docs: update README with new config keys; link security document

Signed-off-by: NotAShelf <raf@notashelf.dev> Change-Id: I8820dfb50f2b236a66d1e57aa36b6b0d6a6a6964
2026-02-28 12:17:47 +03:00 · 2026-02-28 12:17:47 +03:00 · bffc6f4ec5
commit bffc6f4ec5
parent f812ca50b3
1 changed files with 53 additions and 42 deletions
--- a/docs/README.md
+++ b/docs/README.md
@ -186,7 +186,7 @@ development.
 <!--markdownlint-disable MD013 -->

 | Section         | Key                    | Default                                       | Description                                           |
-| --------------- | ---------------------- | --------------------------------------------- | ----------------------------------------- |
+| --------------- | ---------------------- | --------------------------------------------- | ----------------------------------------------------- |
 | `database`      | `url`                  | `postgresql://fc_ci:password@localhost/fc_ci` | PostgreSQL connection URL                             |
 | `database`      | `max_connections`      | `20`                                          | Maximum connection pool size                          |
 | `database`      | `min_connections`      | `5`                                           | Minimum idle connections                              |
@ -200,8 +200,9 @@ development.
 | `server`        | `api_key`              | none                                          | Optional legacy API key (prefer DB keys)              |
 | `server`        | `cors_permissive`      | `false`                                       | Allow all CORS origins                                |
 | `server`        | `allowed_origins`      | `[]`                                          | Allowed CORS origins list                             |
-| `server`        | `rate_limit_rps`       | none                                          | Requests per second limit                 |
-| `server`        | `rate_limit_burst`     | none                                          | Burst size for rate limiting              |
+| `server`        | `force_secure_cookies` | `false`                                       | Force Secure flag on cookies (enable for HTTPS proxy) |
+| `server`        | `rate_limit_rps`       | none                                          | Requests per second limit per IP (DoS protection)     |
+| `server`        | `rate_limit_burst`     | none                                          | Burst size for rate limiting (e.g., 20)               |
 | `evaluator`     | `poll_interval`        | `60`                                          | Seconds between git poll cycles                       |
 | `evaluator`     | `git_timeout`          | `600`                                         | Git operation timeout (seconds)                       |
 | `evaluator`     | `nix_timeout`          | `1800`                                        | Nix evaluation timeout (seconds)                      |
@ -300,6 +301,11 @@ proxy:
      server.host = "127.0.0.1";
      server.port = 3000;

+      # Security: enable when behind HTTPS reverse proxy
+      server.force_secure_cookies = true;
+      server.rate_limit_rps = 100;
+      server.rate_limit_burst = 20;
+
      evaluator.poll_interval = 300;
      evaluator.restrict_eval = true;
      queue_runner.workers = 8;
@ -369,6 +375,11 @@ Ensure the PostgreSQL server on the head node allows connections from builder
 machines via `pg_hba.conf` (the NixOS `services.postgresql` module handles this
 with `authentication` settings).

+## Security
+
+FC implements multiple security layers to protect your CI infrastructure. See
+[the security document](./SECURITY.md) for more details.
+
 ## Authentication

 FC supports two authentication methods: