15 tests demonstrate how Signando HTTP validates URL paths against the policy and blocks path traversal attacks.
Path allowlist is defined in the policy.yaml file:
# policy.yaml
paths:
- pattern: "/index.html"
methods: ["GET", "HEAD"]
- pattern: "/static/*"
methods: ["GET"]
- pattern: "/api/users"
methods: ["GET", "POST"]
- pattern: "/api/users/{id}"
methods: ["GET", "PUT", "DELETE"]curl -X GET http://localhost:8080/index.htmlHTTP/1.1 200 OK
Content-Type: text/html
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
...The path /index.html is defined in the policy allowlist. Signando HTTP validates that the path matches a defined pattern and forwards the request to the backend.
curl -X GET http://localhost:8080/adminHTTP/1.1 403 Forbidden
Content-Type: application/json
{"error": "Path not allowed", "code": "PATH_NOT_IN_ALLOWLIST"}Signando HTTP works on the allowlist principle: Only paths explicitly defined in the policy are allowed. Undefined paths are rejected with 403 Forbidden.
curl -X GET http://localhost:8080/../etc/passwd HTTP/1.1 400 Bad Request
Content-Type: application/json
{"error": "Path traversal detected", "code": "PATH_TRAVERSAL_BLOCKED"}Path traversal attempts using ../ sequences are detected and blocked before reaching the backend. Both raw and URL-encoded variants are detected.
curl -X GET http://localhost:8080/static/%2e%2e/etc/passwd URL-encoded path traversal attempts (%2e = .) are also detected and blocked.