config: add security and performance sections to sample config; validate

Signed-off-by: NotAShelf <raf@notashelf.dev> Change-Id: Ieda42bcbd09014c45fb14bee579f829c6a6a6964
2026-03-01 13:06:43 +03:00 · 2026-03-01 13:06:43 +03:00 · b2256183e1
commit b2256183e1
parent c3b77696aa
2 changed files with 121 additions and 16 deletions
--- a/config.example.yaml
+++ b/config.example.yaml
@ -8,13 +8,18 @@ site:
  # Options: "daily", "hourly"
  salt_rotation: "daily"

+  # Sampling rate (0.0 to 1.0, default: 1.0 = 100%)
+  # Use 0.1 to track 10% of traffic for high-volume sites
+  sampling: 1.0
+
  # Which dimensions to collect
  collect:
    pageviews: true
    country: true
    device: true
-    # Referrer collection mode: "off", "domain"
+    # Referrer collection mode: "off", "domain", "url"
    # "domain" - collect only the domain part (e.g., "google.com")
+    # "url" - collect full URL (not recommended - high cardinality)
    # "off" - don't collect referrer data
    referrer: "domain"

@ -32,7 +37,7 @@ site:
    strip_fragment: true
    # Collapse numeric segments to :id (e.g., /user/123 -> /user/:id)
    collapse_numeric_segments: true
-    # Maximum number of path segments to keep
+    # Maximum number of path segments to keep (0 = unlimited)
    max_segments: 5
    # Normalize trailing slashes (e.g., /page/ -> /page)
    normalize_trailing_slash: true
@ -43,8 +48,36 @@ limits:
  max_paths: 10000
  # Maximum number of unique referrer sources to track
  max_sources: 500
-  # Maximum events per minute (for rate limiting, not yet implemented)
-  max_events_per_minute: 1000
+  # Maximum number of unique custom event names to track
+  max_custom_events: 100
+  # Maximum events per minute (rate limiting, 0 = unlimited)
+  max_events_per_minute: 10000
+
+  # Device classification breakpoints (screen width in pixels)
+  device_breakpoints:
+    mobile: 768  # < 768px = mobile
+    tablet: 1024 # < 1024px = tablet, >= 1024px = desktop
+
+# Security settings
+security:
+  # Trusted proxy IPs/CIDRs - only trust X-Forwarded-For from these IPs
+  # Leave empty to never trust proxy headers
+  trusted_proxies:
+    - "127.0.0.1"
+    - "10.0.0.0/8"
+    # - "your-load-balancer-ip"
+
+  # CORS configuration for cross-origin tracking
+  cors:
+    enabled: false
+    allowed_origins:
+      - "*"  # Or specific domains: ["https://example.com", "https://www.example.com"]
+
+  # Basic authentication for /metrics endpoint
+  metrics_auth:
+    enabled: false
+    username: "admin"
+    password: "changeme"

 # Server configuration
 server: