docs: add SECURITY-HARDENING.md (HTTP/2 bomb mitigation, NetworkPolicy, resource limits) #228
motsc wants to merge 2 commits into
Documents production hardening for ClickStack deployments:
- HTTP/2 bomb mitigation (Codex disclosure, June 2026): patched ingress controller versions for nginx, Apache, Envoy/Istio
- NetworkPolicy starter example for HyperDX UI/API
- Recommended HyperDX deployment resource limits (cgroup OOM bounds DoS)
- Caveats on exposing OTLP gRPC (port 4317, HTTP/2-only) publicly

No behavior changes — pure docs addition + two cross-references.
Deep Review
Scope: Docs-only PR — new
Most structural claims verified correct: the
🔴 P0/P1 — must fix
🟡 P2 — recommended
🔵 P3 nitpicks (4)
Reviewers (4): ce-correctness-reviewer, ce-project-standards-reviewer, ce-maintainability-reviewer, ce-learnings-researcher.
Testing gaps: No assertion that
Adds a production hardening guide. No behavior changes — pure docs addition.
What
- docs/SECURITY-HARDENING.md covering:
- README.md (new "Production Hardening" section)
- NOTES.txt footer
Why
Chart defaults are safe for development (Service ClusterIP, Ingress disabled), but production operators frequently flip Ingress on without considering the HTTP/2 termination layer. The June 2026 HTTP/2 bomb disclosure makes the pinning question urgent: nginx-ingress < 4.13.0 / Apache mod_http2 < 2.0.41 are exposed.
Out of scope
Customers who want stronger built-in defaults can follow the example values shown in the doc; not enforcing them here keeps the chart backward-compatible.