tlsd 2.16.1 → 2.18.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "tlsd",
-  "version": "2.16.1",
+  "version": "2.18.0",
   "description": "A server for web app prototyping with HTTPS and Websockets",
   "main": "tlsd.js",
   "bin": {

package/rpc_static/rpc/index.html

@@ -36,11 +36,16 @@
             .textarea-group:first-child {
                 position: relative;
             }
+
+            .textarea-group-head {
+                display: flex;
+                justify-content: space-between;
+            }
             
             .send-button {
-                position: absolute;
-                top: 0;
-                right: 0;
+                zposition: absolute;
+                ztop: 0;
+                zright: 0;
                 background-color: #007bff;
                 color: white;
                 border: none;
@@ -94,8 +99,13 @@
     <body>
         <div class="grid-container">
             <div class="textarea-group">
-                <label class="textarea-label">Message Data</label>
-                <button class="send-button">Send</button>
+                <div class="textarea-group-head">
+                    <label class="textarea-label">Message Data</label>
+                    <div>
+                        <button class="send-button" id="send_auto">Send</button>
+                        <button class="send-button" id="send_post">POST</button>
+                    </div>
+                </div>
                 <textarea class="textarea-input" id="e_input" ></textarea>
             </div>
             <div class="textarea-group">
@@ -115,14 +125,15 @@
         <script>
 
             // Get the send button and first textarea
+            const sendButtonAuto = document.querySelector('#send_auto');
+            const sendButtonPOST = document.querySelector('#send_post');
             const sendButton = document.querySelector('.send-button');
             const e_input = document.querySelector('#e_input');
             const e_preview = document.querySelector('#e_preview');
             const e_sent = document.querySelector('#e_sent');
             const e_received = document.querySelector('#e_received');
-            
-            // Add click event listener to the send button
-            sendButton.addEventListener('click', function() {
+
+            function send( post = false ) {
                 // Get the content from the first textarea
                 const textareaContent = e_input.value;
                 
@@ -139,13 +150,22 @@
 
                 e_received.value = "...";
 
-                RPC( data, function( rsp ) {
+                let fn = post ? RPC.POST : RPC;
+
+                fn( data, function( rsp ) {
                     e_received.value = o2j( rsp, null, 2 );
                 }, function( err ) {
                     e_received.value = "ERROR:\n" + o2j( err, null, 2 );
                 });
-
+            }
+            
+            sendButtonAuto.addEventListener('click', function() {
+                send( false );
             });
+            sendButtonPOST.addEventListener('click', function() {
+                send( true );
+            });
+            
             
             // Load content from local storage when page loads
             window.addEventListener('pageshow', function() {

package/rpc_static/rpc/rpc.js

@@ -23,6 +23,11 @@
 	const o2j = function( v ) { try { return JSON.stringify( v, null, 2 ) } catch( e ) { return null } }
 	const time = function( dt ) { return Math.round( ( new Date() ).getTime() / 1000 ); }
 
+	const getCookie = function( name ) {
+		const match = document.cookie.match( new RegExp( "(^| )" + name + "=([^;]+)" ) );
+		return match ? match[ 2 ] : null;
+	};
+
 
 	let DBG = function( ...args ) {
 		if( RPC.debug ) {
@@ -95,7 +100,7 @@
 
 		const waiting = new WaitList()
 
-		const send = function(m, cb, fail) {
+		const send = async function(m, cb, fail) {
 			if(m.msg_id === undefined) {
 				m.msg_id = "CMID-" + next_seq(); // every message must have an id
 			}
@@ -105,8 +110,24 @@
 				waiting.ins( { msg: m, cb, fail }, m.msg_id );
 			}
 
-			DBG(">>--->", m );
-			socket.send( o2j( m ) );
+			const MAX_WAIT_TIME = 10000; // 10 seconds
+			const startTime = Date.now();
+			while(socket.readyState !== WebSocket.OPEN) {
+				if(Date.now() - startTime >= MAX_WAIT_TIME) {
+					if(fail) fail("WebSocket connection timeout after " + MAX_WAIT_TIME + "ms");
+					return;
+				}
+				DBG("Waiting for socket to be open", socket.readyState, MAX_WAIT_TIME - (Date.now() - startTime));
+				await new Promise(resolve => setTimeout(resolve, 200));
+			}
+
+			try {
+				DBG(">>--->", m, socket.readyState );
+				socket.send( o2j( m ) );
+			} catch(error) {
+				DBG("Send error:", error);
+				if(fail) fail(error);
+			}
 		}
 
 		var loc = document.location
@@ -222,6 +243,10 @@
 		xhr.open( "POST", RPC_URL );
 		xhr.setRequestHeader( "Content-Type", "application/json" );
 		xhr.setRequestHeader( "Accept", "application/json" );
+		const csrfToken = getCookie( "csrf_token" );
+		if( csrfToken ) {
+			xhr.setRequestHeader( "X-CSRF-Token", csrfToken );
+		}
 		xhr.send( o2j( msg ) );
 	};
 

package/tlsd.js

@@ -10,7 +10,6 @@ const serveStatic = require( "serve-static" );
 
 const body_parser = require( "body-parser" ).json( { limit: "10mb" } );
 const compression = require( "compression" )();
-const cors = require( "cors" )();
 const queryString = require( "querystring" );
 
 const { log5, o2j, j2o, toInt, is_dir, sha1 } = require( "sleepless" );
@@ -21,8 +20,40 @@ const { D, V, I, W, E } = L;
 const UPLOAD_DIR = process.env.UPLOAD_DIR || "/tmp/tlsd-put-files/";
 const UPLOAD_MAX_BYTES = toInt( process.env.UPLOAD_MAX_BYTES ) || ( 200 * 1024 * 1024 );
 
+// DOS protection configuration
+const MAX_RPC_MESSAGE_SIZE = toInt( process.env.MAX_RPC_MESSAGE_SIZE ) || ( 1024 * 1024 ); // 1MB default
+const MAX_WS_CONNECTIONS = toInt( process.env.MAX_WS_CONNECTIONS ) || 1000;
+const MAX_CONNECTIONS_PER_IP = toInt( process.env.MAX_CONNECTIONS_PER_IP ) || 50;
+const MAX_CONNECTIONS_TOTAL = toInt( process.env.MAX_CONNECTIONS_TOTAL ) || 1000;
+const REQUEST_TIMEOUT_MS = toInt( process.env.REQUEST_TIMEOUT_MS ) || 30000; // 30 seconds
+const SERVER_TIMEOUT_MS = toInt( process.env.SERVER_TIMEOUT_MS ) || 30000; // 30 seconds
+const KEEP_ALIVE_TIMEOUT_MS = toInt( process.env.KEEP_ALIVE_TIMEOUT_MS ) || 65000; // 65 seconds
+const HEADERS_TIMEOUT_MS = toInt( process.env.HEADERS_TIMEOUT_MS ) || 66000; // 66 seconds
+const RATE_LIMIT_WINDOW_MS = toInt( process.env.RATE_LIMIT_WINDOW_MS ) || ( 15 * 60 * 1000 ); // 15 minutes
+const RATE_LIMIT_MAX_REQUESTS = toInt( process.env.RATE_LIMIT_MAX_REQUESTS ) || 1000; // per window
+
 let dev_mode = false;
 
+// Connection tracking for DOS protection
+const ipConnections = new Map();
+let totalConnections = 0;
+let activeWSConnections = 0;
+
+// Rate limiting storage: Map<ip, {count: number, resetTime: number}>
+const rateLimitStore = new Map();
+
+function cleanupRateLimitStore() {
+	const now = Date.now();
+	for( const [ ip, data ] of rateLimitStore.entries() ) {
+		if( now > data.resetTime ) {
+			rateLimitStore.delete( ip );
+		}
+	}
+}
+
+// Clean up rate limit store every minute
+setInterval( cleanupRateLimitStore, 60 * 1000 );
+
 
 function usage() {
 	const base = path.basename( module.filename );
@@ -45,10 +76,112 @@ function next_seq() {
 }
 
 
+function generate_csrf_token() {
+	return sha1( "" + ( Date.now() + Math.random() ) );
+}
+
+
+function parse_cookies( cookie_header ) {
+	const cookies = {};
+	if( ! cookie_header ) {
+		return cookies;
+	}
+	cookie_header.split( ";" ).forEach( part => {
+		const pieces = part.split( "=" );
+		const name = pieces.shift().trim();
+		if( ! name ) {
+			return;
+		}
+		const value = pieces.join( "=" ).trim();
+		const unquoted = value && value[ 0 ] == "\"" && value[ value.length - 1 ] == "\""
+			? value.slice( 1, -1 )
+			: value;
+		cookies[ name ] = decodeURIComponent( unquoted || "" );
+	} );
+	return cookies;
+}
+
+
+function add_set_cookie_header( res, cookie_str ) {
+	const existing = res.getHeader( "Set-Cookie" );
+	if( ! existing ) {
+		res.setHeader( "Set-Cookie", [ cookie_str ] );
+		return;
+	}
+	if( Array.isArray( existing ) ) {
+		res.setHeader( "Set-Cookie", existing.concat( cookie_str ) );
+		return;
+	}
+	res.setHeader( "Set-Cookie", [ existing, cookie_str ] );
+}
+
+
+function build_cookie_string( name, value, options ) {
+	const opts = options || {};
+	const bits = [];
+	bits.push( name + "=" + encodeURIComponent( value || "" ) );
+	if( opts.domain ) {
+		bits.push( "Domain=" + opts.domain );
+	}
+	if( opts.path || opts.path === "" ) {
+		bits.push( "Path=" + opts.path );
+	}
+	if( opts.maxAge !== undefined && opts.maxAge !== null ) {
+		bits.push( "Max-Age=" + toInt( opts.maxAge ) );
+	}
+	if( opts.sameSite ) {
+		bits.push( "SameSite=" + opts.sameSite );
+	}
+	if( opts.expires ) {
+		bits.push( "Expires=" + opts.expires );
+	}
+	if( opts.httpOnly ) {
+		bits.push( "HttpOnly" );
+	}
+	if( opts.secure ) {
+		bits.push( "Secure" );
+	}
+	return bits.join( "; " );
+}
+
+
+function make_cookie_setters( res ) {
+	if( ! res ) {
+		return {
+			setCookie: function( ) {
+				W( "setCookie ignored: no response available" );
+			},
+			clearCookie: function( ) {
+				W( "clearCookie ignored: no response available" );
+			},
+		};
+	}
+
+	const setCookie = function( name, value, options ) {
+		const cookie_str = build_cookie_string( name, value, options );
+		add_set_cookie_header( res, cookie_str );
+	};
+
+	const clearCookie = function( name, options ) {
+		const opts = options ? Object.assign( {}, options ) : {};
+		if( ! opts.expires ) {
+			opts.expires = "Thu, 01 Jan 1970 00:00:00 GMT";
+		}
+		opts.maxAge = 0;
+		const cookie_str = build_cookie_string( name, "", opts );
+		add_set_cookie_header( res, cookie_str );
+	};
+
+	return { setCookie, clearCookie };
+}
+
+
 // Handles incoming RPC messages.
 // Load order for RPC handlers under the provided root:
-//  1) Tries explicit CommonJS module at "root/rpc/index.cjs"
-//  2) Falls back to legacy directory loader at "root/rpc"
+//  1) Tries explicit CommonJS module at "root/server/index.cjs"
+//  2) Falls back to legacy directory loader at "root/server"
+//  3) Falls back to explicit CommonJS module at "root/rpc/index.cjs"
+//  4) Falls back to legacy directory loader at "root/rpc"
 // If loading succeeds, passes the message to the handler.
 // context may be one of:
 //      { transport_type: "WS", connection: { ... } }
@@ -68,14 +201,22 @@ function rpc_handler( root, msg, context, _okay, _fail ) {
             why = new Error( why );
         }
 		E( root + ": " + why.stack );
-		_fail();
+		_fail( why );
 	};
 
+	// Check RPC message size
+	const msgSize = JSON.stringify( msg ).length;
+	if( msgSize > MAX_RPC_MESSAGE_SIZE ) {
+		W( "RPC message too large: " + msgSize + " bytes (max: " + MAX_RPC_MESSAGE_SIZE + ")" );
+		fail( new Error( "RPC message too large" ) );
+		return;
+	}
+
 	context.upload_dir = UPLOAD_DIR;
 
 	try {
-        // try loading explicit common js module 
-		const mod_path = root + "/rpc/index.cjs";
+        // try loading explicit common js module from server folder
+		const mod_path = root + "/server/index.cjs";
 		const mod = require( mod_path );
 		try {
             mod( msg, okay, fail, context );
@@ -85,9 +226,9 @@ function rpc_handler( root, msg, context, _okay, _fail ) {
 
 	} catch( err ) {
 
-        // try loading it the old way using the dir
+        // try loading it the old way using the server dir
         try {
-			const mod_path = root + "/rpc";
+			const mod_path = root + "/server";
 			const mod = require( mod_path );
 			try {
                 mod( msg, okay, fail, context );
@@ -96,7 +237,35 @@ function rpc_handler( root, msg, context, _okay, _fail ) {
 			}
 
         } catch( err ) {
-            fail( err );
+
+            // fall back to rpc folder - try explicit common js module
+            try {
+                const mod_path = root + "/rpc/index.cjs";
+                const mod = require( mod_path );
+                try {
+                    mod( msg, okay, fail, context );
+                } catch( err ) {
+                    fail( err ); 
+                }
+
+            } catch( err ) {
+
+                // fall back to rpc folder - try loading it the old way using the dir
+                try {
+                    const mod_path = root + "/rpc";
+                    const mod = require( mod_path );
+                    try {
+                        mod( msg, okay, fail, context );
+                    } catch( err ) {
+                        fail( err );
+                    }
+
+                } catch( err ) {
+                    fail( err );
+                }
+
+            }
+
         }
 
 	}
@@ -106,7 +275,10 @@ function rpc_handler( root, msg, context, _okay, _fail ) {
 // Glue function to call rpc handler module and then return response
 // via the websockets msg object
 function ws_msg_handler( root, msg, host, connection ) {
-	rpc_handler( root, msg.msg, { transport_type: "WS", host, connection }, data => {
+	const { setCookie, clearCookie } = make_cookie_setters();
+	const cookies = connection.cookies || {};
+
+	rpc_handler( root, msg.msg, { transport_type: "WS", host, connection, cookies, setCookie, clearCookie }, data => {
 		msg.reply( data );
 	}, err => {
 		msg.error( err || "Unspecified Error" );
@@ -121,6 +293,75 @@ function populate_query( req, res, next ) {
 }
 
 
+// Rate limiting middleware
+function rate_limit( req, res, next ) {
+	const ip = req.socket.remoteAddress || "unknown";
+	const now = Date.now();
+	
+	let limitData = rateLimitStore.get( ip );
+	if( ! limitData || now > limitData.resetTime ) {
+		limitData = { count: 0, resetTime: now + RATE_LIMIT_WINDOW_MS };
+		rateLimitStore.set( ip, limitData );
+	}
+	
+	limitData.count++;
+	
+	if( limitData.count > RATE_LIMIT_MAX_REQUESTS ) {
+		W( "Rate limit exceeded for IP: " + ip + " (" + limitData.count + " requests)" );
+		res.writeHead( 429, {
+			"Content-Type": "application/json",
+			"Retry-After": Math.ceil( ( limitData.resetTime - now ) / 1000 ),
+		} );
+		res.write( o2j( { error: "Too many requests" } ) );
+		res.end();
+		return;
+	}
+	
+	next();
+}
+
+
+// Request timeout middleware
+function timeout_middleware( req, res, next ) {
+	const timeout = setTimeout( function( ) {
+		if( ! res.headersSent ) {
+			W( "Request timeout for " + req.method + " " + req.url );
+			res.writeHead( 408, { "Content-Type": "application/json" } );
+			res.write( o2j( { error: "Request timeout" } ) );
+			res.end();
+		}
+	}, REQUEST_TIMEOUT_MS );
+	
+	res.on( "finish", function( ) {
+		clearTimeout( timeout );
+	} );
+	
+	next();
+}
+
+
+// Per-IP connection limit check
+function check_ip_connection_limit( ip ) {
+	const count = ipConnections.get( ip ) || 0;
+	if( count >= MAX_CONNECTIONS_PER_IP ) {
+		return false;
+	}
+	ipConnections.set( ip, count + 1 );
+	return true;
+}
+
+
+function release_ip_connection( ip ) {
+	const count = ipConnections.get( ip ) || 0;
+	if( count > 0 ) {
+		ipConnections.set( ip, count - 1 );
+		if( count === 1 ) {
+			ipConnections.delete( ip );
+		}
+	}
+}
+
+
 // Simple logging handler
 function logger( req, res, next ) {
     const host = req.headers[ "host" ];
@@ -131,6 +372,92 @@ function logger( req, res, next ) {
 }
 
 
+// CSRF protection middleware using double-submit cookie pattern
+function csrf_protection( root ) {
+	return function( req, res, next ) {
+		const cookies = parse_cookies( req.headers[ "cookie" ] );
+		const { setCookie } = make_cookie_setters( res );
+		const host = req.headers[ "host" ];
+		const method = req.method;
+		const url = req.url.split( "?" ).shift();
+
+		// Generate CSRF token if it doesn't exist
+		if( ! cookies.csrf_token ) {
+			const token = generate_csrf_token();
+			const cookieOptions = {
+				sameSite: "Strict",
+				path: "/",
+				maxAge: 86400 * 365, // 1 year
+			};
+			// Set Secure flag in TLS mode (when not in dev mode)
+			if( ! dev_mode ) {
+				cookieOptions.secure = true;
+			}
+			setCookie( "csrf_token", token, cookieOptions );
+			cookies.csrf_token = token;
+		}
+
+		// Skip validation for GET requests, WebSocket upgrades, and static files
+		if( method === "GET" ) {
+			next();
+			return;
+		}
+
+		// Only validate POST and PUT requests to /rpc or any PUT request
+		const is_rpc = ( url === "/rpc" || url === "/rpc/" );
+		const is_put = ( method === "PUT" );
+
+		if( ! is_rpc && ! is_put ) {
+			next();
+			return;
+		}
+
+		// Validate CSRF token (double-submit cookie pattern)
+		const cookieToken = cookies.csrf_token;
+		const headerToken = req.headers[ "x-csrf-token" ];
+
+		if( ! cookieToken || ! headerToken || cookieToken !== headerToken ) {
+			W( "CSRF token validation failed for " + method + " " + url );
+			res.writeHead( 403, {
+				"Content-Type": "application/json",
+				"Cache-Control": "no-store",
+			} );
+			res.write( o2j( { error: "CSRF token validation failed" } ) );
+			res.end();
+			return;
+		}
+
+		// Additional Origin/Referer validation
+		const origin = req.headers[ "origin" ];
+		const referer = req.headers[ "referer" ];
+		let originValid = false;
+
+		if( origin ) {
+			// Check if origin matches host (with protocol)
+			const expectedOrigin = ( dev_mode ? "http://" : "https://" ) + host;
+			originValid = origin === expectedOrigin;
+		} else if( referer ) {
+			// Fall back to Referer if Origin is missing
+			const expectedReferer = ( dev_mode ? "http://" : "https://" ) + host;
+			originValid = referer.startsWith( expectedReferer );
+		}
+
+		if( ! originValid ) {
+			W( "CSRF Origin/Referer validation failed for " + method + " " + url + " origin: " + origin + " referer: " + referer );
+			res.writeHead( 403, {
+				"Content-Type": "application/json",
+				"Cache-Control": "no-store",
+			} );
+			res.write( o2j( { error: "CSRF token validation failed" } ) );
+			res.end();
+			return;
+		}
+
+		next();
+	};
+}
+
+
 // Creates and returns a handler that intercepts and services requests to
 // the "/rpc" endpoint. In TLS mode only POST is allowed; in dev mode
 // GET is also allowed with query-string payloads.
@@ -160,7 +487,16 @@ function rpc_post( root ) {
         D( method + " >------> " + o2j( input, null, 2 ) );
 
         // Summon the rpc handler for the domain root.
-        rpc_handler( root, input, { transport_type: method, connection: { host: req.headers[ "host" ], req, res, } } , output => {
+		const cookies = parse_cookies( req.headers[ "cookie" ] );
+		const { setCookie, clearCookie } = make_cookie_setters( res );
+
+        rpc_handler( root, input, {
+			transport_type: method,
+			connection: { host: req.headers[ "host" ], req, res, },
+			cookies,
+			setCookie,
+			clearCookie,
+		} , output => {
             res.writeHead( 200, {
                 "Content-Type": "application/json",
                 "Cache-Control": "no-store",
@@ -168,11 +504,13 @@ function rpc_post( root ) {
             D( method + " <------< " + o2j( output, null, 2 ) );
             res.write( o2j( output ) );
             res.end();
-        }, () => {
+        }, ( err ) => {
+            const error_message = err && err.message ? err.message : ( err || "Internal server error" );
             res.writeHead( 500, {
                 "Content-Type": "application/json",
                 "Cache-Control": "no-store",
             } );
+            res.write( o2j( { error: error_message } ) );
             res.end();
         } );
     };
@@ -290,11 +628,13 @@ function put_handler( req, res, next ) {
 // default (basic) functionality.
 function basic_handler( root ) {
 	const app = connect();
+	app.use( timeout_middleware );
+	app.use( rate_limit );
 	app.use( body_parser );
 	app.use( compression );
-	app.use( cors );        // allow requests from other domains
 	app.use( populate_query );
 	app.use( logger );
+	app.use( csrf_protection( root ) );
     app.use( put_handler )
     app.use( rpc_post( root ) );
 	app.use( rpc_static );
@@ -310,7 +650,39 @@ const cached_basic_handlers = {};
 // Handle REST calls (as opposed to websocket messages)
 function rest_handler( root, req, rsp ) {
 
-	const remote_ip = req.socket.remoteAddress;
+	const remote_ip = req.socket.remoteAddress || "unknown";
+	
+	// Check total connection limit
+	if( totalConnections >= MAX_CONNECTIONS_TOTAL ) {
+		W( "Max connections exceeded: " + totalConnections );
+		rsp.writeHead( 503, { "Content-Type": "application/json" } );
+		rsp.write( o2j( { error: "Service temporarily unavailable" } ) );
+		rsp.end();
+		return;
+	}
+	
+	// Check per-IP connection limit
+	if( ! check_ip_connection_limit( remote_ip ) ) {
+		W( "Max connections per IP exceeded for: " + remote_ip );
+		rsp.writeHead( 503, { "Content-Type": "application/json" } );
+		rsp.write( o2j( { error: "Too many connections from this IP" } ) );
+		rsp.end();
+		return;
+	}
+	
+	totalConnections++;
+	
+	// Release connection tracking on response finish
+	rsp.on( "finish", function( ) {
+		totalConnections--;
+		release_ip_connection( remote_ip );
+	} );
+	
+	rsp.on( "close", function( ) {
+		totalConnections--;
+		release_ip_connection( remote_ip );
+	} );
+
 	I( remote_ip + " " + req.headers[ "host" ] + ": " + req.method + " " + req.url );
 	D( "rest_handler root: " + root );
 
@@ -357,9 +729,50 @@ function ws_attach( server, msg_handler ) {
 
 		V( "WS: connection request from "+wsreq.remoteAddress+" "+wsreq.resource )
 	
+		const remote_ip = wsreq.remoteAddress || "unknown";
+		
+		// Check WebSocket connection limit
+		if( activeWSConnections >= MAX_WS_CONNECTIONS ) {
+			W( "Max WebSocket connections exceeded: " + activeWSConnections );
+			wsreq.reject( 503, "Too many WebSocket connections" );
+			return;
+		}
+		
+		// Check per-IP connection limit
+		if( ! check_ip_connection_limit( remote_ip ) ) {
+			W( "Max connections per IP exceeded for WebSocket: " + remote_ip );
+			wsreq.reject( 503, "Too many connections from this IP" );
+			return;
+		}
+		
+		// Check total connection limit
+		if( totalConnections >= MAX_CONNECTIONS_TOTAL ) {
+			W( "Max total connections exceeded: " + totalConnections );
+			wsreq.reject( 503, "Service temporarily unavailable" );
+			return;
+		}
+		
+		activeWSConnections++;
+		totalConnections++;
+	
 		const host = wsreq.httpRequest.headers[ "host" ];
+		const cookies = parse_cookies( wsreq.httpRequest.headers[ "cookie" ] );
+		const origin = wsreq.origin;
+
+		// Validate WebSocket origin matches host
+		if( origin ) {
+			const expectedOrigin = ( dev_mode ? "http://" : "https://" ) + host;
+			if( origin !== expectedOrigin ) {
+				W( "WS: Origin validation failed: " + origin + " expected: " + expectedOrigin );
+				activeWSConnections--;
+				totalConnections--;
+				release_ip_connection( remote_ip );
+				wsreq.reject( 403, "Origin validation failed" );
+				return;
+			}
+		}
 
-		const socket = wsreq.accept( null, wsreq.origin || "*" );
+		const socket = wsreq.accept( null, origin || host );
 
 		const name = "ws-conn-" + next_seq();       // XXX just use the websocket id
 
@@ -373,20 +786,33 @@ function ws_attach( server, msg_handler ) {
 			socket.send( o2j( msg ) ); 
 		};
 
-		const conn = { name, socket, send };
+		const conn = { name, socket, send, cookies };
 
 		socket.on( "error", function( err ) {
 			E( "WS: error", err.stack || err );
+			activeWSConnections--;
+			totalConnections--;
+			release_ip_connection( remote_ip );
 		});
 
 		socket.on("close", function() {
 			D( "WS: disconnect" );
+			activeWSConnections--;
+			totalConnections--;
+			release_ip_connection( remote_ip );
 		});
 
 		// incoming msgs from client come through here
 		socket.on( "message", function( x ) {
 			D( "WS >------> "+x.utf8Data );
 
+			// Check WebSocket message size
+			if( x.utf8Data && x.utf8Data.length > MAX_RPC_MESSAGE_SIZE ) {
+				W( "WS message too large: " + x.utf8Data.length + " bytes (max: " + MAX_RPC_MESSAGE_SIZE + ")" );
+				socket.close( 1009, "Message too large" );
+				return;
+			}
+
 			const json = x.utf8Data;			// raw message is a utf8 string
 			const msg_in = j2o( json );
 			if( msg_in == null ) {
@@ -433,7 +859,9 @@ if( argv.length == 2 ) {
 
 		L( toInt( VERBOSITY ) );
 
+		const pkg = require( __dirname + "/package.json" );
 		I( "=== TLS MODE ===" );
+		I( "Version: " + pkg.version );
 		V( "DOMAINS_ROOT: " + DOMAINS_ROOT );
 		V( "MAINTAINER_EMAIL: " + MAINTAINER_EMAIL );
 		V( "VERBOSITY: " + VERBOSITY );
@@ -446,6 +874,12 @@ if( argv.length == 2 ) {
 		} ).ready( glx => {
 
 			var server = glx.httpsServer();
+			
+			// Configure server timeouts and connection limits
+			server.maxConnections = MAX_CONNECTIONS_TOTAL;
+			server.timeout = SERVER_TIMEOUT_MS;
+			server.keepAliveTimeout = KEEP_ALIVE_TIMEOUT_MS;
+			server.headersTimeout = HEADERS_TIMEOUT_MS;
 
 			ws_attach( server, function( msg, connection, host ) {
 				const root = path.resolve( DOMAINS_ROOT + "/" + host );
@@ -480,7 +914,9 @@ if( argv.length == 5 ) {
 
 		SITE_ROOT = path.resolve( SITE_ROOT );
 
+		const pkg = require( __dirname + "/package.json" );
 		I( "=== DEV MODE ===" );
+		I( "Version: " + pkg.version );
 		V( "VERBOSITY: " + VERBOSITY );
 		V( "SITE_ROOT: " + SITE_ROOT );
 		V( "PORT: " + PORT );
@@ -488,6 +924,12 @@ if( argv.length == 5 ) {
 		const server = http.createServer( ( req, res ) => {
 			rest_handler( SITE_ROOT, req, res );
 		} );
+		
+		// Configure server timeouts and connection limits
+		server.maxConnections = MAX_CONNECTIONS_TOTAL;
+		server.timeout = SERVER_TIMEOUT_MS;
+		server.keepAliveTimeout = KEEP_ALIVE_TIMEOUT_MS;
+		server.headersTimeout = HEADERS_TIMEOUT_MS;
 
         ws_attach( server, ( msg, connection, host ) => {
             ws_msg_handler( SITE_ROOT, msg, host, connection );
@@ -508,7 +950,8 @@ if( argv.length == 3 && argv[ 2 ] == "-v" ) {
 
 	// pull package version from package.json and print it
 	const p = require( __dirname + "/package.json" );
-	I( p.version );
+	console.log( p.version );
+    process.exit();
 
 }
 else {