docs: proxy HSTS trust, middleware order, and Swagger gating

2026-05-06 20:13:56 +02:00
parent 537a7e3759
commit 60daeddbe4
+10 -2
@@ -171,13 +171,21 @@ server {
} }
``` ```
### Security headers and middleware ordering
When `RATE_LIMIT_TRUST_PROXY` is `true`, the application trusts `X-Forwarded-Proto` (among other forwarded headers) for HSTS and client IP derivation. Configure your reverse proxy to set trustworthy values and strip or overwrite any client-supplied forwarding headers before they reach the app.
Response caching uses `DecompressionMiddleware` before `DefaultRequestSizeLimitMiddleware`. Decompression is additionally capped internally so gzipped bodies cannot expand without limit before other limits apply.
In production (`GOYCO_ENV=production`), Swagger UI is not registered unless `SWAGGER_ENABLED=true`.
## API Documentation ## API Documentation
The API is fully documented with Swagger. The API is fully documented with Swagger (enabled for non-production environments, or when `SWAGGER_ENABLED=true`).
Once running, visit: Once running, visit:
- **Swagger UI**: `https://goyco.example.com/swagger/index.html` - **Swagger UI**: `https://goyco.example.com/swagger/index.html` (not served in production unless explicitly enabled via `SWAGGER_ENABLED`)
You can also use `curl` to get the API info, health check and even metrics: You can also use `curl` to get the API info, health check and even metrics:
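Review bot: The sentence "Response caching uses `DecompressionMiddleware` before `DefaultRequestSizeLimitMiddleware`" under "Security headers and middleware ordering" looks mis-worded: both middlewares act on request bodies, not on response caching, and the point the paragraph is making is that the size limit is applied to the decompressed body. Consider rewording to something like "Request handling runs `DecompressionMiddleware` before `DefaultRequestSizeLimitMiddleware`, so the size limit applies to the decompressed body" and, since the text says decompression "is additionally capped internally", stating what that cap is (or which setting controls it) so operators can reason about it. In the preceding paragraph, it would also help to say explicitly that `RATE_LIMIT_TRUST_PROXY` must stay `false` when no trusted proxy sits in front of the app, because with it set to `true` a client-supplied `X-Forwarded-Proto` would otherwise drive HSTS and client IP derivation; the name suggests it only affects rate limiting, and the new text widens its meaning without calling that out. The `SWAGGER_ENABLED` wording added in the "API Documentation" section is consistent with the new "In production (`GOYCO_ENV=production`)..." sentence, so no change needed there.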