Docs: update security documentation and hardening notes

architecture.yml:
- Update header_handling: document built-in sensitive headers blacklist
- Expand security section with hardening measures
- Add socket permissions, path recommendations, environment variable

README.md:
- Add new 'Built-in Sensitive Headers Blacklist' section
- Document all blocked headers (Authorization, Cookie, X-Api-Key, etc.)
- Update socket security: permissions 0o660, /var/run path, group membership
- Add hardening features: path validation, JSON size limit, NULL checks, mutex
- Fix JSON example (remove extra closing brace)
- Update socket consumer example with secure permissions (0o660)
- Add MOD_REQIN_LOG_SOCKET environment variable to example
- Update Fields table: header_<Name> flat structure description
- Add note about automatic sensitive header exclusion

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>

README.md

@@ -117,7 +117,6 @@ Each log entry is a single-line JSON object with a flat structure:
   "http_version": "HTTP/1.1",
   "header_X-Request-Id": "abcd-1234",
   "header_User-Agent": "curl/7.70.0"
-  }
 }
 ```
 
@@ -135,7 +134,9 @@ Each log entry is a single-line JSON object with a flat structure:
 | `path` | String | Request path |
 | `host` | String | Host header value |
 | `http_version` | String | HTTP protocol version |
-| `headers` | Object | Configured HTTP headers |
+| `header_<Name>` | String | Flattened HTTP headers (e.g., `header_X-Request-Id`) |
+
+**Note:** Headers are logged as flat fields at the root level (not nested). Sensitive headers are automatically excluded.
 
 ## Unix Socket Consumer
 
@@ -147,7 +148,7 @@ import socket
 import os
 import json
 
-SOCKET_PATH = "/var/run/mod_reqin_log.sock"
+SOCKET_PATH = os.environ.get("MOD_REQIN_LOG_SOCKET", "/var/run/mod_reqin_log.sock")
 
 # Remove existing socket file
 if os.path.exists(SOCKET_PATH):
@@ -157,7 +158,8 @@ if os.path.exists(SOCKET_PATH):
 server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
 server.bind(SOCKET_PATH)
 server.listen(5)
-os.chmod(SOCKET_PATH, 0o666)
+# Set secure permissions: owner and group only (not world-writable)
+os.chmod(SOCKET_PATH, 0o660)
 
 print(f"Listening on {SOCKET_PATH}")
 
@@ -178,13 +180,37 @@ while True:
     conn.close()
 ```
 
+**Note:** Ensure the Apache user is in the socket file's group to allow connections.
+
 ## Security Considerations
 
-⚠️ **Important**: This module logs all HTTP requests transparently. 
+### Built-in Sensitive Headers Blacklist
 
-- **Do not log sensitive headers**: Avoid including `Authorization`, `Cookie`, `X-Api-Key`, or other sensitive headers in `JsonSockLogHeaders`
-- **Socket permissions**: Ensure the Unix socket has appropriate file permissions
-- **Log consumer security**: Protect the socket consumer from unauthorized access
+⚠️ **The module automatically blocks logging of sensitive headers:**
+
+The following headers are **always excluded** from logs to prevent credential leakage:
+- `Authorization`
+- `Cookie`, `Set-Cookie`
+- `X-Api-Key`, `X-Auth-Token`
+- `Proxy-Authorization`
+- `WWW-Authenticate`
+
+These headers are silently skipped (logged at DEBUG level only).
+
+### Socket Security
+
+- **Socket permissions**: Default to `0o660` (owner and group only)
+- **Recommended path**: `/var/run/mod_reqin_log.sock` (not `/tmp`)
+- **Environment variable**: Use `MOD_REQIN_LOG_SOCKET` to configure path
+- **Group membership**: Ensure Apache user is in the socket's group
+
+### Additional Hardening
+
+- **Socket path length**: Validated against system limit (108 bytes max)
+- **JSON size limit**: 64KB max per log line (prevents memory DoS)
+- **NULL pointer checks**: All connection/request fields validated
+- **Thread safety**: Mutex protects socket FD in worker/event MPMs
+- **Error logging**: Generic messages in error_log, details at DEBUG level
 
 ## Troubleshooting