Komu Wairagu

track go/issues/63369: Support Encrypted Client Hello(ECH)

1

Support Encrypted Client Hello(ECH). - https://github.com/golang/go/issues/63369 - https://github.com/caddyserver/caddy/issues/4221

- https://github.com/golang/go/issues/60229 In https://github.com/komuw/ong/pull/375 we added a fake test `ResponseRecorder` to overcome this limitation. This issue is to track what happens with the upstream proposal

issues/235: Improve ratelimiter accuracy.

1

Why: - Updates: https://github.com/komuw/ong/issues/235 - Fixes flaky tests ```sh go test -timeout 7m -count=10 -run=XXXX -bench=BenchmarkRl github.com/komuw/ong/middleware > {old,new}.txt benchstat old.txt new.tx goos: linux goarch: amd64 pkg: github.com/komuw/ong/middleware cpu: Intel(R)...

issues/92: http.NewResponseController

2

Fixes: https://github.com/komuw/ong/issues/92

add ability to log anything the user desires in the log middleware

1

Users of `ong` may desire to log somethings always, eg `customerID`, `email`, `picassoID`(see https://github.com/komuw/ong/issues/222), etc.

picasso for blocking bots

1

``` - In this work we present Picasso: a lightweight device class fingerprinting protocol that allows a server to verify the software and hardware stack of a mobile or desktop...

do we need to do anything about headers used for caching??

3

https://simonhearne.com/2022/caching-header-best-practices/ If we do anything here, we ought to aware of interaction of caching and Authorization http headers: https://httptoolkit.com/blog/bunny-cdn-caching-vulnerability/ Look at all auth headers: https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication

ong/client: check if vulnerable to ssrf in http redirection & dns rebinding

2

- https://dropbox.tech/security/bug-bounty-program-ssrf-attack

add rate limiter/blocker for bots

6

One way to do that is to; - generate current timestamp on server - embed that in the html pages that have a form - on the server, when page...