v0.2.0
Released 2026-05-23 11:18:47 +00:00

Security & correctness:
- RateLimit keys on RemoteAddr by default; X-Forwarded-For honored only via
  WithTrustedProxies (closes rate-limit bypass + bucket-exhaustion DoS).
- WithMaxResponseBody returns ErrResponseTooLarge instead of silently
  truncating.
- Validate incoming X-Request-Id before propagating to logs/headers.
Fixes:
- retry no longer replays non-rewindable bodies or returns stale responses;
  ExponentialBackoff jitter no longer panics on tiny base.
- balancer returns an error on a malformed endpoint URL instead of panicking.
- Auth/DefaultHeaders middleware clone the request (RoundTripper contract).
New API: WithTrustedProxies, WithMaxKeys, ErrResponseTooLarge.
Internal: circuit breaker and retry now use internal/clock; HealthChecker
test coverage added (balancer ~41% -> ~87%).
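
One way to implement the keying rule from the first Security & correctness item, as an added example that is not this project's code: `clientKey`, `inAny` and `proxies` are hypothetical names, and the 10.0.0.0/8 proxy range and all addresses are constructed sample values.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Constructed sample configuration: the only trusted proxies are in 10.0.0.0/8.
var proxies = []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")}

func inAny(a netip.Addr, nets []netip.Prefix) bool {
	for _, p := range nets {
		if p.Contains(a.Unmap()) {
			return true
		}
	}
	return false
}

// clientKey (hypothetical helper) picks the address to rate-limit on.
// remoteAddr is r.RemoteAddr; xff is all X-Forwarded-For values joined by ",".
func clientKey(remoteAddr, xff string, trusted []netip.Prefix) string {
	peer, err := netip.ParseAddrPort(remoteAddr)
	if err != nil {
		return remoteAddr // unparseable peer: bucket on the raw string
	}
	key := peer.Addr().Unmap().String()
	if !inAny(peer.Addr(), trusted) {
		return key // direct client: any X-Forwarded-For it sent is ignored
	}
	// Trusted proxy: walk hops right to left; first untrusted hop is the client.
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		hop, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil {
			break // malformed or empty entry: fall back to the proxy address
		}
		if !inAny(hop, trusted) {
			return hop.Unmap().String()
		}
	}
	return key
}

func main() {
	fmt.Println(clientKey("203.0.113.7:51000", "198.51.100.1", proxies))
	fmt.Println(clientKey("10.0.0.5:443", "192.0.2.1, 198.51.100.9, 10.0.0.6", proxies))
}
```

The walk goes from the right because only the entries appended by trusted proxies are reliable; anything to the left of the first untrusted hop was supplied by the client.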