refactor: enhance security headers and comment validation

- Added configurable comment author display names via environment variable
- Implemented content sanitization with control character filtering and length validation
- Enhanced security headers (CSP, HSTS, Referrer-Policy, Permissions-Policy) across backend and nginx
- Added proxy IP header controls with TRUST_PROXY_IP_HEADERS flag to prevent spoofing

Author: zerox80

backend/src/handlers/comments.rs

@@ -5,6 +5,7 @@ use axum::{
     Json,
 };
 use serde::{Deserialize, Serialize};
+use std::{env, sync::OnceLock};
 
 #[derive(Deserialize)]
 pub struct CreateCommentRequest {
@@ -32,6 +33,63 @@ pub struct Comment {
     pub created_at: String,
 }
 
+fn comment_author_display_name(claims: &auth::Claims) -> String {
+    static DISPLAY_NAME: OnceLock<Option<String>> = OnceLock::new();
+
+    let configured = DISPLAY_NAME.get_or_init(|| {
+        env::var("COMMENT_AUTHOR_DISPLAY_NAME")
+            .ok()
+            .and_then(|value| {
+                let trimmed = value.trim();
+                if trimmed.is_empty() {
+                    None
+                } else {
+                    Some(trimmed.to_string())
+                }
+            })
+    });
+
+    configured
+        .as_ref()
+        .cloned()
+        .unwrap_or_else(|| claims.sub.clone())
+}
+
+fn sanitize_comment_content(
+    raw: &str,
+) -> Result<String, (StatusCode, Json<ErrorResponse>)> {
+    let trimmed = raw.trim();
+
+    if trimmed.is_empty() {
+        return Err((
+            StatusCode::BAD_REQUEST,
+            Json(ErrorResponse {
+                error: "Comment content cannot be empty".to_string(),
+            }),
+        ));
+    }
+
+    if trimmed.len() > 1_000 {
+        return Err((
+            StatusCode::BAD_REQUEST,
+            Json(ErrorResponse {
+                error: "Comment too long (max 1000 characters)".to_string(),
+            }),
+        ));
+    }
+
+    let sanitized: String = trimmed
+        .chars()
+        .filter(|c| match c {
+            '\n' | '\r' | '\t' => true,
+            c if c.is_control() => false,
+            _ => true,
+        })
+        .collect();
+
+    Ok(sanitized)
+}
+
 pub async fn list_comments(
     State(pool): State<DbPool>,
     Path(tutorial_id): Path<String>,
@@ -141,24 +199,8 @@ pub async fn create_comment(
         ));
     }
 
-    // Validate content
-    if payload.content.trim().is_empty() {
-        return Err((
-            StatusCode::BAD_REQUEST,
-            Json(ErrorResponse {
-                error: "Comment content cannot be empty".to_string(),
-            }),
-        ));
-    }
-
-    if payload.content.len() > 1000 {
-        return Err((
-            StatusCode::BAD_REQUEST,
-            Json(ErrorResponse {
-                error: "Comment too long (max 1000 characters)".to_string(),
-            }),
-        ));
-    }
+    let comment_content = sanitize_comment_content(&payload.content)?;
+    let author = comment_author_display_name(&claims);
 
     let id = uuid::Uuid::new_v4().to_string();
     let now = chrono::Utc::now().to_rfc3339();
@@ -168,8 +210,8 @@ pub async fn create_comment(
     )
     .bind(&id)
     .bind(&tutorial_id)
-    .bind(&claims.sub)
-    .bind(&payload.content)
+    .bind(&author)
+    .bind(&comment_content)
     .bind(&now)
     .execute(&pool)
     .await
@@ -186,8 +228,8 @@ pub async fn create_comment(
     Ok(Json(Comment {
         id,
         tutorial_id,
-        author: claims.sub,
-        content: payload.content,
+        author,
+        content: comment_content,
         created_at: now,
     }))
 }

backend/src/main.rs

@@ -17,7 +17,7 @@ use axum::http::{
         AUTHORIZATION, CACHE_CONTROL, CONTENT_SECURITY_POLICY, CONTENT_TYPE, EXPIRES,
         PRAGMA, STRICT_TRANSPORT_SECURITY, X_CONTENT_TYPE_OPTIONS, X_FRAME_OPTIONS,
     },
-    HeaderValue, Method,
+    HeaderName, HeaderValue, Method,
 };
 use tower_http::cors::{AllowHeaders, AllowMethods, AllowOrigin, CorsLayer};
 use tower_http::limit::RequestBodyLimitLayer;
@@ -29,7 +29,45 @@ use tracing_subscriber;
 use tokio::signal;
 use std::net::SocketAddr;
 use std::io::ErrorKind;
-use tower_governor::key_extractor::SmartIpKeyExtractor;
+use tower_governor::key_extractor::{PeerIpKeyExtractor, SmartIpKeyExtractor};
+
+const PERMISSIONS_POLICY: HeaderName = HeaderName::from_static("permissions-policy");
+const REFERRER_POLICY: HeaderName = HeaderName::from_static("referrer-policy");
+const X_XSS_PROTECTION: HeaderName = HeaderName::from_static("x-xss-protection");
+const FORWARDED_HEADER: HeaderName = HeaderName::from_static("forwarded");
+const X_FORWARDED_FOR_HEADER: HeaderName = HeaderName::from_static("x-forwarded-for");
+const X_FORWARDED_PROTO_HEADER: HeaderName = HeaderName::from_static("x-forwarded-proto");
+const X_FORWARDED_HOST_HEADER: HeaderName = HeaderName::from_static("x-forwarded-host");
+const X_REAL_IP_HEADER: HeaderName = HeaderName::from_static("x-real-ip");
+
+fn parse_env_bool(key: &str, default: bool) -> bool {
+    env::var(key)
+        .ok()
+        .and_then(|value| {
+            match value.trim().to_ascii_lowercase().as_str() {
+                "1" | "true" | "yes" | "on" => Some(true),
+                "0" | "false" | "no" | "off" => Some(false),
+                _ => {
+                    tracing::warn!(key = %key, value = %value, "Invalid boolean env value; using default");
+                    None
+                }
+            }
+        })
+        .unwrap_or(default)
+}
+
+async fn strip_untrusted_forwarded_headers(mut request: Request, next: Next) -> Response {
+    {
+        let headers = request.headers_mut();
+        headers.remove(FORWARDED_HEADER);
+        headers.remove(X_FORWARDED_FOR_HEADER);
+        headers.remove(X_FORWARDED_PROTO_HEADER);
+        headers.remove(X_FORWARDED_HOST_HEADER);
+        headers.remove(X_REAL_IP_HEADER);
+    }
+
+    next.run(request).await
+}
 
 // Security headers middleware
 async fn security_headers(
@@ -75,10 +113,10 @@ async fn security_headers(
     // Content Security Policy - Environment-dependent for dev mode support
     let csp = if cfg!(debug_assertions) {
         // Development mode: Allow WebSocket for Vite HMR
-        "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self' ws: wss:; object-src 'none'; base-uri 'self'; form-action 'self';"
+        "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self' ws: wss:; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none';"
     } else {
         // Production mode: Strict CSP (no inline styles)
-        "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; connect-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self';"
+        "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; connect-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests;"
     };
 
     headers.insert(
@@ -105,6 +143,21 @@ async fn security_headers(
         X_FRAME_OPTIONS,
         HeaderValue::from_static("DENY"),
     );
+
+    headers.insert(
+        REFERRER_POLICY,
+        HeaderValue::from_static("no-referrer"),
+    );
+
+    headers.insert(
+        PERMISSIONS_POLICY,
+        HeaderValue::from_static("geolocation=(), microphone=(), camera=()"),
+    );
+
+    headers.insert(
+        X_XSS_PROTECTION,
+        HeaderValue::from_static("0"),
+    );
 
     response
 }
@@ -199,12 +252,25 @@ async fn main() {
 
     tracing::info!(origins = ?allowed_origins, "Configured CORS origins");
 
+    let trust_proxy_ip_headers = parse_env_bool("TRUST_PROXY_IP_HEADERS", false);
+    if trust_proxy_ip_headers {
+        tracing::info!("Trusting X-Forwarded-* headers for client IP extraction");
+    } else {
+        tracing::info!("Proxy headers will be stripped before rate limiting to prevent spoofing");
+    }
+
+    let login_key_extractor = if trust_proxy_ip_headers {
+        SmartIpKeyExtractor
+    } else {
+        PeerIpKeyExtractor
+    };
+
     // Configure rate limiting (average 1 request/sec for login, burst up to 5)
     let rate_limit_config = std::sync::Arc::new(
         GovernorConfigBuilder::default()
             .per_second(1)
             .burst_size(5)
-            .key_extractor(SmartIpKeyExtractor)
+            .key_extractor(login_key_extractor)
             .finish()
             .expect("Failed to build governor config"),
     );
@@ -217,11 +283,17 @@ async fn main() {
         .layer(RequestBodyLimitLayer::new(LOGIN_BODY_LIMIT))
         .layer(GovernorLayer::new(rate_limit_config));
 
+    let admin_key_extractor = if trust_proxy_ip_headers {
+        SmartIpKeyExtractor
+    } else {
+        PeerIpKeyExtractor
+    };
+
     let admin_rate_limit_config = std::sync::Arc::new(
         GovernorConfigBuilder::default()
             .per_second(1)
             .burst_size(3)
-            .key_extractor(SmartIpKeyExtractor)
+            .key_extractor(admin_key_extractor)
             .finish()
             .expect("Failed to build governor config for write routes"),
     );
@@ -276,7 +348,7 @@ async fn main() {
         .layer(RequestBodyLimitLayer::new(ADMIN_BODY_LIMIT))
         .layer(GovernorLayer::new(admin_rate_limit_config.clone()));
 
-    let app = Router::new()
+    let mut app = Router::new()
         .merge(login_router)
         // Auth routes
         .route("/api/auth/me", get(handlers::auth::me))
@@ -321,6 +393,10 @@ async fn main() {
         .layer(middleware::from_fn(security_headers))
         .with_state(pool);
 
+    if !trust_proxy_ip_headers {
+        app = app.layer(middleware::from_fn(strip_untrusted_forwarded_headers));
+    }
+
     // Get port from environment or use default
     let port_str = env::var("PORT").unwrap_or_else(|_| "8489".to_string());
     let port: u16 = match port_str.parse() {

nginx/frontend.conf

@@ -11,9 +11,13 @@ server {
     gzip_types text/plain text/css text/xml text/javascript application/javascript application/xml+rss application/json;
 
     # Security Headers
-    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; connect-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests;" always;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+    add_header X-Frame-Options "DENY" always;
     add_header X-Content-Type-Options "nosniff" always;
-    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "no-referrer" always;
+    add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
+    add_header X-XSS-Protection "0" always;
 
     # Cache static assets
     location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {