feat: optional API key auth via X-API-Key header or ?key= param

2026-04-21 12:11:23 +02:00
parent e7924f462e
commit efc9e6510c
2 changed files with 26 additions and 0 deletions
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -46,6 +46,24 @@ php -S localhost:8080 -t web/
 | `docker/start.sh` | Boots PHP-FPM, ChromeDriver, writes config |
 | `docker-compose.yml` | Production compose |

+## API Key
+
+Set `API_KEY` env var in docker-compose to require authentication on all `/api` requests.
+Leave unset (default) for open access.
+
+```bash
+# via header (preferred — not logged in access logs)
+curl -H "X-API-Key: your-secret-key" "http://host/api?url=https://example.com"
+
+# via query param
+curl "http://host/api?key=your-secret-key&url=https://example.com"
+```
+
+## SSRF Protection
+
+Set `BLOCK_PRIVATE_IPS=true` to reject requests to LAN, loopback, and cloud metadata IPs.
+Recommended when hosting publicly. Default is off (allows local/LAN addresses).
+
 ## Caveats

 - `web/index.php` has a `var_dump($cmd)` debug statement left in `http2pic.class.php:181` - remove before shipping.