Sanitize the URI before logging to prevent control-character
+		// injection (e.g. \r\n) into log files which could enable log forgery.
+		uri := sanitizeForLog(string(ctx.RequestURI()))
 		logger.Print(formatAccessLogLine(method, uri, status, size, duration))
 	}
 }
 
 // recoveryMiddleware catches panics in the handler chain and returns a 500.
-// It logs the panic value and the full stack trace.
+// SEC-003: Full stack traces are only logged when STATIC_DEBUG=1 is set,
+// preventing sensitive internal details from leaking into production logs.
 func recoveryMiddleware(next fasthttp.RequestHandler) fasthttp.RequestHandler {
 	return func(ctx *fasthttp.RequestCtx) {
 		defer func() {
 			if rec := recover(); rec != nil {
-				stack := debug.Stack()
-				log.Printf("PANIC recovered: %v\n%s", rec, stack)
+				if debugStackTraces {
+					stack := debug.Stack()
+					log.Printf("PANIC recovered: %v\n%s", rec, stack)
+				} else {
+					log.Printf("PANIC recovered: %v (set STATIC_DEBUG=1 for stack trace)", rec)
+				}
 				// Only write the header if not already sent.
 				ctx.Error("Internal Server Error", fasthttp.StatusInternalServerError)
 			}
 		}()
 		next(ctx)
 	}
 }
+
+// sanitizeForLog replaces ASCII control characters (0x00–0x1F, 0x7F) with
+// their hex-escaped form (e.g. \x0a) to prevent log injection attacks where
+// crafted URIs containing \r\n could forge log entries.
+// SEC-008: Log sanitization for untrusted request data.
+func sanitizeForLog(s string) string {
+	// Fast path: no control characters → return as-is.
+	clean := true
+	for i := 0; i < len(s); i++ {
+		if s[i] < 0x20 || s[i] == 0x7f {
+			clean = false
+			break
+		}
+	}
+	if clean {
+		return s
+	}
+
+	var b strings.Builder
+	b.Grow(len(s))
+	for i := 0; i < len(s); i++ {
+		c := s[i]
+		if c < 0x20 || c == 0x7f {
+			b.WriteString(`\x`)
+			b.WriteByte("0123456789abcdef"[c>>4])
+			b.WriteByte("0123456789abcdef"[c&0x0f])
+		} else {
+			b.WriteByte(c)
+		}
+	}
+	return b.String()
+}