This document tracks security features, vulnerabilities, mitigations, and ongoing security tasks for the Image Optimizer API.
Last Security Review: 2025-10-22 Overall Security Posture: A- (Strong)
- API Key Authentication - Cryptographically secure 32-byte keys
- Origin-Based Bypass - Trusted domain validation for frontend access
- Rate Limiting - Per-IP sliding window (100 req/min default)
- SSRF Protection - Private IP blocking, domain whitelist
- Input Validation - Comprehensive parameter sanitization
- File Upload Security - Size limits, type validation
- Resource Limits - Request timeouts, body limits, worker pools
- Cryptographically secure API key generation (32 bytes)
- Database-backed key storage with revocation support
- Origin-based authentication bypass for trusted domains
- Wildcard subdomain support (
*.sosquishy.io) - Configurable bypass rules for health/swagger endpoints
- Bearer token support in Authorization header
- Per-IP rate limiting with sliding window algorithm
- Configurable limits (default: 100 req/min)
- Proper HTTP 429 responses
- Environment variable configuration
- Enabled by default in production
- Private IP range blocking (RFC 1918, loopback)
- Cloud metadata endpoint blocking (169.254.169.254)
- DNS resolution validation
- Domain whitelist (cloudinary, imgur, unsplash, pexels)
- Configurable via ALLOWED_DOMAINS
- Quality: 1-100 range validation
- Dimensions: Non-negative integer checks
- Format: Whitelist validation (jpeg, png, webp, gif, avif)
- Sprite dimensions: Max 12288x12288 pixels
- Padding: 0-32 pixel range
- Interpolator: Whitelist validation
- 10MB hard limit per file
- 15MB total request body limit
- Content-Type validation
- LimitReader to prevent buffer overflow
- Proper file handle cleanup (defer Close)
- Body limit: 15MB
- Read timeout: 5 minutes
- Write timeout: 5 minutes
- Idle timeout: 10 minutes
- Batch processing: 4 worker pool limit
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY
- X-XSS-Protection: 1; mode=block
- Referrer-Policy: strict-origin-when-cross-origin
- Strict-Transport-Security (HTTPS only)
- Production mode hides internal errors
- Development mode shows detailed errors
- No stack trace leakage
- Graceful fallback for external tools (oxipng, cjpeg)
- All queries use parameterized statements
- No string concatenation in SQL
- Proper error handling
Status: IMPLEMENTED (2025-10-22) Location: api/routes/optimize.go
Issue: Small compressed files could expand to massive images causing memory exhaustion.
Mitigation:
- Max decoded pixels: 100 million (10,000 x 10,000)
- Validation after image decode
- Clear error message for oversized images
- Applies to both uploads and URL fetches
Test Coverage: Added in api/routes/optimize_test.go
Risk Level: Medium (mitigated by input validation) Location: api/services/image_service.go:367, 412
Issue: External commands executed for PNG/JPEG optimization:
oxipng- PNG lossless compressioncjpeg(MozJPEG) - JPEG optimization
Current Mitigations:
- β All parameters are validated integers from controlled sources
- β Quality: 1-100 range validation
- β OxiPNG level: 0-6 range validation
- β No user strings passed to commands
- β Graceful fallback if commands fail
Documentation: Inline comments added explaining safety (2025-10-22)
Recommendations:
- Consider sandboxing (seccomp, containers) for additional isolation
- Monitor and log when external tools fail
- Regular security updates for oxipng and mozjpeg binaries
Risk Level: Low (mitigated by timeouts) Location: api/services/image_service.go
Issue: Complex images could cause high CPU usage during processing.
Current Mitigations:
- β 5 minute read/write timeouts
- β Worker pool limits concurrent processing
- β Decompression bomb protection (max 100M pixels)
- β Rate limiting prevents DoS attempts
Recommendations:
- Add per-operation CPU time limits
- Monitor resource usage metrics
- Consider memory limits per request
# Authentication
API_KEY_AUTH_ENABLED=true
PUBLIC_OPTIMIZATION_ENABLED=false
TRUSTED_ORIGINS=https://sosquishy.io,https://www.sosquishy.io
# Rate Limiting
RATE_LIMIT_ENABLED=true
RATE_LIMIT_MAX=100
RATE_LIMIT_WINDOW=1m
# CORS
CORS_ORIGINS=https://sosquishy.io,https://www.sosquishy.io
# Domain Whitelist (restrict to known safe domains)
ALLOWED_DOMAINS=cloudinary.com,imgur.com,unsplash.com,pexels.com
# Environment
GO_ENV=production
PORT=8080# Disable all public access
API_KEY_AUTH_ENABLED=true
PUBLIC_OPTIMIZATION_ENABLED=false
TRUSTED_ORIGINS= # Empty - require API keys for all requests
# Aggressive rate limiting
RATE_LIMIT_MAX=50
RATE_LIMIT_WINDOW=1m
# Strict domain whitelist
ALLOWED_DOMAINS=cdn.yourdomain.com
# Environment
GO_ENV=production# Easier testing
API_KEY_AUTH_ENABLED=false
PUBLIC_OPTIMIZATION_ENABLED=true
TRUSTED_ORIGINS=http://localhost:3000,http://localhost:8080
RATE_LIMIT_ENABLED=true
RATE_LIMIT_MAX=1000
ALLOWED_DOMAINS= # Allow all domains in dev- API key authentication middleware (api/middleware/api_key_test.go)
- Origin-based bypass validation
- Domain whitelist validation
- Input validation (quality, dimensions, format)
- Decompression bomb protection (2025-10-22)
- Rate limit enforcement
- SSRF protection edge cases
- Image optimization workflows (api/routes/optimize_test.go)
- Spritesheet packing
- Batch processing under load
- Rate limit reset behavior
- Command execution failure scenarios
Run these tests before each release:
# 1. Run unit tests
cd api && go test ./... -v
# 2. Test API key authentication
curl -H "Authorization: Bearer invalid_key" https://api.sosquishy.io/optimize
# Expected: 401 Unauthorized
# 3. Test origin-based bypass
curl -H "Origin: https://sosquishy.io" https://api.sosquishy.io/optimize
# Expected: Works without API key
# 4. Test untrusted origin
curl -H "Origin: https://evil.com" https://api.sosquishy.io/optimize
# Expected: 401 Unauthorized
# 5. Test rate limiting
for i in {1..101}; do curl https://api.sosquishy.io/optimize; done
# Expected: HTTP 429 after 100 requests
# 6. Test SSRF protection
curl -F "url=http://169.254.169.254/latest/meta-data/" https://api.sosquishy.io/optimize
# Expected: 403 Forbidden
# 7. Test file size limit
curl -F "image=@large_file_11mb.jpg" https://api.sosquishy.io/optimize
# Expected: 413 Request Entity Too Large
# 8. Test decompression bomb
curl -F "image=@decompression_bomb.png" https://api.sosquishy.io/optimize
# Expected: 400 Bad Request with clear error messageMonitor logs for these patterns:
-
Authentication Failures
- Multiple invalid API key attempts from same IP
- Pattern:
"error": "Invalid or revoked API key"
-
Rate Limit Violations
- Sustained HTTP 429 responses
- Pattern:
"error": "Rate limit exceeded"
-
SSRF Attempts
- Blocked URL patterns (private IPs, metadata endpoints)
- Pattern:
"error": "URL domain not allowed"
-
Large File Attacks
- HTTP 413 responses
- Pattern:
exceeds maximum size
-
Decompression Bomb Attempts
- HTTP 400 with oversized decoded image
- Pattern:
exceeds maximum decoded size
- Check logs for IP address patterns
- Verify rate limiting is functioning
- Consider temporary IP ban if needed
- Review API key usage if authenticated
- Document the vulnerability details
- Assess impact and exploitability
- Develop fix and test thoroughly
- Deploy to production
- Update this SECURITY.md document
- Add security event logging (structured logging for auth failures, rate limits, SSRF)
- Implement API key expiration feature
- Add monitoring and alerting for suspicious patterns
- IP whitelisting for admin endpoints (/api/keys management)
- Database encryption (consider sqlcipher)
- Add per-operation memory limits
- Implement request ID tracking for audit trail
- Add Content Security Policy headers
- Implement key rotation mechanism
- Add OWASP dependency checking to CI/CD
- Consider Web Application Firewall (WAF) integration
If you discover a security vulnerability, please:
- Do NOT open a public GitHub issue
- Email security concerns to: [your security email]
- Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
Response timeline:
- Initial response: 24 hours
- Vulnerability assessment: 72 hours
- Fix deployment: Based on severity (Critical: 24-48h, High: 1 week, Medium: 2 weeks)
| Date | Type | Findings | Actions Taken |
|---|---|---|---|
| 2025-10-22 | Comprehensive Review | 8 categories reviewed, Grade A- | Implemented decompression bomb protection, documented command execution safety |
| 2025-10-21 | Origin Auth Implementation | Origin-based bypass feature added | Full test coverage, wildcard support |
- OWASP Top 10
- OWASP API Security Top 10
- CWE - Common Weakness Enumeration
- NIST Cybersecurity Framework
This document should be reviewed and updated:
- After each security review
- When new security features are implemented
- When vulnerabilities are discovered and fixed
- At minimum, quarterly
Next Review Due: 2026-01-22