Security hardening (login)
Defensive hardening of the authentication path. No configuration or API changes — all existing environment variables, endpoints and the external /api/v1 programmatic API behave exactly as before.
- User enumeration removed. `validate_user` now always performs a password-hash comparison (against a constant decoy hash when the username does not exist), so response timing no longer reveals which usernames are valid.
- Constant-time CSRF validation. The submitted CSRF token is compared with `hmac.compare_digest` instead of `==`, removing a timing side-channel.
- Rate limiter can no longer be used as a memory-exhaustion DoS vector. The in-memory per-IP attempt tracker purges expired buckets and caps the number of tracked IPs (10,000), so it stays bounded even under a flood of spoofed/rotating source IPs (e.g. attacker-controlled `X-Forwarded-For`).
- `Retry-After` header on rate-limited (429) responses for both page-based and Basic Auth (popup) login.
- Login page marked non-cacheable (`Cache-Control: no-store`) so intermediaries don't cache the form or its CSRF token.
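The three mechanisms above (decoy-hash comparison for unknown users, constant-time token comparison, and a bounded per-IP rate limiter that emits a `Retry-After` value) as an added, stand-alone Python example. This is illustrative code written for this note, not the project's own implementation: the PBKDF2 parameters, the sample user store, the 5-attempts-per-60-seconds window and the `clock` injection are all assumptions made so the snippet runs offline.

```python
import hashlib
import hmac
import math
import os
import time
from collections import OrderedDict

# Hypothetical parameters, not taken from the project.
PBKDF2_ITERATIONS = 100_000
SALT_LEN = 16


def hash_password(password: str) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password, salt)."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt + digest


def check_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Constructed sample user store (assumption for the example).
USERS = {"admin": hash_password("correct horse battery staple")}

# Decoy hash computed once at start-up: a login attempt for an unknown
# username costs one full PBKDF2 derivation, the same as for a real one.
DECOY_HASH = hash_password(os.urandom(32).hex())


def validate_user(username: str, password: str) -> bool:
    stored = USERS.get(username)
    if stored is None:
        check_password(password, DECOY_HASH)  # burn the same work, then fail
        return False
    return check_password(password, stored)


def csrf_token_valid(submitted: str, expected: str) -> bool:
    # `==` returns at the first differing byte; compare_digest does not.
    return hmac.compare_digest(submitted.encode(), expected.encode())


class LoginRateLimiter:
    """Fixed-window per-IP failure counter with bounded memory.

    Every call purges expired buckets; if the table still exceeds max_ips,
    the least recently touched entries are evicted, so a flood of rotating
    source IPs cannot grow it without limit.
    """

    def __init__(self, max_attempts=5, window=60.0, max_ips=10_000, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.max_ips = max_ips
        self.clock = clock
        self._buckets = OrderedDict()  # ip -> (failures, window_start)

    def _purge(self, now: float) -> None:
        expired = [ip for ip, (_, start) in self._buckets.items() if now - start >= self.window]
        for ip in expired:
            del self._buckets[ip]

    def record_failure(self, ip: str) -> None:
        now = self.clock()
        self._purge(now)
        failures, start = self._buckets.pop(ip, (0, now))
        self._buckets[ip] = (failures + 1, start)  # re-insert as most recent
        while len(self._buckets) > self.max_ips:
            self._buckets.popitem(last=False)  # evict the oldest entry

    def retry_after(self, ip: str) -> int:
        """Seconds for the Retry-After header; 0 when the IP is not limited."""
        now = self.clock()
        self._purge(now)
        entry = self._buckets.get(ip)
        if entry is None or entry[0] < self.max_attempts:
            return 0
        return max(1, math.ceil(self.window - (now - entry[1])))

    def tracked_ips(self) -> int:
        return len(self._buckets)
```

Two caveats worth keeping in mind with this shape of limiter: a hard cap means an attacker who can rotate source addresses fast enough can evict their own counters along with everyone else's, so the cap bounds memory but does not by itself stop the brute force; and `X-Forwarded-For` should only be honoured when the request arrives from a proxy you control, otherwise the "IP" being tracked is whatever the client chose to send.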
Verified with the full test suite (95 passed, +9 new security tests).
Docker images
- `drakonis96/statainer:v0.9.19` / `:latest`
- `drakonis96/dockerstats:v0.9.19` / `:latest`
Multi-arch: linux/amd64, linux/arm64.