fix: secure mutating and sensitive requests to HUD server #6776
Merged
Discourage use of `--host` for anything other than the default.

Signed-off-by: Nick Sieger <nick@nicksieger.com>

Squashed commit of the following:

commit 6b6220c
Merge: bfb69e7 8e1ce55
Author: Nick Sieger <nick@nicksieger.com>
Date: Mon Jun 15 09:57:04 2026 -0500

Merge pull request #3 from nicksieger/no-origin-fallback

fix(hud): require CSRF token for HUD websocket upgrade

commit 8e1ce55
Author: mickael emirkanian <mickael.emirkanian@docker.com>
Date: Tue Jun 9 16:00:00 2026 -0400

fix(hud): require CSRF token for HUD websocket upgrade

The /ws/view CheckOrigin fell back to originCheck when no CSRF token was supplied, and originCheck returns true when the Origin header is absent, so a non-browser client that omits Origin could open the HUD websocket and read the full view stream (session state, Tiltfile contents, resource status) with no token. Drop the origin fallback and require the CSRF token, which is only obtainable from the requireToken-gated /api/websocket_token endpoint; the frontend already connects with ?csrf=<token>, so the only change is that a stale tab must reload to reconnect.

commit d0b2e48
Author: Nick Sieger <nick@nicksieger.com>
Date: Mon Jun 8 10:38:14 2026 -0500

docs(cli): reframe --host flag to discourage 0.0.0.0 binding

Replace "Set to 0.0.0.0 to listen on all interfaces" hint with guidance that the default is localhost and users should only change it if they need remote access and understand the security implications.

commit bfb69e7
Author: Nick Sieger <nick@nicksieger.com>
Date: Mon Jun 8 10:38:14 2026 -0500

docs(cli): reframe --host flag to discourage 0.0.0.0 binding

Replace "Set to 0.0.0.0 to listen on all interfaces" hint with guidance that the default is localhost and users should only change it if they need remote access and understand the security implications.

commit 9d15aeb
Merge: 7e7999e f4c02cf
Author: Nick Sieger <nick@nicksieger.com>
Date: Mon Jun 8 09:02:13 2026 -0500

Merge pull request #2 from nicksieger/security-unauthenticated-hud-server-2

Add a couple of endpoints

commit f4c02cf
Author: mickael emirkanian <mickael.emirkanian@docker.com>
Date: Fri Jun 5 20:58:21 2026 -0400

add tests

Signed-off-by: mickael emirkanian <mickael.emirkanian@docker.com>

commit af35915
Author: mickael emirkanian <mickael.emirkanian@docker.com>
Date: Fri Jun 5 20:58:19 2026 -0400

update /api/snapshot /api/websocket_token and /proxy/*

Signed-off-by: mickael emirkanian <mickael.emirkanian@docker.com>

commit f57c5a8
Author: mickael emirkanian <mickael.emirkanian@docker.com>
Date: Fri Jun 5 20:58:17 2026 -0400

add TILT_DISABLE_HUD_AUTH opt-out

Signed-off-by: mickael emirkanian <mickael.emirkanian@docker.com>

commit 7e7999e
Author: Nick Sieger <nick@nicksieger.com>
Date: Fri Jun 5 15:12:08 2026 -0500

fix: we only need one origin check function

commit bd392b0
Author: Nick Sieger <nick@nicksieger.com>
Date: Fri Jun 5 14:58:12 2026 -0500

security(hud): protect /api/view and /api/dump/engine with token auth

- apply requireToken middleware to /api/view and /api/dump/engine
- update requireToken to accept token from X-Tilt-Token header or Tilt-Token cookie
- update CLI apiGet/apiPostJson to send X-Tilt-Token header using persisted token
- add tests for all requireToken auth paths

Signed-off-by: Nick Sieger <nick@nicksieger.com>

commit fef0d80
Author: Nick Sieger <nick@nicksieger.com>
Date: Fri Jun 5 13:39:53 2026 -0500

security(hud): restrict /debug/pprof to loopback connections

- Add loopbackOnly middleware that checks RemoteAddr and returns 403 for any non-loopback source IP
- Wrap the /debug prefix on both the web router and the API router so pprof memory dumps and goroutine profiles are not reachable from the network when Tilt runs with --host 0.0.0.0

Signed-off-by: Nick Sieger <nick@nicksieger.com>

commit 83d11fd
Author: Nick Sieger <nick@nicksieger.com>
Date: Fri Jun 5 13:38:34 2026 -0500

security(hud): add Origin header validation middleware

- Reject any request whose Origin header is present but does not match the Host the client connected to
- Browsers always send Origin on cross-origin requests, so this blocks CSRF from network-reachable attackers (e.g. --host 0.0.0.0 mode) without affecting same-origin browser traffic or CLI tools
- Wired via mux.Use() so it covers the entire HUD router

Signed-off-by: Nick Sieger <nick@nicksieger.com>

commit 6479e60
Author: Nick Sieger <nick@nicksieger.com>
Signed-off-by: Nick Sieger <nick@nicksieger.com>
Date: Fri Jun 5 13:36:55 2026 -0500

security(hud): add SameSite=Strict cookie and requireToken middleware

- Set SameSite=Strict on Tilt-Token cookie; browsers will not send it on cross-site requests, blocking CSRF against mutation endpoints
- Add requireToken middleware: validates cookie value against store token, returns 403 on mismatch or absence
- Wrap /api/analytics, /api/analytics_opt, /api/trigger, /api/override/trigger_mode, and /api/set_tiltfile_args

Signed-off-by: Nick Sieger <nick@nicksieger.com>
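The two request checks the commit messages above describe, an Origin-vs-Host comparison and a token taken from the X-Tilt-Token header or the Tilt-Token cookie, as an added Go example written for this page rather than taken from Tilt's source; the function names and the `want` parameter are assumptions, and the origin check's pass-through on an absent Origin is exactly why the websocket fix stops using it as a substitute for the token.

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"net/url"
)

// originMatchesHost rejects a request whose Origin header is present but does
// not match the Host the client connected to. An absent Origin passes (CLI
// tools omit it), so this blocks browser CSRF but is not an authentication gate.
func originMatchesHost(r *http.Request) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		return true
	}
	u, err := url.Parse(origin)
	return err == nil && u.Host == r.Host
}

// tokenFromRequest prefers the X-Tilt-Token header (used by the CLI), then the
// Tilt-Token cookie (used by the browser UI).
func tokenFromRequest(r *http.Request) string {
	if t := r.Header.Get("X-Tilt-Token"); t != "" {
		return t
	}
	if c, err := r.Cookie("Tilt-Token"); err == nil {
		return c.Value
	}
	return ""
}

// requireToken (assumed shape, not Tilt's own middleware) returns 403 unless
// the presented token equals want; the comparison is constant-time.
func requireToken(want string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := tokenFromRequest(r)
		if got == "" || subtle.ConstantTimeCompare([]byte(got), []byte(want)) != 1 {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```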
Require tokens on mutating and sensitive URLs from CLI, UI and websocket interfaces. Discourage use of/overriding the default localhost value of the --host flag.

Signed-off-by: Nick Sieger <nick@nicksieger.com>