Update security middleware and update Docker configurations

- Added a new parameter to the SecurityMiddleware function to allow custom handling of forbidden requests.
- Updated Docker configurations to enable asset caching for improved performance.
- Bumped version number in the Dockerfile to 0.3.0 and refined the image description for clarity.
- Adjusted various frontend components and error handling to support new rate limiting and forbidden access messages.
- Improved documentation in multiple languages to reflect recent changes in features and security measures.

Dockerfile

@@ -32,13 +32,13 @@ WORKDIR /app
 
 ARG BUILD_DATE
 ARG VCS_REF
-ARG VERSION="0.2.0"
+ARG VERSION="0.3.0"
 
 LABEL org.opencontainers.image.created=$BUILD_DATE \
       org.opencontainers.image.title="Software Station" \
-      org.opencontainers.image.description="A software distribution platform." \
+      org.opencontainers.image.description="A secure software distribution platform." \
       org.opencontainers.image.url="https://quad4.io" \
-      org.opencontainers.image.documentation="https://github.com/Quad4-Software/software-station/blob/main/README.md" \
+      org.opencontainers.image.documentation="https://git.quad4.io/Quad4-Software/software-station/src/branch/master/frontend/src/lib/docs" \
       org.opencontainers.image.source="https://github.com/Quad4-Software/software-station" \
       org.opencontainers.image.version=$VERSION \
       org.opencontainers.image.revision=$VCS_REF \

Makefile

@@ -1,4 +1,4 @@
-.PHONY: all build-frontend build-go build-wasm clean release run lint scan check format test test-wasm dev docker-build
+.PHONY: all build-frontend build-go build-wasm clean release run lint scan check format tidy test test-wasm dev docker-build
 
 BINARY_NAME=software-station
 FRONTEND_DIR=frontend
@@ -51,6 +51,8 @@ scan:
 check:
 	cd $(FRONTEND_DIR) && pnpm run check
 
+tidy: format lint check
+
 test: test-wasm
 	go test -v -coverpkg=./... ./...
 

docker-compose.coolify.yaml

@@ -12,6 +12,7 @@ services:
       CONFIG_PATH: /app/data/software.txt
       UA_BLOCKLIST_PATH: /app/data/ua-blocklist.txt
       ALLOWED_ORIGINS: https://software.quad4.io
+      CACHE_ASSETS: true
     volumes:
       - software-station-data:/app/data
       - software-station-cache:/app/.cache

docker-compose.yml

@@ -12,6 +12,7 @@ services:
       - GITEA_SERVER=${GITEA_SERVER:-https://git.quad4.io}
       - CONFIG_PATH=/app/data/software.txt
       - UA_BLOCKLIST_PATH=/app/data/ua-blocklist.txt
+      - CACHE_ASSETS=true
     security_opt:
       - no-new-privileges:true
     restart: unless-stopped

frontend/src/lib/components/SearchBar.svelte

@@ -5,10 +5,10 @@
 	let { searchQuery = $bindable('') }: { searchQuery?: string } = $props();
 </script>
 
-<div class="flex flex-col gap-4 md:flex-row md:items-center md:justify-between">
+<div class="flex flex-col gap-3 sm:gap-4 md:flex-row md:items-center md:justify-between">
 	<div>
-		<h1 class="text-3xl font-bold tracking-tight">{$t('common.title')}</h1>
+		<h1 class="text-2xl sm:text-3xl font-bold tracking-tight">{$t('common.title')}</h1>
-		<p class="text-muted-foreground mt-1">{$t('common.subtitle')}</p>
+		<p class="text-sm sm:text-base text-muted-foreground mt-1">{$t('common.subtitle')}</p>
 	</div>
 	<div class="relative w-full md:w-72">
 		<Search class="absolute left-3 top-1/2 -translate-y-1/2 w-4 h-4 text-muted-foreground" />

frontend/src/lib/docs/software/webnews.de.md

@@ -17,6 +17,7 @@ Web News ist ein auf Privatsphäre ausgerichteter, offline-fähiger RSS-Reader u
 ## Privatsphäre und Sicherheit
 
 Web News basiert auf einer "Zero-Knowledge"-Philosophie, um sicherzustellen, dass Benutzerdaten privat bleiben:
+
 - **Datensouveränität**: Ihre Leseliste und Ihr Verlauf verlassen niemals Ihr Gerät.
 - **Anonymer Zugriff**: Verwendet 16-stellige Kontonummern für den Serverzugriff anstelle von persönlichen Identifikatoren.
 - **Gehärtetes Backend**: Verfügt über integriertes Bot-Blocking, Ratenbegrenzung und sichere Token-Generierung.

frontend/src/lib/docs/software/webnews.it.md

@@ -17,6 +17,7 @@ Web News è un lettore RSS orientato alla privacy, progettato per funzionare off
 ## Privacy e sicurezza
 
 Web News è costruito su una filosofia "zero-knowledge" per garantire che i dati degli utenti rimangano privati:
+
 - **Sovranità dei dati**: La tua lista di lettura e la tua cronologia non lasciano mai il tuo dispositivo.
 - **Accesso anonimo**: Utilizza numeri di conto a 16 cifre per l'accesso al server invece di identificatori personali.
 - **Backend blindato**: Include blocco dei bot integrato, limitazione della frequenza e generazione di token sicuri.

frontend/src/lib/docs/software/webnews.md

@@ -17,6 +17,7 @@ Web News is a privacy-focused, offline-first RSS reader and full-text extractor.
 ## Privacy and Security
 
 Web News is built on a "zero-knowledge" philosophy to ensure user data remains private:
+
 - **Data Sovereignty**: Your reading list and history never leave your device.
 - **Anonymous Access**: Uses 16-digit account numbers for server access instead of personal identifiers.
 - **Hardened Backend**: Features built-in bot blocking, rate limiting, and secure token generation.

frontend/src/lib/docs/software/webnews.ru.md

@@ -17,6 +17,7 @@ Web News — это ориентированный на конфиденциал
 ## Конфиденциальность и безопасность
 
 Web News построен на философии «нулевого знания», чтобы гарантировать приватность пользовательских данных:
+
 - **Суверенитет данных**: Ваш список чтения и история никогда не покидают ваше устройство.
 - **Анонимный доступ**: Использует 16-значные номера счетов для доступа к серверу вместо личных идентификаторов.
 - **Защищенный бэкенд**: Встроенная блокировка ботов, ограничение скорости и безопасная генерация токенов.

frontend/src/lib/i18n/locales/de.json

@@ -35,7 +35,11 @@
 		"pageNotFound": "Seite nicht gefunden",
 		"pageNotFoundDesc": "Die gesuchte Seite wurde möglicherweise entfernt, ihr Name wurde geändert oder sie ist vorübergehend nicht verfügbar.",
 		"error": "Fehler",
-		"backHome": "Zurück zur Startseite"
+		"backHome": "Zurück zur Startseite",
+		"tooManyRequests": "Zu viele Anfragen",
+		"tooManyRequestsDesc": "Sie haben in kurzer Zeit zu viele Anfragen gesendet. Bitte warten Sie einen Moment und versuchen Sie es dann erneut.",
+		"forbidden": "Zugriff verweigert",
+		"forbiddenDesc": "Ihr Zugriff wurde von unserem Sicherheitssystem eingeschränkt. Dies kann aufgrund verdächtiger Muster oder automatisiertem Bot-Verhalten passieren."
 	},
 	"os": {
 		"windows": "Windows",

frontend/src/lib/i18n/locales/en.json

@@ -35,7 +35,11 @@
 		"pageNotFound": "Page Not Found",
 		"pageNotFoundDesc": "The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.",
 		"error": "Error",
-		"backHome": "Back to Home"
+		"backHome": "Back to Home",
+		"tooManyRequests": "Too Many Requests",
+		"tooManyRequestsDesc": "You've sent too many requests in a short period of time. Please slow down and try again later.",
+		"forbidden": "Access Denied",
+		"forbiddenDesc": "Your access has been restricted by our security system. This can happen due to suspicious patterns or automated bot behavior."
 	},
 	"os": {
 		"windows": "Windows",

frontend/src/lib/i18n/locales/it.json

@@ -35,7 +35,11 @@
 		"pageNotFound": "Pagina non trovata",
 		"pageNotFoundDesc": "La pagina che stai cercando potrebbe essere stata rimossa, aver cambiato nome o essere temporaneamente non disponibile.",
 		"error": "Errore",
-		"backHome": "Torna alla Home"
+		"backHome": "Torna alla Home",
+		"tooManyRequests": "Troppe richieste",
+		"tooManyRequestsDesc": "Hai inviato troppe richieste in un breve periodo di tempo. Per favore, rallenta e riprova più tardi.",
+		"forbidden": "Accesso negato",
+		"forbiddenDesc": "Il tuo accesso è stato limitato dal nostro sistema di sicurezza. Ciò può accadere a causa di pattern sospetti o comportamenti da bot automatizzati."
 	},
 	"os": {
 		"windows": "Windows",

frontend/src/lib/i18n/locales/ru.json

@@ -35,7 +35,11 @@
 		"pageNotFound": "Страница не найдена",
 		"pageNotFoundDesc": "Запрошенная страница могла быть удалена, ее название изменено или она временно недоступна.",
 		"error": "Ошибка",
-		"backHome": "На главную"
+		"backHome": "На главную",
+		"tooManyRequests": "Слишком много запросов",
+		"tooManyRequestsDesc": "Вы отправили слишком много запросов за короткий промежуток времени. Пожалуйста, подождите и попробуйте позже.",
+		"forbidden": "Доступ запрещен",
+		"forbiddenDesc": "Ваш доступ был ограничен нашей системой безопасности. Это может произойти из-за подозрительной активности или использования ботов."
 	},
 	"os": {
 		"windows": "Windows",

frontend/src/routes/+error.svelte

@@ -7,6 +7,8 @@
 	const message = $page.error?.message || $t('common.errorOccurred');
 
 	const is404 = status === 404;
+	const is429 = status === 429;
+	const is403 = status === 403;
 </script>
 
 <div class="flex flex-col items-center justify-center py-20 px-4 text-center">
@@ -14,6 +16,28 @@
 		<div class="absolute -inset-4 bg-primary/10 blur-3xl rounded-full"></div>
 		{#if is404}
 			<h1 class="text-9xl font-black text-primary/20 relative select-none">404</h1>
+		{:else if is429}
+			<div class="relative">
+				<h1 class="text-9xl font-black text-primary/20 relative select-none">429</h1>
+				<div class="absolute inset-0 flex items-center justify-center translate-y-4">
+					<div
+						class="bg-background/80 backdrop-blur-sm p-3 rounded-full shadow-xl border border-border"
+					>
+						<AlertCircle class="w-12 h-12 text-primary" />
+					</div>
+				</div>
+			</div>
+		{:else if is403}
+			<div class="relative">
+				<h1 class="text-9xl font-black text-destructive/20 relative select-none">403</h1>
+				<div class="absolute inset-0 flex items-center justify-center translate-y-4">
+					<div
+						class="bg-background/80 backdrop-blur-sm p-3 rounded-full shadow-xl border border-border"
+					>
+						<AlertCircle class="w-12 h-12 text-destructive" />
+					</div>
+				</div>
+			</div>
 		{:else}
 			<AlertCircle class="w-32 h-32 text-destructive relative opacity-20" />
 		{/if}
@@ -22,6 +46,10 @@
 	<h2 class="text-3xl font-bold mb-4">
 		{#if is404}
 			{$t('common.pageNotFound')}
+		{:else if is429}
+			{$t('common.tooManyRequests')}
+		{:else if is403}
+			{$t('common.forbidden')}
 		{:else}
 			{$t('common.error')} {status}
 		{/if}
@@ -30,6 +58,10 @@
 	<p class="text-muted-foreground max-w-md mb-8">
 		{#if is404}
 			{$t('common.pageNotFoundDesc')}
+		{:else if is429}
+			{$t('common.tooManyRequestsDesc')}
+		{:else if is403}
+			{$t('common.forbiddenDesc')}
 		{:else}
 			{message}
 		{/if}

frontend/src/routes/+layout.svelte

@@ -52,9 +52,9 @@
 	>
 		<nav class="border-b border-border bg-card/50 backdrop-blur-sm sticky top-0 z-50">
 			<div
-				class="max-w-[1600px] mx-auto px-4 sm:px-6 lg:px-8 h-16 flex items-center justify-between"
+				class="max-w-[1600px] mx-auto px-4 sm:px-6 lg:px-8 flex flex-col gap-3 md:h-16 md:flex-row md:items-center md:justify-between py-3 md:py-0"
 			>
-				<div class="flex items-center gap-3">
+				<div class="flex items-center gap-2 sm:gap-3 flex-wrap">
 					<img src="/logo.png" alt="Quad4 Logo" width="32" height="32" class="w-8 h-8 rounded-md" />
 					<a href="/" class="text-xl font-bold tracking-tight">Software Station</a>
 					<span class="text-muted-foreground mx-1">|</span>
@@ -71,11 +71,11 @@
 							: 'hover:text-primary'} transition-colors">Docs</a
 					>
 				</div>
-				<div class="flex items-center gap-4">
+				<div class="flex items-center gap-3 sm:gap-4 w-full md:w-auto justify-end">
 					{#if !verifierGloballyDisabled}
 						<button
 							onclick={() => ($verifierDisabled = !$verifierDisabled)}
-							class="hidden sm:flex p-2 rounded-lg hover:bg-accent transition-colors {$verifierDisabled
+							class="flex p-2 rounded-lg hover:bg-accent transition-colors {$verifierDisabled
 								? 'text-destructive'
 								: 'text-muted-foreground'}"
 							title={$verifierDisabled ? 'Verifier Disabled' : 'Verifier Enabled'}
@@ -129,22 +129,6 @@
 
 		<VerificationToasts />
 
-		{#if !verifierGloballyDisabled}
-			<button
-				onclick={() => ($verifierDisabled = !$verifierDisabled)}
-				class="sm:hidden fixed bottom-6 right-6 z-[100] p-4 rounded-full bg-primary text-primary-foreground shadow-2xl shadow-primary/30 transition-all active:scale-95 {$verifierDisabled
-					? 'bg-destructive shadow-destructive/30'
-					: ''}"
-				aria-label={$verifierDisabled ? 'Enable Verifier' : 'Disable Verifier'}
-			>
-				{#if $verifierDisabled}
-					<ShieldOff class="w-6 h-6" />
-				{:else}
-					<Shield class="w-6 h-6" />
-				{/if}
-			</button>
-		{/if}
-
 		{#if !page.url.pathname.startsWith('/docs')}
 			<footer class="border-t border-border mt-auto pt-6 pb-4">
 				<div class="max-w-[1600px] mx-auto px-4 text-center space-y-3">

frontend/src/routes/+page.svelte

@@ -42,14 +42,13 @@
 	);
 </script>
 
-<div class="space-y-8 min-h-[600px]">
+<div class="space-y-6 sm:space-y-8 min-h-[600px]">
-	<div class="h-[56px]">
+	<div class="pt-1 sm:pt-2">
-		<!-- Reserve space for SearchBar -->
 		<SearchBar bind:searchQuery />
 	</div>
 
 	{#if loading}
-		<div class="grid grid-cols-1 md:grid-cols-2 2xl:grid-cols-3 gap-6">
+		<div class="grid grid-cols-1 md:grid-cols-2 2xl:grid-cols-3 gap-5 sm:gap-6">
 			{#each Array(6) as _}
 				<div
 					class="flex flex-col h-[400px] rounded-xl border border-border bg-card overflow-hidden"
@@ -106,7 +105,7 @@
 			<p class="text-muted-foreground">{$t('common.tryAdjusting')}</p>
 		</div>
 	{:else}
-		<div class="grid grid-cols-1 md:grid-cols-2 2xl:grid-cols-3 gap-6">
+		<div class="grid grid-cols-1 md:grid-cols-2 2xl:grid-cols-3 gap-5 sm:gap-6">
 			{#each filteredSoftware as software}
 				<SoftwareCard {software} {expandedReleases} onToggleReleases={toggleReleases} />
 			{/each}

frontend/static/verifier/wasm_exec.js

@@ -2,22 +2,30 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-"use strict";
+'use strict';
 
 (() => {
 	const enosys = () => {
-		const err = new Error("not implemented");
+		const err = new Error('not implemented');
-		err.code = "ENOSYS";
+		err.code = 'ENOSYS';
 		return err;
 	};
 
 	if (!globalThis.fs) {
-		let outputBuf = "";
+		let outputBuf = '';
 		globalThis.fs = {
-			constants: { O_WRONLY: -1, O_RDWR: -1, O_CREAT: -1, O_TRUNC: -1, O_APPEND: -1, O_EXCL: -1, O_DIRECTORY: -1 }, // unused
+			constants: {
+				O_WRONLY: -1,
+				O_RDWR: -1,
+				O_CREAT: -1,
+				O_TRUNC: -1,
+				O_APPEND: -1,
+				O_EXCL: -1,
+				O_DIRECTORY: -1,
+			}, // unused
 			writeSync(fd, buf) {
 				outputBuf += decoder.decode(buf);
-				const nl = outputBuf.lastIndexOf("\n");
+				const nl = outputBuf.lastIndexOf('\n');
 				if (nl != -1) {
 					console.log(outputBuf.substring(0, nl));
 					outputBuf = outputBuf.substring(nl + 1);
@@ -32,81 +40,147 @@
 				const n = this.writeSync(fd, buf);
 				callback(null, n);
 			},
-			chmod(path, mode, callback) { callback(enosys()); },
+			chmod(path, mode, callback) {
-			chown(path, uid, gid, callback) { callback(enosys()); },
+				callback(enosys());
-			close(fd, callback) { callback(enosys()); },
+			},
-			fchmod(fd, mode, callback) { callback(enosys()); },
+			chown(path, uid, gid, callback) {
-			fchown(fd, uid, gid, callback) { callback(enosys()); },
+				callback(enosys());
-			fstat(fd, callback) { callback(enosys()); },
+			},
-			fsync(fd, callback) { callback(null); },
+			close(fd, callback) {
-			ftruncate(fd, length, callback) { callback(enosys()); },
+				callback(enosys());
-			lchown(path, uid, gid, callback) { callback(enosys()); },
+			},
-			link(path, link, callback) { callback(enosys()); },
+			fchmod(fd, mode, callback) {
-			lstat(path, callback) { callback(enosys()); },
+				callback(enosys());
-			mkdir(path, perm, callback) { callback(enosys()); },
+			},
-			open(path, flags, mode, callback) { callback(enosys()); },
+			fchown(fd, uid, gid, callback) {
-			read(fd, buffer, offset, length, position, callback) { callback(enosys()); },
+				callback(enosys());
-			readdir(path, callback) { callback(enosys()); },
+			},
-			readlink(path, callback) { callback(enosys()); },
+			fstat(fd, callback) {
-			rename(from, to, callback) { callback(enosys()); },
+				callback(enosys());
-			rmdir(path, callback) { callback(enosys()); },
+			},
-			stat(path, callback) { callback(enosys()); },
+			fsync(fd, callback) {
-			symlink(path, link, callback) { callback(enosys()); },
+				callback(null);
-			truncate(path, length, callback) { callback(enosys()); },
+			},
-			unlink(path, callback) { callback(enosys()); },
+			ftruncate(fd, length, callback) {
-			utimes(path, atime, mtime, callback) { callback(enosys()); },
+				callback(enosys());
+			},
+			lchown(path, uid, gid, callback) {
+				callback(enosys());
+			},
+			link(path, link, callback) {
+				callback(enosys());
+			},
+			lstat(path, callback) {
+				callback(enosys());
+			},
+			mkdir(path, perm, callback) {
+				callback(enosys());
+			},
+			open(path, flags, mode, callback) {
+				callback(enosys());
+			},
+			read(fd, buffer, offset, length, position, callback) {
+				callback(enosys());
+			},
+			readdir(path, callback) {
+				callback(enosys());
+			},
+			readlink(path, callback) {
+				callback(enosys());
+			},
+			rename(from, to, callback) {
+				callback(enosys());
+			},
+			rmdir(path, callback) {
+				callback(enosys());
+			},
+			stat(path, callback) {
+				callback(enosys());
+			},
+			symlink(path, link, callback) {
+				callback(enosys());
+			},
+			truncate(path, length, callback) {
+				callback(enosys());
+			},
+			unlink(path, callback) {
+				callback(enosys());
+			},
+			utimes(path, atime, mtime, callback) {
+				callback(enosys());
+			},
 		};
 	}
 
 	if (!globalThis.process) {
 		globalThis.process = {
-			getuid() { return -1; },
+			getuid() {
-			getgid() { return -1; },
+				return -1;
-			geteuid() { return -1; },
+			},
-			getegid() { return -1; },
+			getgid() {
-			getgroups() { throw enosys(); },
+				return -1;
+			},
+			geteuid() {
+				return -1;
+			},
+			getegid() {
+				return -1;
+			},
+			getgroups() {
+				throw enosys();
+			},
 			pid: -1,
 			ppid: -1,
-			umask() { throw enosys(); },
+			umask() {
-			cwd() { throw enosys(); },
+				throw enosys();
-			chdir() { throw enosys(); },
+			},
-		}
+			cwd() {
+				throw enosys();
+			},
+			chdir() {
+				throw enosys();
+			},
+		};
 	}
 
 	if (!globalThis.path) {
 		globalThis.path = {
 			resolve(...pathSegments) {
-				return pathSegments.join("/");
+				return pathSegments.join('/');
-			}
+			},
-		}
+		};
 	}
 
 	if (!globalThis.crypto) {
-		throw new Error("globalThis.crypto is not available, polyfill required (crypto.getRandomValues only)");
+		throw new Error(
+			'globalThis.crypto is not available, polyfill required (crypto.getRandomValues only)'
+		);
 	}
 
 	if (!globalThis.performance) {
-		throw new Error("globalThis.performance is not available, polyfill required (performance.now only)");
+		throw new Error(
+			'globalThis.performance is not available, polyfill required (performance.now only)'
+		);
 	}
 
 	if (!globalThis.TextEncoder) {
-		throw new Error("globalThis.TextEncoder is not available, polyfill required");
+		throw new Error('globalThis.TextEncoder is not available, polyfill required');
 	}
 
 	if (!globalThis.TextDecoder) {
-		throw new Error("globalThis.TextDecoder is not available, polyfill required");
+		throw new Error('globalThis.TextDecoder is not available, polyfill required');
 	}
 
-	const encoder = new TextEncoder("utf-8");
+	const encoder = new TextEncoder('utf-8');
-	const decoder = new TextDecoder("utf-8");
+	const decoder = new TextDecoder('utf-8');
 
 	globalThis.Go = class {
 		constructor() {
-			this.argv = ["js"];
+			this.argv = ['js'];
 			this.env = {};
 			this.exit = (code) => {
 				if (code !== 0) {
-					console.warn("exit code:", code);
+					console.warn('exit code:', code);
 				}
 			};
 			this._exitPromise = new Promise((resolve) => {
@@ -119,17 +193,17 @@
 			const setInt64 = (addr, v) => {
 				this.mem.setUint32(addr + 0, v, true);
 				this.mem.setUint32(addr + 4, Math.floor(v / 4294967296), true);
-			}
+			};
 
 			const setInt32 = (addr, v) => {
 				this.mem.setUint32(addr + 0, v, true);
-			}
+			};
 
 			const getInt64 = (addr) => {
 				const low = this.mem.getUint32(addr + 0, true);
 				const high = this.mem.getInt32(addr + 4, true);
 				return low + high * 4294967296;
-			}
+			};
 
 			const loadValue = (addr) => {
 				const f = this.mem.getFloat64(addr, true);
@@ -142,12 +216,12 @@
 
 				const id = this.mem.getUint32(addr, true);
 				return this._values[id];
-			}
+			};
 
 			const storeValue = (addr, v) => {
-				const nanHead = 0x7FF80000;
+				const nanHead = 0x7ff80000;
 
-				if (typeof v === "number" && v !== 0) {
+				if (typeof v === 'number' && v !== 0) {
 					if (isNaN(v)) {
 						this.mem.setUint32(addr + 4, nanHead, true);
 						this.mem.setUint32(addr, 0, true);
@@ -175,30 +249,30 @@
 				this._goRefCounts[id]++;
 				let typeFlag = 0;
 				switch (typeof v) {
-					case "object":
+					case 'object':
 						if (v !== null) {
 							typeFlag = 1;
 						}
 						break;
-					case "string":
+					case 'string':
 						typeFlag = 2;
 						break;
-					case "symbol":
+					case 'symbol':
 						typeFlag = 3;
 						break;
-					case "function":
+					case 'function':
 						typeFlag = 4;
 						break;
 				}
 				this.mem.setUint32(addr + 4, nanHead | typeFlag, true);
 				this.mem.setUint32(addr, id, true);
-			}
+			};
 
 			const loadSlice = (addr) => {
 				const array = getInt64(addr + 0);
 				const len = getInt64(addr + 8);
 				return new Uint8Array(this._inst.exports.mem.buffer, array, len);
-			}
+			};
 
 			const loadSliceOfValues = (addr) => {
 				const array = getInt64(addr + 0);
@@ -208,18 +282,18 @@
 					a[i] = loadValue(array + i * 8);
 				}
 				return a;
-			}
+			};
 
 			const loadString = (addr) => {
 				const saddr = getInt64(addr + 0);
 				const len = getInt64(addr + 8);
 				return decoder.decode(new DataView(this._inst.exports.mem.buffer, saddr, len));
-			}
+			};
 
 			const testCallExport = (a, b) => {
 				this._inst.exports.testExport0();
 				return this._inst.exports.testExport(a, b);
-			}
+			};
 
 			const timeOrigin = Date.now() - performance.now();
 			this.importObject = {
@@ -234,7 +308,7 @@
 					// This changes the SP, thus we have to update the SP used by the imported function.
 
 					// func wasmExit(code int32)
-					"runtime.wasmExit": (sp) => {
+					'runtime.wasmExit': (sp) => {
 						sp >>>= 0;
 						const code = this.mem.getInt32(sp + 8, true);
 						this.exited = true;
@@ -247,7 +321,7 @@
 					},
 
 					// func wasmWrite(fd uintptr, p unsafe.Pointer, n int32)
-					"runtime.wasmWrite": (sp) => {
+					'runtime.wasmWrite': (sp) => {
 						sp >>>= 0;
 						const fd = getInt64(sp + 8);
 						const p = getInt64(sp + 16);
@@ -256,47 +330,50 @@
 					},
 
 					// func resetMemoryDataView()
-					"runtime.resetMemoryDataView": (sp) => {
+					'runtime.resetMemoryDataView': (sp) => {
 						sp >>>= 0;
 						this.mem = new DataView(this._inst.exports.mem.buffer);
 					},
 
 					// func nanotime1() int64
-					"runtime.nanotime1": (sp) => {
+					'runtime.nanotime1': (sp) => {
 						sp >>>= 0;
 						setInt64(sp + 8, (timeOrigin + performance.now()) * 1000000);
 					},
 
 					// func walltime() (sec int64, nsec int32)
-					"runtime.walltime": (sp) => {
+					'runtime.walltime': (sp) => {
 						sp >>>= 0;
-						const msec = (new Date).getTime();
+						const msec = new Date().getTime();
 						setInt64(sp + 8, msec / 1000);
 						this.mem.setInt32(sp + 16, (msec % 1000) * 1000000, true);
 					},
 
 					// func scheduleTimeoutEvent(delay int64) int32
-					"runtime.scheduleTimeoutEvent": (sp) => {
+					'runtime.scheduleTimeoutEvent': (sp) => {
 						sp >>>= 0;
 						const id = this._nextCallbackTimeoutID;
 						this._nextCallbackTimeoutID++;
-						this._scheduledTimeouts.set(id, setTimeout(
+						this._scheduledTimeouts.set(
-							() => {
+							id,
-								this._resume();
+							setTimeout(
-								while (this._scheduledTimeouts.has(id)) {
+								() => {
-									// for some reason Go failed to register the timeout event, log and try again
-									// (temporary workaround for https://github.com/golang/go/issues/28975)
-									console.warn("scheduleTimeoutEvent: missed timeout event");
 									this._resume();
-								}
+									while (this._scheduledTimeouts.has(id)) {
-							},
+										// for some reason Go failed to register the timeout event, log and try again
-							getInt64(sp + 8),
+										// (temporary workaround for https://github.com/golang/go/issues/28975)
-						));
+										console.warn('scheduleTimeoutEvent: missed timeout event');
+										this._resume();
+									}
+								},
+								getInt64(sp + 8)
+							)
+						);
 						this.mem.setInt32(sp + 16, id, true);
 					},
 
 					// func clearTimeoutEvent(id int32)
-					"runtime.clearTimeoutEvent": (sp) => {
+					'runtime.clearTimeoutEvent': (sp) => {
 						sp >>>= 0;
 						const id = this.mem.getInt32(sp + 8, true);
 						clearTimeout(this._scheduledTimeouts.get(id));
@@ -304,13 +381,13 @@
 					},
 
 					// func getRandomData(r []byte)
-					"runtime.getRandomData": (sp) => {
+					'runtime.getRandomData': (sp) => {
 						sp >>>= 0;
 						crypto.getRandomValues(loadSlice(sp + 8));
 					},
 
 					// func finalizeRef(v ref)
-					"syscall/js.finalizeRef": (sp) => {
+					'syscall/js.finalizeRef': (sp) => {
 						sp >>>= 0;
 						const id = this.mem.getUint32(sp + 8, true);
 						this._goRefCounts[id]--;
@@ -323,13 +400,13 @@
 					},
 
 					// func stringVal(value string) ref
-					"syscall/js.stringVal": (sp) => {
+					'syscall/js.stringVal': (sp) => {
 						sp >>>= 0;
 						storeValue(sp + 24, loadString(sp + 8));
 					},
 
 					// func valueGet(v ref, p string) ref
-					"syscall/js.valueGet": (sp) => {
+					'syscall/js.valueGet': (sp) => {
 						sp >>>= 0;
 						const result = Reflect.get(loadValue(sp + 8), loadString(sp + 16));
 						sp = this._inst.exports.getsp() >>> 0; // see comment above
@@ -337,31 +414,31 @@
 					},
 
 					// func valueSet(v ref, p string, x ref)
-					"syscall/js.valueSet": (sp) => {
+					'syscall/js.valueSet': (sp) => {
 						sp >>>= 0;
 						Reflect.set(loadValue(sp + 8), loadString(sp + 16), loadValue(sp + 32));
 					},
 
 					// func valueDelete(v ref, p string)
-					"syscall/js.valueDelete": (sp) => {
+					'syscall/js.valueDelete': (sp) => {
 						sp >>>= 0;
 						Reflect.deleteProperty(loadValue(sp + 8), loadString(sp + 16));
 					},
 
 					// func valueIndex(v ref, i int) ref
-					"syscall/js.valueIndex": (sp) => {
+					'syscall/js.valueIndex': (sp) => {
 						sp >>>= 0;
 						storeValue(sp + 24, Reflect.get(loadValue(sp + 8), getInt64(sp + 16)));
 					},
 
 					// valueSetIndex(v ref, i int, x ref)
-					"syscall/js.valueSetIndex": (sp) => {
+					'syscall/js.valueSetIndex': (sp) => {
 						sp >>>= 0;
 						Reflect.set(loadValue(sp + 8), getInt64(sp + 16), loadValue(sp + 24));
 					},
 
 					// func valueCall(v ref, m string, args []ref) (ref, bool)
-					"syscall/js.valueCall": (sp) => {
+					'syscall/js.valueCall': (sp) => {
 						sp >>>= 0;
 						try {
 							const v = loadValue(sp + 8);
@@ -379,7 +456,7 @@
 					},
 
 					// func valueInvoke(v ref, args []ref) (ref, bool)
-					"syscall/js.valueInvoke": (sp) => {
+					'syscall/js.valueInvoke': (sp) => {
 						sp >>>= 0;
 						try {
 							const v = loadValue(sp + 8);
@@ -396,7 +473,7 @@
 					},
 
 					// func valueNew(v ref, args []ref) (ref, bool)
-					"syscall/js.valueNew": (sp) => {
+					'syscall/js.valueNew': (sp) => {
 						sp >>>= 0;
 						try {
 							const v = loadValue(sp + 8);
@@ -413,13 +490,13 @@
 					},
 
 					// func valueLength(v ref) int
-					"syscall/js.valueLength": (sp) => {
+					'syscall/js.valueLength': (sp) => {
 						sp >>>= 0;
 						setInt64(sp + 16, parseInt(loadValue(sp + 8).length));
 					},
 
 					// valuePrepareString(v ref) (ref, int)
-					"syscall/js.valuePrepareString": (sp) => {
+					'syscall/js.valuePrepareString': (sp) => {
 						sp >>>= 0;
 						const str = encoder.encode(String(loadValue(sp + 8)));
 						storeValue(sp + 16, str);
@@ -427,20 +504,20 @@
 					},
 
 					// valueLoadString(v ref, b []byte)
-					"syscall/js.valueLoadString": (sp) => {
+					'syscall/js.valueLoadString': (sp) => {
 						sp >>>= 0;
 						const str = loadValue(sp + 8);
 						loadSlice(sp + 16).set(str);
 					},
 
 					// func valueInstanceOf(v ref, t ref) bool
-					"syscall/js.valueInstanceOf": (sp) => {
+					'syscall/js.valueInstanceOf': (sp) => {
 						sp >>>= 0;
-						this.mem.setUint8(sp + 24, (loadValue(sp + 8) instanceof loadValue(sp + 16)) ? 1 : 0);
+						this.mem.setUint8(sp + 24, loadValue(sp + 8) instanceof loadValue(sp + 16) ? 1 : 0);
 					},
 
 					// func copyBytesToGo(dst []byte, src ref) (int, bool)
-					"syscall/js.copyBytesToGo": (sp) => {
+					'syscall/js.copyBytesToGo': (sp) => {
 						sp >>>= 0;
 						const dst = loadSlice(sp + 8);
 						const src = loadValue(sp + 32);
@@ -455,7 +532,7 @@
 					},
 
 					// func copyBytesToJS(dst ref, src []byte) (int, bool)
-					"syscall/js.copyBytesToJS": (sp) => {
+					'syscall/js.copyBytesToJS': (sp) => {
 						sp >>>= 0;
 						const dst = loadValue(sp + 8);
 						const src = loadSlice(sp + 16);
@@ -469,20 +546,21 @@
 						this.mem.setUint8(sp + 48, 1);
 					},
 
-					"debug": (value) => {
+					debug: (value) => {
 						console.log(value);
 					},
-				}
+				},
 			};
 		}
 
 		async run(instance) {
 			if (!(instance instanceof WebAssembly.Instance)) {
-				throw new Error("Go.run: WebAssembly.Instance expected");
+				throw new Error('Go.run: WebAssembly.Instance expected');
 			}
 			this._inst = instance;
 			this.mem = new DataView(this._inst.exports.mem.buffer);
-			this._values = [ // JS values that Go currently has references to, indexed by reference id
+			this._values = [
+				// JS values that Go currently has references to, indexed by reference id
 				NaN,
 				0,
 				null,
@@ -492,7 +570,8 @@
 				this,
 			];
 			this._goRefCounts = new Array(this._values.length).fill(Infinity); // number of references that Go has to a JS value, indexed by reference id
-			this._ids = new Map([ // mapping from JS values to reference ids
+			this._ids = new Map([
+				// mapping from JS values to reference ids
 				[0, 1],
 				[null, 2],
 				[true, 3],
@@ -500,7 +579,7 @@
 				[globalThis, 5],
 				[this, 6],
 			]);
-			this._idPool = [];   // unused ids that have been garbage collected
+			this._idPool = []; // unused ids that have been garbage collected
 			this.exited = false; // whether the Go program has exited
 
 			// Pass command line arguments and environment variables to WebAssembly by writing them to the linear memory.
@@ -508,7 +587,7 @@
 
 			const strPtr = (str) => {
 				const ptr = offset;
-				const bytes = encoder.encode(str + "\0");
+				const bytes = encoder.encode(str + '\0');
 				new Uint8Array(this.mem.buffer, offset, bytes.length).set(bytes);
 				offset += bytes.length;
 				if (offset % 8 !== 0) {
@@ -542,7 +621,7 @@
 			// Keep in sync with cmd/link/internal/ld/data.go:wasmMinDataAddr.
 			const wasmMinDataAddr = 4096 + 8192;
 			if (offset >= wasmMinDataAddr) {
-				throw new Error("total length of command line and environment variables exceeds limit");
+				throw new Error('total length of command line and environment variables exceeds limit');
 			}
 
 			this._inst.exports.run(argc, argv);
@@ -554,7 +633,7 @@
 
 		_resume() {
 			if (this.exited) {
-				throw new Error("Go program has already exited");
+				throw new Error('Go program has already exited');
 			}
 			this._inst.exports.resume();
 			if (this.exited) {
@@ -571,5 +650,5 @@
 				return event.result;
 			};
 		}
-	}
+	};
 })();

internal/security/security.go

@@ -193,7 +193,7 @@ func GetSafeHTTPClient(timeout time.Duration) *http.Client {
 	}
 }
 
-func SecurityMiddleware(s *stats.Service, bb *BotBlocker) func(http.Handler) http.Handler {
+func SecurityMiddleware(s *stats.Service, bb *BotBlocker, forbiddenHandler http.HandlerFunc) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			start := time.Now()
@@ -240,7 +240,11 @@ func SecurityMiddleware(s *stats.Service, bb *BotBlocker) func(http.Handler) htt
 				s.GlobalStats.Lock()
 				s.GlobalStats.BlockedRequests[fingerprint] = true
 				s.GlobalStats.Unlock()
-				http.Error(w, "Bots are not allowed", http.StatusForbidden)
+				if forbiddenHandler != nil {
+					forbiddenHandler(w, r)
+				} else {
+					http.Error(w, "Bots are not allowed", http.StatusForbidden)
+				}
 				return
 			}
 
@@ -250,7 +254,11 @@ func SecurityMiddleware(s *stats.Service, bb *BotBlocker) func(http.Handler) htt
 					s.GlobalStats.BlockedRequests[fingerprint] = true
 					s.GlobalStats.Unlock()
 					log.Printf("Blocked suspicious request: %s from %s (%s)", r.URL.String(), r.RemoteAddr, r.UserAgent())
-					http.Error(w, "Forbidden", http.StatusForbidden)
+					if forbiddenHandler != nil {
+						forbiddenHandler(w, r)
+					} else {
+						http.Error(w, "Forbidden", http.StatusForbidden)
+					}
 					return
 				}
 			}

internal/security/security_test.go

@@ -100,7 +100,7 @@ func TestGetRequestFingerprint(t *testing.T) {
 func TestSecurityMiddleware(t *testing.T) {
 	statsService := stats.NewService("test-hashes.json")
 	botBlocker := NewBotBlocker("")
-	handler := SecurityMiddleware(statsService, botBlocker)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	handler := SecurityMiddleware(statsService, botBlocker, nil)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
 	}))
 

main.go

@@ -87,7 +87,38 @@ func main() {
 	r.Use(middleware.Logger)
 	r.Use(middleware.Recoverer)
 	r.Use(middleware.Compress(api.CompressionLevel))
-	r.Use(security.SecurityMiddleware(statsService, botBlocker))
+
+	contentStatic, err := fs.Sub(frontendBuild, "frontend/build")
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	serveIndex := func(w http.ResponseWriter, r *http.Request, status int) {
+		indexData, err := fs.ReadFile(contentStatic, "index.html")
+		if err != nil {
+			http.Error(w, "Index not found", http.StatusInternalServerError)
+			return
+		}
+
+		// Inject global configuration
+		html := string(indexData)
+		configJS := fmt.Sprintf("<script>window.VERIFIER_GLOBALLY_DISABLED = %v;</script>", *disableVerifier)
+		html = strings.Replace(html, "</head>", configJS+"</head>", 1)
+
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		w.WriteHeader(status)
+		_, _ = w.Write([]byte(html))
+	}
+
+	staticHandler := http.FileServer(http.FS(contentStatic))
+
+	r.Use(security.SecurityMiddleware(statsService, botBlocker, func(w http.ResponseWriter, r *http.Request) {
+		if strings.HasPrefix(r.URL.Path, "/api") {
+			http.Error(w, "Forbidden", http.StatusForbidden)
+			return
+		}
+		serveIndex(w, r, http.StatusForbidden)
+	}))
 
 	r.Use(httprate.Limit(
 		security.GlobalRateLimit,
@@ -95,6 +126,13 @@ func main() {
 		httprate.WithKeyFuncs(func(r *http.Request) (string, error) {
 			return security.GetRequestFingerprint(r, statsService), nil
 		}),
+		httprate.WithLimitHandler(func(w http.ResponseWriter, r *http.Request) {
+			if strings.HasPrefix(r.URL.Path, "/api") {
+				http.Error(w, "Too Many Requests", http.StatusTooManyRequests)
+				return
+			}
+			serveIndex(w, r, http.StatusTooManyRequests)
+		}),
 	))
 
 	r.Route("/api", func(r chi.Router) {
@@ -104,6 +142,9 @@ func main() {
 			httprate.WithKeyFuncs(func(r *http.Request) (string, error) {
 				return security.GetRequestFingerprint(r, statsService), nil
 			}),
+			httprate.WithLimitHandler(func(w http.ResponseWriter, r *http.Request) {
+				http.Error(w, "Too Many Requests", http.StatusTooManyRequests)
+			}),
 		))
 		r.Get("/software", apiServer.APISoftwareHandler)
 		r.Get("/download", apiServer.DownloadProxyHandler)
@@ -113,12 +154,6 @@ func main() {
 		r.Get("/rss", apiServer.RSSHandler)
 	})
 
-	contentStatic, err := fs.Sub(frontendBuild, "frontend/build")
-	if err != nil {
-		log.Fatal(err)
-	}
-	staticHandler := http.FileServer(http.FS(contentStatic))
-
 	r.Get("/*", func(w http.ResponseWriter, r *http.Request) {
 		path := r.URL.Path
 		if path == "/" {
@@ -147,18 +182,7 @@ func main() {
 				return
 			}
 
-			indexData, err := fs.ReadFile(contentStatic, "index.html")
+			serveIndex(w, r, http.StatusOK)
-			if err != nil {
-				http.Error(w, "Index not found", http.StatusInternalServerError)
-				return
-			}
-
-			// Inject global configuration
-			html := string(indexData)
-			configJS := fmt.Sprintf("<script>window.VERIFIER_GLOBALLY_DISABLED = %v;</script>", *disableVerifier)
-			html = strings.Replace(html, "</head>", configJS+"</head>", 1)
-
-			http.ServeContent(w, r, "index.html", time.Unix(0, 0), strings.NewReader(html))
 			return
 		}
 		if err := f.Close(); err != nil {

main_test.go

@@ -51,7 +51,7 @@ func TestMainHandlers(t *testing.T) {
 	apiServer := api.NewServer("", initialSoftware, statsService, true)
 
 	r := chi.NewRouter()
-	r.Use(security.SecurityMiddleware(statsService, botBlocker))
+	r.Use(security.SecurityMiddleware(statsService, botBlocker, nil))
 	r.Get("/api/software", apiServer.APISoftwareHandler)
 	r.Get("/api/stats", statsService.APIStatsHandler)
 	r.Get("/api/download", apiServer.DownloadProxyHandler)