fix: round 10 critical fixes - WebSocket race, rate limiting, XSS protection, Caddyfile, and input validation

backend/gateway/internal/router/router.go

@@ -52,11 +52,14 @@ func Setup(r *gin.Engine, hub *ws.Hub, cfg *config.Config, sessionStore *store.S
 		})
 	})
 
+	// 认证路由专用限流器：每分钟每个IP每个端点最多5次请求（防暴力破解）
+	authRateLimiter := middleware.NewRateLimiter(0.083, 5) // ~5 per minute per IP+endpoint
+
 	// 认证 (无需JWT)
 	auth := api.Group("/auth")
 	{
-		auth.POST("/register", authHandler.Register)
-		auth.POST("/login", authHandler.Login)
+		auth.POST("/register", authRateLimiter.HandlerWithKey(middleware.AuthIPKey("register")), authHandler.Register)
+		auth.POST("/login", authRateLimiter.HandlerWithKey(middleware.AuthIPKey("login")), authHandler.Login)
 	}
 
 	// ========== 需要认证的路由 ==========