updates to api protections

This commit is contained in:
Clippii
2026-06-28 16:01:57 +01:00
parent a274313ad1
commit 109eeebfb1
4 changed files with 32 additions and 10 deletions
+6 -5
@@ -117,17 +117,18 @@ PUBLIC_DATA_CACHE_STALE_MS=86400000
PUBLIC_DATA_PREWARM_INTERVAL_MS=300000
PUBLIC_DATA_COLD_TIMEOUT_MS=8000
VITE_STATIC_DATA=false
VITE_SITE_GATE=false
VITE_SITE_GATE=true
API_RATE_LIMIT_WINDOW_MS=60000
API_RATE_LIMIT_MAX=120
SITE_SESSION_SECRET=long-random-shared-secret
SITE_SESSION_TTL_SECONDS=43200
```
HTML responses set a signed, HttpOnly site-session cookie. `/api/*` and `/data/*`
requests must present that cookie and same-origin browser request metadata, so the
data is served to active site sessions instead of as an open public API. All PM2
web instances must share the same `SITE_SESSION_SECRET`.
Successful Turnstile verification sets signed, HttpOnly Turnstile and site-session
cookies. `/api/*` and `/data/*` requests must present those cookies plus
same-origin browser request metadata, so the data is served to verified active
site sessions instead of as an open public API. All PM2 web instances must share
the same `SITE_SESSION_SECRET`.
On startup, the web server preloads the critical public snapshots before
signalling PM2 `ready`: team leaderboard, player leaderboard, home teams, and
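Review bot: the new paragraph says `/api/*` and `/data/*` must present "those cookies plus same-origin browser request metadata", but the hunk documents neither which request metadata is checked nor how the Turnstile cookie is bounded; only `SITE_SESSION_TTL_SECONDS` appears, so the Turnstile cookie's lifetime and the Turnstile site/secret configuration it depends on are undocumented here. Please name the headers the server validates (for example whether it is `Sec-Fetch-Site`, `Origin` or `Referer`) and state the Turnstile cookie TTL alongside `SITE_SESSION_TTL_SECONDS`, since operators cannot tell from this text what a legitimate non-browser or extension-stripped request will be rejected on. The sample config also flips `VITE_SITE_GATE=false` to `VITE_SITE_GATE=true`; a sentence on what the cookie checks do when the gate is disabled (skipped, or still enforced) would remove an ambiguity this hunk introduces.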