Tags: mccutchen/go-httpbin

v2.14.0

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
fix: mitigate allowed redirect domain bypass (#174)

Before this change, it was possible to bypass go-httpbin's allowed
redirect domain configuration by passing an absolute URL without a
scheme (e.g. `//evil.com`) to the `/redirect-to` endpoint.

Fixes #173.
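
The scheme-less case described in the commit message above, as an added example (not go-httpbin's code): Go's `net/url` parses `//evil.com` with an empty scheme but a non-empty host, so an allowlist check gated on the scheme never looks at the host. The function names, the allowlist and the sample targets are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// schemeOnlyCheck (hypothetical) validates the host only when the target has
// a scheme, so "//evil.com" is treated like a relative path and accepted.
func schemeOnlyCheck(target string, allowed map[string]bool) bool {
	u, err := url.Parse(target)
	if err != nil {
		return false
	}
	if u.IsAbs() { // IsAbs is true only when u.Scheme is non-empty
		return allowed[strings.ToLower(u.Hostname())]
	}
	return true
}

// hostAwareCheck (hypothetical) validates every target that names a host,
// with or without a scheme, and accepts host-less targets only as plain paths.
func hostAwareCheck(target string, allowed map[string]bool) bool {
	u, err := url.Parse(target)
	if err != nil {
		return false
	}
	if u.Host != "" {
		return allowed[strings.ToLower(u.Hostname())]
	}
	return u.Scheme == "" // no host and no scheme: same-site path
}

func main() {
	allowed := map[string]bool{"example.org": true} // constructed allowlist
	for _, target := range []string{"/get", "https://example.org/a", "https://evil.com", "//evil.com"} {
		fmt.Printf("%-24s schemeOnly=%-5v hostAware=%v\n", target,
			schemeOnlyCheck(target, allowed), hostAwareCheck(target, allowed))
	}
}
```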

v2.13.4

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
feat: support Fastly and Akamai headers for client IP addr (#167)

Add support for Fastly and Akamai custom headers to get a reasonable
value of the client ip address.

Co-authored-by: haccht <haccht@users.noreply.github.com>

v2.13.3

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
feat: allow POST, PUT, DELETE, PATCH methods on /basic-auth endpoint (#166)

v2.13.2

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
feat: /status endpoint supports weighted choice (#162)

Fixes compatibility with the original httpbin by making the `/status`
endpoint accept multiple, optionally weighted status codes to choose
from. Per the description in #145, this implementation attempts to match
original httpbin's behavior:
- If not specified, weight is 1
- If specified, weights are parsed as floats, but there is no
   requirement that they sum to 1.0 or are otherwise limited to any
   particular range

Fixes #145.

v2.13.1

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
fix: websocket conns do not require `Connection: upgrade` header (#161)

It turns out that the WebSocket API provided by browsers [1]
does not actually send the `Connection: upgrade` header that our
websocket implementation (wrongly?) requires, so here we're dropping
that requirement.

[1]: https://developer.mozilla.org/en-US/docs/Web/API/WebSocket

v2.13.0

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
feat: add /sse endpoint to test Server-Sent Events (#160)

Each event is a "ping" that includes an incrementing integer ID and an
integer Unix timestamp with millisecond resolution:

    event: ping
    data: {"id":9,"timestamp":1702417925258}

Fixes #150.

v2.12.0

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
fix: /base64 endpoint decodes both URL-safe and standard b64 encodings (#153)

As reported in #152, the `/base64` endpoint can only decode the
"URL-safe" base64 encoding, but the error it returns is not very useful
if you're not already familiar with different base64 encoding variants.

Here we follow [Postel's law][1] and accept either the URL-safe or
standard encodings, while continuing to use the URL-safe variant
when encoding ourselves.

Fixes #152.

[1]: https://en.wikipedia.org/wiki/Robustness_principle

v2.11.1

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
feat: special case CloudFlare client IP addrs (#148)

v2.11.0

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
feat: allow filtering incoming request headers (#139)

v2.10.0

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
Consistently parse and validate user-provided status codes (#137)

In testing out error handling after #135, I happened to stumble across
an unexpected panic for requests like `/status/1024` where the
user-provided status code is outside the legal bounds. So, here we take
a quick pass to ensure we're parsing and validating status codes the
same way everywhere.