[PR #23892] [CLOSED] implements several security enhancement #17670

Closed
opened 2026-02-05 16:25:41 +03:00 by OVERLORD · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/immich-app/immich/pull/23892
Author: @LuckyCoders
Created: 11/14/2025
Status: Closed

Base: mainHead: main


📝 Commits (9)

  • 12afea6 Checkpoint before follow-up message
  • 44cb10b Checkpoint before follow-up message
  • f05fb98 feat: Add upload limit and improve album actions
  • ab405e1 Checkpoint before follow-up message
  • c11eccd Checkpoint before follow-up message
  • de35c0d Merge pull request #2 from LuckyCoders/cursor/bc-defcafd1-530c-4a34-b7e6-e6c77251fffe-6422
  • 41d4482 Merge pull request #1 from LuckyCoders/cursor/add-album-management-and-file-upload-limits-44ec
  • cb114f0 feat: Add security enhancements and rate limiting
  • 0826b9b Merge pull request #3 from LuckyCoders/cursor/security-audit-fix-vulnerabilities-and-document-70c1

📊 Changes

93 files changed (+2084 additions, -304 deletions)

View changed files

📝 docs/docs/install/environment-variables.md (+10 -0)
📝 i18n/af.json (+11 -2)
📝 i18n/ar.json (+10 -3)
📝 i18n/az.json (+11 -2)
📝 i18n/be.json (+11 -2)
📝 i18n/bg.json (+10 -3)
📝 i18n/bi.json (+11 -2)
📝 i18n/bn.json (+10 -1)
📝 i18n/ca.json (+10 -3)
📝 i18n/cs.json (+10 -3)
📝 i18n/cv.json (+11 -2)
📝 i18n/da.json (+10 -3)
📝 i18n/de.json (+10 -3)
📝 i18n/el.json (+10 -3)
📝 i18n/en.json (+26 -3)
📝 i18n/es.json (+10 -3)
📝 i18n/et.json (+10 -3)
📝 i18n/eu.json (+11 -2)
📝 i18n/fa.json (+11 -2)
📝 i18n/fi.json (+10 -3)

...and 73 more files

📄 Description

Description

This PR implements several security enhancements based on an audit:

  • Enhanced Cookie Security: Enforces the Secure flag and proper cleanup for all authentication cookies, mitigating session fixation/leakage, especially when TLS is terminated upstream.
  • HTTP Headers & Rate Limiting: Integrates helmet for essential security headers (e.g., HSTS, referrer policy) and express-rate-limit to prevent brute-force attacks on the global API and stricter limits for login/OAuth endpoints.
  • Tunable Security Configuration: Introduces a new security section in the configuration, allowing operators to easily adjust Secure cookie enforcement and rate-limiting parameters via environment variables.

Fixes # (issue)

How Has This Been Tested?

  • pnpm lint (in the server directory)

Screenshots (if appropriate)

Checklist:

  • I have performed a self-review of my own code
  • I have made corresponding changes to the documentation if applicable
  • I have no unrelated changes in the PR.
  • I have confirmed that any new dependencies are strictly necessary.
  • I have written tests for new code (if applicable)
  • I have followed naming conventions/patterns in the surrounding code
  • All code in src/services/ uses repositories implementations for database calls, filesystem operations, etc.
  • All code in src/repositories/ is pretty basic/simple and does not have any immich specific logic (that belongs in src/services/)

Please describe to which degree, if any, an LLM was used in creating this pull request.

An LLM was used to perform a security audit, identify vulnerabilities, suggest fixes, implement the code changes, and generate this pull request description and recommendations.


Open in Cursor Open in Web


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/immich-app/immich/pull/23892 **Author:** [@LuckyCoders](https://github.com/LuckyCoders) **Created:** 11/14/2025 **Status:** ❌ Closed **Base:** `main` ← **Head:** `main` --- ### 📝 Commits (9) - [`12afea6`](https://github.com/immich-app/immich/commit/12afea603c60e890b75ddc86777c44d2a9fba18e) Checkpoint before follow-up message - [`44cb10b`](https://github.com/immich-app/immich/commit/44cb10b84ea11d593d99ced188d8cf2d8bf3f3e0) Checkpoint before follow-up message - [`f05fb98`](https://github.com/immich-app/immich/commit/f05fb98731fc309c8a3e797448f7713f8d719ed9) feat: Add upload limit and improve album actions - [`ab405e1`](https://github.com/immich-app/immich/commit/ab405e107b774322095445ddb0c8b4946e64fe1d) Checkpoint before follow-up message - [`c11eccd`](https://github.com/immich-app/immich/commit/c11eccdc79854a785a11921abb15ce4371ceaeba) Checkpoint before follow-up message - [`de35c0d`](https://github.com/immich-app/immich/commit/de35c0d2fd2081ee422906b5f93e38ef617415e4) Merge pull request #2 from LuckyCoders/cursor/bc-defcafd1-530c-4a34-b7e6-e6c77251fffe-6422 - [`41d4482`](https://github.com/immich-app/immich/commit/41d4482ef498662af5397a56ece9239ed6338225) Merge pull request #1 from LuckyCoders/cursor/add-album-management-and-file-upload-limits-44ec - [`cb114f0`](https://github.com/immich-app/immich/commit/cb114f0bfe60d6d006da53d34a97d05e202c720d) feat: Add security enhancements and rate limiting - [`0826b9b`](https://github.com/immich-app/immich/commit/0826b9b8ced35de9ebb55df8a9faa6504dbe34d1) Merge pull request #3 from LuckyCoders/cursor/security-audit-fix-vulnerabilities-and-document-70c1 ### 📊 Changes **93 files changed** (+2084 additions, -304 deletions) <details> <summary>View changed files</summary> 📝 `docs/docs/install/environment-variables.md` (+10 -0) 📝 `i18n/af.json` (+11 -2) 📝 `i18n/ar.json` (+10 -3) 📝 `i18n/az.json` (+11 -2) 📝 `i18n/be.json` (+11 -2) 📝 `i18n/bg.json` (+10 -3) 📝 `i18n/bi.json` (+11 -2) 📝 `i18n/bn.json` (+10 -1) 📝 `i18n/ca.json` (+10 -3) 📝 `i18n/cs.json` (+10 -3) 📝 `i18n/cv.json` (+11 -2) 📝 `i18n/da.json` (+10 -3) 📝 `i18n/de.json` (+10 -3) 📝 `i18n/el.json` (+10 -3) 📝 `i18n/en.json` (+26 -3) 📝 `i18n/es.json` (+10 -3) 📝 `i18n/et.json` (+10 -3) 📝 `i18n/eu.json` (+11 -2) 📝 `i18n/fa.json` (+11 -2) 📝 `i18n/fi.json` (+10 -3) _...and 73 more files_ </details> ### 📄 Description ## Description This PR implements several security enhancements based on an audit: * **Enhanced Cookie Security**: Enforces the `Secure` flag and proper cleanup for all authentication cookies, mitigating session fixation/leakage, especially when TLS is terminated upstream. * **HTTP Headers & Rate Limiting**: Integrates `helmet` for essential security headers (e.g., HSTS, referrer policy) and `express-rate-limit` to prevent brute-force attacks on the global API and stricter limits for login/OAuth endpoints. * **Tunable Security Configuration**: Introduces a new `security` section in the configuration, allowing operators to easily adjust `Secure` cookie enforcement and rate-limiting parameters via environment variables. Fixes # (issue) ## How Has This Been Tested? - [x] `pnpm lint` (in the `server` directory) <details><summary><h2>Screenshots (if appropriate)</h2></summary> <!-- Images go below this line. --> </details> ## Checklist: - [x] I have performed a self-review of my own code - [x] I have made corresponding changes to the documentation if applicable - [x] I have no unrelated changes in the PR. - [x] I have confirmed that any new dependencies are strictly necessary. - [ ] I have written tests for new code (if applicable) - [x] I have followed naming conventions/patterns in the surrounding code - [x] All code in `src/services/` uses repositories implementations for database calls, filesystem operations, etc. - [x] All code in `src/repositories/` is pretty basic/simple and does not have any immich specific logic (that belongs in `src/services/`) ## Please describe to which degree, if any, an LLM was used in creating this pull request. An LLM was used to perform a security audit, identify vulnerabilities, suggest fixes, implement the code changes, and generate this pull request description and recommendations. --- <a href="https://cursor.com/background-agent?bcId=bc-5792c367-dce0-40c2-83e6-0324a6a72b95"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/open-in-cursor-dark.svg"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/open-in-cursor-light.svg"><img alt="Open in Cursor" src="https://cursor.com/open-in-cursor.svg"></picture></a>&nbsp;<a href="https://cursor.com/agents?id=bc-5792c367-dce0-40c2-83e6-0324a6a72b95"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/open-in-web-dark.svg"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/open-in-web-light.svg"><img alt="Open in Web" src="https://cursor.com/open-in-web.svg"></picture></a> --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
OVERLORD added the pull-request label 2026-02-05 16:25:41 +03:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: immich-app/immich#17670