neko/internal/safehttp, branch claude/improve-image-proxy-5iY78

fix: implement HTTP/2 fallback for SafeClient on protocol errors

2026-02-18T16:06:42+00:00

Revert "fix: disable HTTP/2 in SafeClient to avoid unhandled response frame errors"

2026-02-18T16:04:41+00:00

This reverts commit ee3f5edab92b0ca14dc0b3c98862f721bddaf7d5.

fix: disable HTTP/2 in SafeClient to avoid unhandled response frame errors

2026-02-18T16:01:45+00:00

Increase test coverage across lowest-coverage packages

2026-02-18T06:18:28+00:00

Major coverage improvements:
- safehttp: 46.7% -> 93.3% (SafeDialer, redirect checking, SSRF protection)
- api: 81.8% -> 96.4% (HandleImport 0% -> 100%, stream errors, content types)
- importer: 85.3% -> 94.7% (ImportFeeds dispatcher, OPML nesting, edge cases)
- cmd/neko: 77.1% -> 85.4% (purge, secure-cookies, minutes, allow-local flags)

New tests added:
- Security regression tests (CSRF token uniqueness, mismatch rejection,
  auth cookie HttpOnly, security headers, API auth requirements)
- Stress tests for concurrent mixed operations and rapid state toggling
- SSRF protection tests for SafeDialer hostname resolution and redirect paths

https://claude.ai/code/session_01XUBh32rHpbYue1JYXSH64Q

Fix link underlines in v3 UI and SSRF proxy bypass

2026-02-17T06:27:32+00:00

- Add text-decoration: none to .item-description a links in v3 CSS
  to match v1 style (no underlines on feed item content links)
- Fix safehttp to disable proxy on safe client; without this, HTTP
  proxy env vars bypass the DialContext SSRF check for IPs like
  10.0.0.1, causing TestSafeClient to fail

https://claude.ai/code/session_01DpWhB9uGGMBnzqS28HxnuV

security: add HTTP security headers (fixing NK-7xuajb)

2026-02-14T17:20:40+00:00

security: mitigate SSRF in image proxy and feed fetcher (fixing NK-0ca7nq)

2026-02-14T17:17:56+00:00