Deployment-Härtung + Podman-Container

- http.Server mit Timeouts (Slowloris) und Graceful Shutdown (SIGTERM)
- Adresse und DB-Pfad per Env (KVER_ADDR, KVER_DB)
- Security-Header global: nosniff, X-Frame-Options, Referrer-Policy, CSP
- Upload-Requests hart auf 17 MB gedeckelt (MaxBytesReader statt nur
  Multipart-Speichergrenze)
- Indizes für Feed-, Thread- und Vote-Queries
- middleware.RealIP für Logging/Rate-Limit hinter dem Reverse-Proxy
- Containerfile (Multi-Stage, Alpine, non-root) + Deploy-Doku in notes/

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
2026-06-11 07:00:09 +02:00
parent 925b00edf5
commit 50be342899
7 changed files with 248 additions and 18 deletions
+3
View File
@@ -128,6 +128,9 @@ func handleUserRename(w http.ResponseWriter, r *http.Request) {
func handleSetAvatar(w http.ResponseWriter, r *http.Request) {
uid := uidFromContext(r.Context())
// Wie bei handleCreateEntry: Request-Größe hart deckeln, bevor Multipart
// in Temp-Dateien streamen darf.
r.Body = http.MaxBytesReader(w, r.Body, maxUploadBytes)
if err := r.ParseMultipartForm(16 << 20); err != nil {
writeError(w, http.StatusBadRequest, "Ungültige Anfrage")
return