Conversation
added 3 commits
April 8, 2026 10:32
…ure overhaul
Security:
- Slow-loris defense with per-connection byte/time budgets
- HTTP request smuggling detection (reject TE + Content-Length)
- Keyed SipHash via RandomState for hash-flooding resistance
- Session hardening: HMAC-SHA256 signed cookies, LRU eviction, max_data_size guard, constant-time signature comparison
- Rate limiter bounded to 100K entries with two-pass LRU eviction
- Security headers middleware (helmet) — 11 pre-computed headers
- Request ID middleware for end-to-end correlation
Performance:
- Zero-heap-alloc route matching with ArrayVec (stack-allocated params)
- Header name interning — top 20 headers by length-first branching
- Clone elimination in cache key interpolation (direct slice pass)
- Dual-lane FNV-1a hash for fast static-route lookup
- AST-based handler analysis (acorn) with regex fallback for zero-copy access plans — skip materializing unused request fields
- Compressed static route responses (Brotli + Gzip pre-built at startup)
Architecture:
- Extracted parser.rs, response.rs, http_utils.rs from monolithic lib.rs
- Structured log macros (hn_info!, hn_warn!, hn_error!, hn_debug!)
- HTTP response builder consolidated in response.rs
DX & API:
- Full TypeScript declarations for all public APIs and sub-modules
- app.head() method registration
- app.health() convenience API (Rust static fast-path, zero JS dispatch)
- res.redirect() on response prototype
- Session, helmet, request-id, compress type exports in package.json
- session.d.ts with SessionStore, MemoryStore, RedisStore types
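An added example, not part of this pull request or the project's own parser: a header-phase framing check in Node-style JavaScript that implements the "reject TE + Content-Length" rule named in the commit above, and goes beyond it by also rejecting conflicting duplicate Content-Length values and non-numeric lengths, which give a front-end proxy and this server the same opportunity to disagree about where a request body ends. The function names (`parseHeaderBlock`, `checkFraming`, `vetRequestHead`) and the sample request heads are constructed for the example.

```javascript
// Added example (not the project's code): reject ambiguous request framing at
// the header phase, before any body bytes are read.

// Parse the raw head of an HTTP/1.1 request into a request line and
// [name, value] pairs. Names are lower-cased, values trimmed.
function parseHeaderBlock(raw) {
  const lines = raw.split('\r\n');
  const requestLine = lines.shift();
  const headers = [];
  for (const line of lines) {
    if (line === '') break; // blank line terminates the header block
    const idx = line.indexOf(':');
    if (idx <= 0) throw new Error('malformed header line: ' + line);
    headers.push([line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim()]);
  }
  return { requestLine, headers };
}

// Decide how the body is framed. Returns { ok: true, framing } or
// { ok: false, reason }. Any ambiguity is a hard reject.
function checkFraming(headers) {
  const te = headers.filter(([n]) => n === 'transfer-encoding').map(([, v]) => v);
  const cl = headers.filter(([n]) => n === 'content-length').map(([, v]) => v);

  // The rule from the commit message: both headers present means a proxy and
  // this server may pick different framings (CL.TE / TE.CL smuggling).
  if (te.length > 0 && cl.length > 0) {
    return { ok: false, reason: 'TE and Content-Length both present' };
  }
  if (cl.length > 0) {
    // Going beyond the commit message: repeated Content-Length is only
    // acceptable when every copy agrees, and the value must be a plain integer.
    if (new Set(cl).size > 1) return { ok: false, reason: 'conflicting Content-Length values' };
    if (!/^\d+$/.test(cl[0])) return { ok: false, reason: 'non-numeric Content-Length' };
    return { ok: true, framing: { kind: 'content-length', length: Number(cl[0]) } };
  }
  if (te.length > 0) {
    // Only a final "chunked" coding is a valid request-body framing.
    const codings = te.join(',').split(',').map((s) => s.trim().toLowerCase());
    if (codings[codings.length - 1] !== 'chunked') {
      return { ok: false, reason: 'unsupported Transfer-Encoding' };
    }
    return { ok: true, framing: { kind: 'chunked' } };
  }
  return { ok: true, framing: { kind: 'none' } };
}

function vetRequestHead(raw) {
  const { requestLine, headers } = parseHeaderBlock(raw);
  return { requestLine, ...checkFraming(headers) };
}

// Constructed samples: a classic CL.TE smuggling probe and a clean request.
const SMUGGLE_PROBE =
  'POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 6\r\n' +
  'Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nG';
const CLEAN_REQUEST =
  'POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello';
```

The check runs on the parsed head only, so it costs nothing per body byte and closes the ambiguity before a single byte of the body is attributed to this request or the next one on the connection.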
…otocol improvements
Security:
- Fix session fixation (regenerate ID on privilege change) and data size bombing
- Add slow-loris protection via header-phase wall-clock deadline
- Fix body-limit bypass (enforce actual body size, not just Content-Length)
- Guard probeHandlerForFastPath against side-effect leaks during compilation
Functionality:
- Fix response status access across audit-log, logger, otel (res._state.status)
- Fix CORS Vary header append (was overwriting)
- Make OpenAPI middleware functional (was no-op) — serves spec JSON and Swagger UI
- Make otel flushSpans() functional (was no-op)
- Fix TLS config override — explicit null now properly disables TLS
- Fix error handler access plans (no longer breaks all routes to generic_fallback)
- Fix AST analyzer to detect destructuring from req (const { query } = req)
- Add H3 handler fallback for malformed static responses
- Scope keep-alive timeout variable per request cycle (eliminates dead assignment)
- Restrict h2_handler visibility to pub(crate)
New middleware:
- audit-log, body-limit, circuit-breaker, csrf, env, error, ip-filter,
logger, multipart, openapi, otel
TypeScript:
- Fix session types, route method overloads, loadEnv mapped type, otel types
- Add comprehensive type definitions for all new middleware
Build:
- 0 compiler warnings (was 4)
- Gitignore planning files (PLAN.md, boost.md, dx.md)
bridge.js imports acorn for AST-based handler analysis but it was not declared in package.json, causing CI to fail on clean install.
No description provided.