[PR #230] [CLOSED] docs: add security-hardened proxy.ts example and README section #404

Closed
opened 2026-05-06 12:39:39 +02:00 by BreizhHardware · 0 comments

📋 Pull Request Information

Original PR: https://github.com/cloudflare/vinext/pull/230
Author: @apuodesu
Created: 3/3/2026
Status: Closed

Base: main ← Head: docs/security-hardening-proxy-example


📝 Commits (1)

  • ec65b76 docs: add security-hardened proxy.ts example and README section

📊 Changes

2 files changed (+56 additions, -0 deletions)

View changed files

📝 README.md (+9 -0)
examples/app-router-cloudflare/proxy.ts (+47 -0)

📄 Description

Summary

Add a production-ready proxy.ts example to examples/app-router-cloudflare/ and a corresponding "Security hardening" section to the README.

Motivation

vinext v0.0.18 has strong built-in protections (URL normalization, path traversal prevention, internal header stripping, image endpoint validation). However, there's no guidance for users on adding security response headers or configuring explicit proxy route matchers for production deployments.

After deploying a vinext app to production (soulo.ai), I found that users benefit from a ready-to-use proxy template that adds:

  1. OWASP-recommended security headers — X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy
  2. Double-encoded path traversal detection — blocks %25xx and %5c patterns as defense-in-depth
  3. Explicit route matcher — ensures the proxy covers all paths including /api/*

Changes

  • examples/app-router-cloudflare/proxy.ts — New file. Documented, minimal, copy-pasteable security proxy
  • README.md — New "Security hardening" section after "Known limitations" pointing to the example

Testing

Deployed and verified on production (soulo.ai):

  • All four security headers present in responses
  • %2e%2e path traversal returns 400
  • No regressions in normal page rendering or API routing

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
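The PR's own proxy.ts is not reproduced on this page, so the following is an added, framework-neutral sketch of the three behaviours the description lists (baseline security headers, double-encoded traversal rejection, explicit route matcher). It is not the PR's code and not vinext's API: the `ProxyResponse` shape, the `MATCHER` pattern (which assumes framework static assets under `/_next/` are skipped), the header values and the function names are all assumptions. It only needs the standard `URL` class.

```typescript
// Added example, not the PR's proxy.ts. Framework-neutral: handlers exchange a
// plain ProxyResponse object instead of a framework Request/Response type.

/** OWASP-recommended baseline headers; the values are common defaults (assumed). */
export const SECURITY_HEADERS: Readonly<Record<string, string>> = {
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "DENY",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
};

/**
 * Explicit matcher (assumption): run on every path, /api/* included, except
 * framework static assets and the favicon, which never carry app content.
 */
export const MATCHER = /^\/(?!_next\/static\/|_next\/image\b|favicon\.ico$)/;

export interface ProxyResponse {
  status: number;
  headers: Record<string, string>;
  body: string;
}

/**
 * Defense-in-depth heuristic on the RAW path: a percent sign that is itself
 * percent-encoded (%25 followed by two hex digits, e.g. %252e for a hidden ".")
 * or an encoded backslash (%5c). Both survive a single decoding pass, so they
 * are checked before any normalization. Only the path is inspected; query
 * strings may legitimately contain a literal %25.
 */
export function hasDoubleEncodedTraversal(rawPath: string): boolean {
  return /%25[0-9a-f]{2}/i.test(rawPath) || /%5c/i.test(rawPath);
}

/** Baseline headers are applied last so a route cannot accidentally weaken them. */
export function withSecurityHeaders(res: ProxyResponse): ProxyResponse {
  return { ...res, headers: { ...res.headers, ...SECURITY_HEADERS } };
}

/**
 * The proxy entry point. `next` stands in for the framework's downstream
 * handler. WHATWG URL leaves percent-encoded bytes in the path untouched, so
 * url.pathname is still the raw form the heuristic needs.
 */
export function proxy(
  rawUrl: string,
  next: (pathname: string) => ProxyResponse,
): ProxyResponse {
  const pathname = new URL(rawUrl).pathname;
  if (!MATCHER.test(pathname)) return next(pathname); // outside the matcher: untouched
  if (hasDoubleEncodedTraversal(pathname)) {
    // Reject before the handler runs; even the error response gets the headers.
    return withSecurityHeaders({ status: 400, headers: {}, body: "Bad Request" });
  }
  return withSecurityHeaders(next(pathname));
}
```

To adapt this to a real proxy.ts, replace `ProxyResponse` with the framework's response type and copy `SECURITY_HEADERS` onto it with `headers.set`; the matcher and the raw-path check carry over unchanged.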
