abe052b538
## 주요 변경사항 ### 신규 기능 - POST /recommend: 기술 스택 기반 인스턴스 추천 API - 아시아 리전 필터링 (Seoul, Tokyo, Osaka, Singapore) - 매칭 점수 알고리즘 (메모리 40%, vCPU 30%, 가격 20%, 스토리지 10%) ### 보안 강화 (Security 9.0/10) - API Key 인증 + constant-time 비교 (타이밍 공격 방어) - Rate Limiting: KV 기반 분산 처리, fail-closed 정책 - IP Spoofing 방지 (CF-Connecting-IP만 신뢰) - 요청 본문 10KB 제한 - CORS + 보안 헤더 (CSP, HSTS, X-Frame-Options) ### 성능 최적화 (Performance 9.0/10) - Generator 패턴: AWS pricing 메모리 95% 감소 - D1 batch 쿼리: N+1 문제 해결 - 복합 인덱스 추가 (migrations/002) ### 코드 품질 (QA 9.0/10) - 127개 테스트 (vitest) - 구조화된 로깅 (민감정보 마스킹) - 상수 중앙화 (constants.ts) - 입력 검증 유틸리티 (utils/validation.ts) ### Vultr 연동 수정 - relay 서버 헤더: Authorization: Bearer → X-API-Key Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
5.6 KiB
5.6 KiB
Security Features Quick Start
This guide helps you quickly set up and test the new authentication and rate limiting features.
Prerequisites
- Node.js and npm installed
- Cloudflare Wrangler CLI installed
- Development server running
Step 1: Configure API Key
For Development
Edit wrangler.toml and add:
[vars]
API_KEY = "dev-test-key-12345"
For Production
Use Cloudflare secrets (recommended):
wrangler secret put API_KEY
# Enter your secure API key when prompted
Step 2: Start Development Server
npm run dev
The server will start at http://127.0.0.1:8787
Step 3: Test Security Features
Option A: Automated Testing (Recommended)
# Set API key to match wrangler.toml
export API_KEY="dev-test-key-12345"
# Run automated tests
./test-security.sh
Option B: Manual Testing
Test 1: Health endpoint (public)
curl http://127.0.0.1:8787/health
# Expected: 200 OK with health status
Test 2: Protected endpoint without API key
curl http://127.0.0.1:8787/instances
# Expected: 401 Unauthorized
Test 3: Protected endpoint with invalid API key
curl -H "X-API-Key: wrong-key" http://127.0.0.1:8787/instances
# Expected: 401 Unauthorized
Test 4: Protected endpoint with valid API key
curl -H "X-API-Key: dev-test-key-12345" http://127.0.0.1:8787/instances
# Expected: 200 OK with instance data
Test 5: Check security headers
curl -I http://127.0.0.1:8787/health
# Expected: X-Content-Type-Options, X-Frame-Options, Strict-Transport-Security
Step 4: Test Rate Limiting (Optional)
Rate limits are:
/instances: 100 requests per minute/sync: 10 requests per minute
To test rate limiting, send many requests quickly:
# Send 101 requests to /instances
for i in {1..101}; do
curl -H "X-API-Key: dev-test-key-12345" \
http://127.0.0.1:8787/instances?limit=1
done
# After 100 requests, you should receive 429 Too Many Requests
Understanding Responses
Successful Request
{
"data": [...],
"pagination": {...},
"meta": {...}
}
Status: 200 OK
Missing/Invalid API Key
{
"error": "Unauthorized",
"message": "Valid API key required. Provide X-API-Key header.",
"timestamp": "2024-01-21T12:00:00.000Z"
}
Status: 401 Unauthorized
Headers: WWW-Authenticate: API-Key
Rate Limit Exceeded
{
"error": "Too Many Requests",
"message": "Rate limit exceeded. Please try again later.",
"retry_after_seconds": 45,
"timestamp": "2024-01-21T12:00:00.000Z"
}
Status: 429 Too Many Requests
Headers: Retry-After: 45
Common Issues
Issue: 401 Unauthorized with correct API key
Solution: Verify the API key in wrangler.toml matches your request:
# Check wrangler.toml
grep API_KEY wrangler.toml
# Or restart the dev server
npm run dev
Issue: Rate limit never triggers
Solution: Rate limits are per IP address. If you're behind a proxy or load balancer, all requests might appear to come from the same IP. This is expected behavior.
Issue: Missing security headers
Solution: Security headers are added by the addSecurityHeaders() function. Check that your server is running the latest code:
# Stop and restart
npm run dev
API Client Examples
JavaScript/Node.js
const API_KEY = 'dev-test-key-12345';
const API_URL = 'http://127.0.0.1:8787';
// Fetch instances
const response = await fetch(`${API_URL}/instances`, {
headers: {
'X-API-Key': API_KEY
}
});
const data = await response.json();
console.log(data);
Python
import requests
API_KEY = 'dev-test-key-12345'
API_URL = 'http://127.0.0.1:8787'
# Fetch instances
response = requests.get(
f'{API_URL}/instances',
headers={'X-API-Key': API_KEY}
)
data = response.json()
print(data)
cURL
# Basic request
curl -H "X-API-Key: dev-test-key-12345" \
http://127.0.0.1:8787/instances
# With query parameters
curl -H "X-API-Key: dev-test-key-12345" \
"http://127.0.0.1:8787/instances?provider=linode&limit=10"
# Trigger sync
curl -X POST \
-H "X-API-Key: dev-test-key-12345" \
http://127.0.0.1:8787/sync
Production Deployment
1. Set Production API Key
wrangler secret put API_KEY
# Enter a strong, random API key (e.g., from: openssl rand -base64 32)
2. Deploy
npm run deploy
3. Test Production
# Replace with your production URL and API key
curl -H "X-API-Key: your-production-key" \
https://your-worker.workers.dev/health
4. Monitor
Watch for:
- 401 responses (authentication failures)
- 429 responses (rate limit hits)
- Security header compliance
Next Steps
- Read
SECURITY.mdfor comprehensive security documentation - Read
IMPLEMENTATION_NOTES.mdfor technical implementation details - Set up monitoring for authentication failures and rate limit violations
- Consider implementing API key rotation (recommended: every 90 days)
Support
For issues or questions:
- Check
SECURITY.mdfor detailed documentation - Review
IMPLEMENTATION_NOTES.mdfor technical details - Run
./test-security.shto verify your setup - Check Cloudflare Workers logs for error messages
Security Best Practices
- Never commit API keys to version control
- Use different keys for development and production
- Rotate keys regularly (every 90 days recommended)
- Monitor authentication failures for security events
- Use HTTPS in production (enforced by Strict-Transport-Security header)
- Store production keys in Cloudflare Secrets, not environment variables