
Security: Azreyo/Carbon

SECURITY.md

Security Policy

Supported Versions

Version   Supported
1.x       yes

Reporting a Vulnerability

If you discover a security vulnerability in Carbon HTTP Server, please report it responsibly:

  1. Do NOT open a public GitHub issue for security vulnerabilities
  2. Email your findings to the maintainers privately
  3. Include detailed steps to reproduce the vulnerability
  4. Allow reasonable time for a fix before public disclosure

Security Features

Carbon HTTP Server implements multiple layers of security:

SSL/TLS Encryption

  • Full HTTPS support with OpenSSL integration
  • Modern cipher suites with TLS 1.2+ support
  • ALPN (Application-Layer Protocol Negotiation) for HTTP/2
  • Configurable certificate and key paths

use_https = true
ssl_cert_path = ssl/cert/cert.pem
ssl_key_path = ssl/key/key.key

Security Headers

All responses include security headers by default:

Header                     Value                            Purpose
X-Content-Type-Options     nosniff                          Prevents MIME-type sniffing
X-Frame-Options            SAMEORIGIN                       Clickjacking protection
X-XSS-Protection           1; mode=block                    XSS filter protection
Content-Security-Policy    default-src 'self'               CSP protection
Strict-Transport-Security  max-age=31536000                 HTTPS enforcement (when enabled)
Referrer-Policy            strict-origin-when-cross-origin  Referrer information control

Rate Limiting

Dynamic rate limiting protects against abuse and DDoS attacks:

  • Configurable request limits per time window
  • CPU-based adaptive rate limiting
  • Per-IP tracking with automatic cleanup
  • Returns 429 Too Many Requests when limits exceeded
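The following is an added example of how the four points above fit together in C; it is illustration written for this page, not Carbon's own limiter, and the table size, window length, base limit and the linear CPU scaling are assumed values:

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Example per-IP fixed-window limiter (added illustration, not Carbon's code).
 * Table size, window length and base limit below are assumed values. */
#define RL_MAX_CLIENTS 256
#define RL_WINDOW_SECS 10
#define RL_BASE_LIMIT  50
#define RL_IP_LEN      46        /* fits an IPv6 text address plus NUL */

struct rl_entry {
    char     ip[RL_IP_LEN];
    time_t   window_start;
    unsigned count;
    int      used;
};

static struct rl_entry rl_table[RL_MAX_CLIENTS];

/* CPU-adaptive allowance: the per-window limit shrinks linearly with load,
 * down to half the base limit at 100% CPU (cpu_pct is 0..100). */
unsigned rl_effective_limit(unsigned cpu_pct)
{
    if (cpu_pct > 100) cpu_pct = 100;
    return RL_BASE_LIMIT - (RL_BASE_LIMIT * cpu_pct) / 200;
}

/* Automatic cleanup: forget clients idle for two full windows so the
 * table cannot be filled up by many one-off sources. */
void rl_cleanup(time_t now)
{
    for (int i = 0; i < RL_MAX_CLIENTS; i++)
        if (rl_table[i].used && now - rl_table[i].window_start >= 2 * RL_WINDOW_SECS)
            rl_table[i].used = 0;
}

/* Returns 1 if the request may proceed, 0 if the caller should answer
 * 429 Too Many Requests. A full table refuses new clients (fail closed). */
int rl_allow(const char *ip, time_t now, unsigned cpu_pct)
{
    struct rl_entry *e = NULL, *free_slot = NULL;

    for (int i = 0; i < RL_MAX_CLIENTS; i++) {
        if (!rl_table[i].used) {
            if (!free_slot) free_slot = &rl_table[i];
        } else if (strncmp(rl_table[i].ip, ip, RL_IP_LEN) == 0) {
            e = &rl_table[i];
            break;
        }
    }
    if (!e) {
        if (!free_slot) return 0;
        e = free_slot;
        memset(e, 0, sizeof *e);
        snprintf(e->ip, sizeof e->ip, "%s", ip);   /* bounded copy */
        e->window_start = now;
        e->used = 1;
    }
    if (now - e->window_start >= RL_WINDOW_SECS) { /* window rolled over */
        e->window_start = now;
        e->count = 0;
    }
    if (e->count >= rl_effective_limit(cpu_pct)) return 0;
    e->count++;
    return 1;
}

int main(void)
{
    int allowed = 0, refused = 0;
    for (int i = 0; i < 60; i++) {
        if (rl_allow("198.51.100.7", (time_t)1000, 0)) allowed++;
        else refused++;
    }
    printf("allowed=%d refused=%d\n", allowed, refused);
    return 0;
}
```

The limiter keys on the peer address only; behind a reverse proxy every request would share the proxy's IP, so a deployment in that position has to key on a trusted forwarded-address header instead.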

Input Validation & Sanitization

  • URL sanitization to prevent path traversal attacks
  • Request size limits (MAX_REQUEST_SIZE = 16384)
  • Filename and path validation
  • Buffer overflow protection with bounded string operations
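As an added illustration of the first and last points (this is example code written for this page, not Carbon's sanitizer; the MAX_PATH_LEN bound and the decision to reject rather than clamp a ".." that would leave the root are assumptions), the following normalises a request path once-decoded, bounded, and without ever climbing above the document root:

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_PATH_LEN 1024   /* assumed bound for the decoded path */

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode %XX escapes once into a bounded buffer. Rejects truncated escapes,
 * encoded NUL bytes and control characters. Returns 1 on success. */
static int url_decode(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            int h = hexval((unsigned char)in[i + 1]);
            int l = h < 0 ? -1 : hexval((unsigned char)in[i + 2]);
            if (h < 0 || l < 0) return 0;
            c = h * 16 + l;
            i += 2;
        }
        if (c < 0x20 || c == 0x7F) return 0;      /* also catches NUL */
        if (o + 1 >= outsz) return 0;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 1;
}

/* Produce a safe absolute path inside the document root: drops "." and empty
 * segments, resolves ".." against the segments already accepted, refuses a
 * ".." that would leave the root, and refuses backslashes. Returns 1 if safe. */
int sanitize_path(const char *raw, char *out, size_t outsz)
{
    char dec[MAX_PATH_LEN];
    const char *segs[MAX_PATH_LEN / 2];
    size_t lens[MAX_PATH_LEN / 2];
    int depth = 0;

    if (!url_decode(raw, dec, sizeof dec)) return 0;
    if (dec[0] != '/' || strchr(dec, '\\')) return 0;

    char *p = dec + 1;
    while (*p) {
        char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0 || (len == 1 && p[0] == '.')) {
            /* "//" or "/./": nothing to add */
        } else if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (depth == 0) return 0;             /* would escape the root */
            depth--;
        } else {
            segs[depth] = p;
            lens[depth] = len;
            depth++;
        }
        if (!end) break;
        p = end + 1;
    }

    size_t o = 0;
    if (outsz < 2) return 0;
    out[o++] = '/';
    for (int i = 0; i < depth; i++) {
        if (o + lens[i] + 1 >= outsz) return 0;   /* bounded write */
        memcpy(out + o, segs[i], lens[i]);
        o += lens[i];
        if (i + 1 < depth) out[o++] = '/';
    }
    out[o] = '\0';
    return 1;
}

int main(void)
{
    /* constructed sample paths */
    const char *samples[] = { "/a/../b", "/../etc/passwd", "/%2e%2e/secret", "/a/./b//c/", "/index%00.html" };
    char out[MAX_PATH_LEN];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s -> %s\n", samples[i],
               sanitize_path(samples[i], out, sizeof out) ? out : "REJECTED");
    return 0;
}
```

Decoding exactly once before normalising matters: normalising first and decoding afterwards lets an encoded "%2e%2e" reappear as ".." after the check has passed.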

Memory Safety

  • Stack protector enabled (-fstack-protector-strong)
  • FORTIFY_SOURCE level 2
  • Position Independent Executable (PIE)
  • RELRO (Relocation Read-Only) linking
  • No strict overflow (-fno-strict-overflow)

Docker Security

When running in Docker, additional security measures are applied:

security_opt:
  - no-new-privileges:true
cap_drop:
  - ALL
read_only: true

  • Non-root user execution (carbon:carbon)
  • Dropped capabilities
  • Read-only root filesystem
  • Temporary filesystem for /tmp
  • No privilege escalation

Secure Configuration Recommendations

Production Checklist

  1. Enable HTTPS

    use_https = true
    
  2. Use valid SSL certificates

    • Obtain certificates from a trusted CA (e.g., Let's Encrypt)
    • Keep private keys secure with proper file permissions
  3. Set appropriate log mode

    log_mode = classic  # Avoid debug/advanced in production
    
  4. Limit connections and threads

    max_threads = 4
    max_connections = 1024
    
  5. Restrict network binding

    server_name = 127.0.0.1  # Or specific interface
    
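The five steps above can be checked mechanically. The example below is added for this page and is not Carbon's own configuration loader: it parses the "key = value  # comment" lines shown in the checklist and reports any step that is not met. The key names come from the checklist; the thresholds in cfg_check (at most 8 threads, at most 4096 connections) are assumptions:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Example checklist validator (added code, not Carbon's). */
struct cfg {
    int  use_https;
    int  max_threads;
    int  max_connections;
    char log_mode[32];
    char server_name[64];
};

static void trim(char *s)
{
    char *start = s;
    while (isspace((unsigned char)*start)) start++;
    size_t n = strlen(start);
    while (n && isspace((unsigned char)start[n - 1])) n--;
    memmove(s, start, n);
    s[n] = '\0';
}

/* Parse one "key = value  # comment" line. Returns 1 if a known key was set. */
int cfg_parse_line(struct cfg *c, const char *line)
{
    char buf[256], *eq, *hash;
    snprintf(buf, sizeof buf, "%s", line);
    if ((hash = strchr(buf, '#'))) *hash = '\0';      /* strip trailing comment */
    if (!(eq = strchr(buf, '='))) return 0;
    *eq = '\0';
    char *key = buf, *val = eq + 1;
    trim(key);
    trim(val);
    if      (!strcmp(key, "use_https"))       c->use_https = !strcmp(val, "true");
    else if (!strcmp(key, "max_threads"))     c->max_threads = atoi(val);
    else if (!strcmp(key, "max_connections")) c->max_connections = atoi(val);
    else if (!strcmp(key, "log_mode"))        snprintf(c->log_mode, sizeof c->log_mode, "%s", val);
    else if (!strcmp(key, "server_name"))     snprintf(c->server_name, sizeof c->server_name, "%s", val);
    else return 0;
    return 1;
}

/* Parse a whole newline-separated config text into c. */
void cfg_parse(struct cfg *c, const char *text)
{
    memset(c, 0, sizeof *c);
    while (*text) {
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        char line[256];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, text, len);
        line[len] = '\0';
        cfg_parse_line(c, line);
        if (!nl) break;
        text = nl + 1;
    }
}

static void finding(int *n, char *rep, size_t repsz, size_t *o, const char *msg)
{
    (*n)++;
    if (*o < repsz) {
        int w = snprintf(rep + *o, repsz - *o, "%s\n", msg);
        if (w > 0) *o += (size_t)w;
    }
}

/* Apply the production checklist; returns the number of findings and
 * writes them one per line into rep. Thresholds are assumed values. */
int cfg_check(const struct cfg *c, char *rep, size_t repsz)
{
    int n = 0;
    size_t o = 0;
    if (repsz) rep[0] = '\0';
    if (!c->use_https)
        finding(&n, rep, repsz, &o, "use_https is not true");
    if (!strcmp(c->log_mode, "debug") || !strcmp(c->log_mode, "advanced"))
        finding(&n, rep, repsz, &o, "log_mode should be classic in production");
    if (c->max_threads <= 0 || c->max_threads > 8)
        finding(&n, rep, repsz, &o, "max_threads unset or above the assumed limit of 8");
    if (c->max_connections <= 0 || c->max_connections > 4096)
        finding(&n, rep, repsz, &o, "max_connections unset or above the assumed limit of 4096");
    if (!c->server_name[0] || !strcmp(c->server_name, "0.0.0.0"))
        finding(&n, rep, repsz, &o, "server_name unset or bound to all interfaces");
    return n;
}

int main(void)
{
    /* constructed config matching the checklist */
    const char *conf =
        "use_https = true\n"
        "log_mode = classic  # Avoid debug/advanced in production\n"
        "max_threads = 4\n"
        "max_connections = 1024\n"
        "server_name = 127.0.0.1\n";
    struct cfg c;
    char rep[512];
    cfg_parse(&c, conf);
    printf("findings: %d\n%s", cfg_check(&c, rep, sizeof rep), rep);
    return 0;
}
```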

File Permissions

# Server binary
chmod 500 server

# Configuration files
chmod 600 server.conf

# SSL certificates
chmod 600 ssl/cert/cert.pem
chmod 600 ssl/key/key.key

# WWW directory (files read-only, directories traversable)
# Note: "chmod -R 444 www/" would strip the execute bit from subdirectories too,
# making them untraversable, so files and directories are handled separately.
find www/ -type f -exec chmod 444 {} +
find www/ -type d -exec chmod 555 {} +
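Permissions set by hand drift, so a server can verify them at start-up before it loads its key. The function below is added example code (not part of Carbon): it refuses a private file that is missing, not a regular file (for instance a symlink), owned by another user, or readable by group or other, which is exactly the state the chmod 600 lines above establish. The result codes and the temp-file helper used by the demonstration are assumptions:

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Example start-up check for private files such as the TLS key and
 * server.conf (added code, not Carbon's). Result codes are assumed. */
enum {
    PERM_OK          =  0,
    PERM_MISSING     = -1,
    PERM_NOT_REGULAR = -2,   /* directory, device or symlink */
    PERM_WRONG_OWNER = -3,   /* not owned by the effective user */
    PERM_TOO_OPEN    = -4    /* any group or other permission bit set */
};

int check_private_file(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)            return PERM_MISSING;
    if (!S_ISREG(st.st_mode))             return PERM_NOT_REGULAR;
    if (st.st_uid != geteuid())           return PERM_WRONG_OWNER;
    if (st.st_mode & (S_IRWXG | S_IRWXO)) return PERM_TOO_OPEN;
    return PERM_OK;
}

const char *perm_describe(int code)
{
    switch (code) {
    case PERM_OK:          return "ok";
    case PERM_MISSING:     return "missing or unreadable";
    case PERM_NOT_REGULAR: return "not a regular file";
    case PERM_WRONG_OWNER: return "owned by another user";
    case PERM_TOO_OPEN:    return "readable by group/other; expected mode 600";
    default:               return "unknown";
    }
}

/* Demo helper: create an empty temp file with the requested mode.
 * Returns 1 on success and writes the path into path_out. */
int make_temp_with_mode(char *path_out, size_t sz, mode_t mode)
{
    char tmpl[] = "/tmp/carbon-demo-key-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0) return 0;
    if (fchmod(fd, mode) != 0) { close(fd); unlink(tmpl); return 0; }
    close(fd);
    snprintf(path_out, sz, "%s", tmpl);
    return 1;
}

int main(void)
{
    char path[64];
    if (!make_temp_with_mode(path, sizeof path, 0644)) return 1;
    printf("%s (0644): %s\n", path, perm_describe(check_private_file(path)));
    chmod(path, 0600);
    printf("%s (0600): %s\n", path, perm_describe(check_private_file(path)));
    unlink(path);
    return 0;
}
```

The owner test compares against the effective UID of the process; if the key is deliberately root-owned and read before privileges are dropped, that check runs as root and still passes.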

Firewall Rules

# Allow HTTP (if needed)
sudo ufw allow 8080/tcp

# Allow HTTPS
sudo ufw allow 8443/tcp

# Deny all other incoming
sudo ufw default deny incoming

Known Security Considerations

WebSocket Security

When enabling WebSocket support:

  • WebSocket connections validate the Sec-WebSocket-Key header
  • Frame masking is enforced per RFC 6455
  • UTF-8 validation for text frames
  • Proper close frame handling

enable_websocket = true  # Only enable if needed
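The frame-level checks in the list above (mask enforcement, UTF-8 validation of text frames, control-frame rules) are shown together in this added example; it is illustration written for this page, not Carbon's WebSocket code, and the WS_MAX_PAYLOAD cap is an assumption chosen to match MAX_REQUEST_SIZE:

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Example client-frame parser (added illustration, not Carbon's code). */
#define WS_MAX_PAYLOAD 16384   /* assumed cap, matches MAX_REQUEST_SIZE */

enum ws_result {
    WS_OK = 0, WS_NEED_MORE = 1,
    WS_ERR_UNMASKED = -1, WS_ERR_RSV = -2, WS_ERR_OPCODE = -3,
    WS_ERR_CONTROL = -4, WS_ERR_TOO_BIG = -5, WS_ERR_UTF8 = -6
};

struct ws_frame {
    int     fin;
    uint8_t opcode;
    size_t  len;
    uint8_t payload[WS_MAX_PAYLOAD];
};

/* Strict UTF-8 check (RFC 3629): rejects truncated sequences, overlong
 * encodings, UTF-16 surrogates and code points above U+10FFFF. */
int ws_valid_utf8(const uint8_t *s, size_t n)
{
    size_t i = 0;
    while (i < n) {
        uint8_t c = s[i];
        size_t extra; uint32_t cp, min;
        if (c < 0x80) { i++; continue; }
        if      ((c & 0xE0) == 0xC0) { extra = 1; cp = c & 0x1F; min = 0x80;    }
        else if ((c & 0xF0) == 0xE0) { extra = 2; cp = c & 0x0F; min = 0x800;   }
        else if ((c & 0xF8) == 0xF0) { extra = 3; cp = c & 0x07; min = 0x10000; }
        else return 0;
        if (i + extra >= n) return 0;
        for (size_t k = 1; k <= extra; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return 0;
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return 0;
        i += extra + 1;
    }
    return 1;
}

/* Parse one client-to-server frame. On WS_OK, f holds the unmasked payload
 * and *consumed the bytes used; WS_NEED_MORE means wait for more input. */
int ws_parse_frame(const uint8_t *buf, size_t n, struct ws_frame *f, size_t *consumed)
{
    if (n < 2) return WS_NEED_MORE;
    uint8_t b0 = buf[0], b1 = buf[1];
    if (b0 & 0x70) return WS_ERR_RSV;          /* RSV1-3 must be 0 without extensions */
    if (!(b1 & 0x80)) return WS_ERR_UNMASKED;  /* RFC 6455 5.1: clients MUST mask */
    f->fin = (b0 & 0x80) != 0;
    f->opcode = b0 & 0x0F;
    if ((f->opcode > 0x2 && f->opcode < 0x8) || f->opcode > 0xA) return WS_ERR_OPCODE;

    uint64_t len = b1 & 0x7F;
    size_t pos = 2;
    if (len == 126) {
        if (n < 4) return WS_NEED_MORE;
        len = ((uint64_t)buf[2] << 8) | buf[3];
        pos = 4;
    } else if (len == 127) {
        if (n < 10) return WS_NEED_MORE;
        len = 0;
        for (int i = 0; i < 8; i++) len = (len << 8) | buf[2 + i];
        pos = 10;
    }
    /* control frames (close/ping/pong) must be short and unfragmented */
    if (f->opcode >= 0x8 && (len > 125 || !f->fin)) return WS_ERR_CONTROL;
    if (len > WS_MAX_PAYLOAD) return WS_ERR_TOO_BIG;
    if (n < pos + 4 + len) return WS_NEED_MORE;

    const uint8_t *key = buf + pos;
    pos += 4;
    for (size_t i = 0; i < len; i++) f->payload[i] = buf[pos + i] ^ key[i % 4];
    f->len = (size_t)len;
    if (f->opcode == 0x1 && !ws_valid_utf8(f->payload, f->len)) return WS_ERR_UTF8;
    *consumed = pos + (size_t)len;
    return WS_OK;
}

int main(void)
{
    /* constructed frame: FIN, text opcode, masked, 2-byte payload "Hi" */
    const uint8_t frame[] = { 0x81, 0x82, 0x12, 0x34, 0x56, 0x78, 0x5A, 0x5D };
    struct ws_frame f;
    size_t used;
    int r = ws_parse_frame(frame, sizeof frame, &f, &used);
    printf("result=%d fin=%d opcode=%u payload=%.*s\n",
           r, f.fin, f.opcode, (int)f.len, (const char *)f.payload);
    return 0;
}
```

Checking the declared length against the cap before waiting for the payload is what keeps a client from pinning memory with a 64-bit length field it never intends to fill.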

HTTP/2 Security

HTTP/2 is only available over HTTPS (h2), not cleartext (h2c):

use_https = true
enable_http2 = true

Logging Security

  • Sensitive data is sanitized in log output
  • Log files should have restricted permissions
  • Consider log rotation to prevent disk exhaustion

log_file = log/server.log
log_mode = classic
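Two concrete forms of the first point, shown as an added example rather than Carbon's own logging code: a bounded escaper that keeps attacker-supplied bytes (request line, User-Agent) from injecting fake records through embedded CR/LF, and a header joiner that drops credential values before a request is written to the log. The list of sensitive header names is an assumption:

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Example log hygiene helpers (added illustration, not Carbon's code). */

/* Escape a user-controlled field so it occupies exactly one log line:
 * control bytes, non-ASCII and backslashes become \xHH, which stops a
 * request from forging extra log records via embedded CR/LF. Output is
 * bounded and NUL-terminated; returns the number of bytes written. */
size_t log_escape(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz == 0) return 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c >= 0x20 && c < 0x7F && c != '\\') {
            if (o + 1 >= outsz) break;
            out[o++] = (char)c;
        } else {
            if (o + 4 >= outsz) break;              /* room for \xHH plus NUL */
            o += (size_t)snprintf(out + o, outsz - o, "\\x%02X", c);
        }
    }
    out[o] = '\0';
    return o;
}

/* assumed list of credential-bearing headers, lower-case */
static const char *const sensitive_headers[] = {
    "authorization", "proxy-authorization", "cookie", "x-api-key", NULL
};

static int is_sensitive(const char *name, size_t len)
{
    for (int i = 0; sensitive_headers[i]; i++) {
        if (strlen(sensitive_headers[i]) != len) continue;
        size_t k = 0;
        while (k < len && tolower((unsigned char)name[k]) == sensitive_headers[i][k]) k++;
        if (k == len) return 1;
    }
    return 0;
}

/* Join a raw CRLF-separated header block into one line with the values of
 * sensitive headers replaced. Returns 0 if out is too small. */
int log_redact_headers(const char *hdrs, char *out, size_t outsz)
{
    size_t o = 0;
    const char *p = hdrs;
    if (outsz == 0) return 0;
    out[0] = '\0';
    while (*p) {
        const char *eol = strstr(p, "\r\n");
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        const char *colon = memchr(p, ':', linelen);
        const char *val = "";
        size_t keep = linelen;
        if (colon && is_sensitive(p, (size_t)(colon - p))) {
            keep = (size_t)(colon - p) + 1;          /* keep "Name:" only */
            val = " [REDACTED]";
        }
        size_t need = (o ? 3 : 0) + keep + strlen(val);
        if (o + need >= outsz) return 0;
        if (o) { memcpy(out + o, " | ", 3); o += 3; }
        memcpy(out + o, p, keep);
        o += keep;
        memcpy(out + o, val, strlen(val));
        o += strlen(val);
        out[o] = '\0';
        if (!eol) break;
        p = eol + 2;
    }
    return 1;
}

int main(void)
{
    /* constructed request data */
    const char *hdrs = "Host: example.test\r\nAuthorization: Bearer abc123\r\nCookie: sid=1\r\n";
    char joined[256], line[256];
    if (log_redact_headers(hdrs, joined, sizeof joined))
        printf("headers: %s\n", joined);
    log_escape("GET /x\r\n127.0.0.1 - FAKE LINE", line, sizeof line);
    printf("request: %s\n", line);
    return 0;
}
```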

Build Security

The Makefile includes security-focused compiler flags:

CFLAGS += -fstack-protector-strong
CFLAGS += -fPIE -D_FORTIFY_SOURCE=2
CFLAGS += -Wformat -Wformat-security -Werror=format-security
LDFLAGS = -Wl,-z,relro,-z,now -pie

Security Updates

  • Monitor the repository for security updates
  • Keep dependencies (OpenSSL, nghttp2, zlib) updated
  • Rebuild after dependency updates

Disclaimer

Carbon HTTP Server is provided for educational and testing purposes. While security measures are implemented, the software:

  • Has not undergone formal security audit
  • May contain undiscovered vulnerabilities
  • Should be thoroughly tested before production use

Always perform your own security assessment before deploying in production environments.
