@angular-helpers/security 21.3.0 → 21.4.1

package/README.md

@@ -76,6 +76,19 @@ Security package for Angular applications that prevents common attacks like ReDo
 - **Verified auto-clear**: reads back the clipboard before clearing to avoid clobbering unrelated content.
 - **Password-manager semantics**: default 15-second clear, configurable.
 
+### **Session Inactivity Monitor**
+
+- **NgZone-optimized**: DOM events tracked outside Angular change detection.
+- **Security interop**: Can automatically clear SecureStorage and SensitiveClipboard upon timeout.
+- **Warning states**: Configurable thresholds to warn users before expiration.
+
+### **Secure Cross-Window Messaging**
+
+- **HMAC-SHA-256 signatures**: Every message is signed; tampered payloads are discarded.
+- **Origin whitelist**: Messages from non-allowed origins are rejected before any crypto work.
+- **Anti-replay protection**: Envelope includes `timestamp + nonce`; messages older than 30s are discarded.
+- **SSR-safe**: No-op on the server — no `window` access.
+
 ### **Builder Pattern**
 
 - **Fluent API**: Intuitively build regular expressions.
@@ -568,6 +581,87 @@ export class ApiKeyPanel {
 The service reads the clipboard before clearing and skips the clear if the content no longer
 matches what was copied — so third-party copies by the user are never overwritten.
 
+### **SessionIdleService**
+
+```typescript
+import { SessionIdleService } from '@angular-helpers/security';
+
+export class AppComponent {
+  private sessionIdle = inject(SessionIdleService);
+
+  ngOnInit() {
+    this.sessionIdle.start({
+      timeoutMs: 15 * 60 * 1000, // 15 minutes
+      warningThresholdMs: 60 * 1000, // 1 minute warning
+      autoClearStorage: true,
+      autoClearClipboard: true,
+    });
+
+    // React to states
+    effect(() => {
+      if (this.sessionIdle.isWarning()) {
+        console.warn(`Session will expire in ${this.sessionIdle.timeRemaining()}ms`);
+      }
+    });
+
+    // React to timeout
+    this.sessionIdle.onTimeout.subscribe(() => {
+      this.authService.logout();
+    });
+  }
+}
+```
+
+The service tracks DOM events (`mousemove`, `keydown`, etc.) outside the Angular Zone to prevent change detection spam. It can automatically clear `SecureStorageService` and `SensitiveClipboardService` when the session times out.
+
+### **SecureMessageService**
+
+```typescript
+import { SecureMessageService, provideSecureMessage } from '@angular-helpers/security';
+
+// app.config.ts
+bootstrapApplication(AppComponent, {
+  providers: [provideSecureMessage()],
+});
+
+// parent-app.component.ts
+export class ParentComponent {
+  private channel = inject(SecureMessageService);
+
+  async ngOnInit() {
+    // 1. Generate a shared key (transport it to the iframe via a secure channel)
+    const key = await this.channel.generateChannelKey();
+
+    // 2. Configure: only accept messages from the iframe origin
+    this.channel.configure({
+      allowedOrigins: ['https://child-app.example.com'],
+      signingKey: key,
+    });
+
+    // 3. React to incoming messages
+    this.channel.messages$<{ type: string; payload: unknown }>().subscribe(({ data, origin }) => {
+      console.log('Verified message from', origin, data);
+    });
+
+    // 4. Or use the Signal for reactive UI
+    effect(() => {
+      const msg = this.channel.lastMessage()();
+      if (msg) console.log('Last message:', msg.data);
+    });
+  }
+
+  async sendToChild(iframe: HTMLIFrameElement) {
+    await this.channel.send(
+      iframe.contentWindow!,
+      { type: 'INIT', payload: { userId: 42 } },
+      'https://child-app.example.com', // targetOrigin — never '*'
+    );
+  }
+}
+```
+
+> **Key exchange**: `SecureMessageService` does not perform automatic key negotiation — transport the `CryptoKey` to the other context via a secure out-of-band channel (e.g., derive it from a shared secret using `WebCryptoService.generateHmacKey()` seeded by a passphrase). Once both sides share the key, all message integrity is handled automatically.
+
 ## 🔧 Advanced Configuration
 
 ### **Security Options**

package/fesm2022/angular-helpers-security.mjs

@@ -1,7 +1,8 @@
 import * as i0 from '@angular/core';
-import { inject, DestroyRef, Injectable, PLATFORM_ID, InjectionToken, signal, computed, makeEnvironmentProviders } from '@angular/core';
-import { isPlatformBrowser } from '@angular/common';
-import { Observable } from 'rxjs';
+import { inject, DestroyRef, Injectable, PLATFORM_ID, InjectionToken, signal, computed, NgZone, Injector, makeEnvironmentProviders } from '@angular/core';
+import { isPlatformBrowser, DOCUMENT } from '@angular/common';
+import { Observable, Subject, fromEvent, merge } from 'rxjs';
+import { throttleTime } from 'rxjs/operators';
 
 /**
  * Security service for regular expressions that prevents ReDoS
@@ -1349,6 +1350,20 @@ class SensitiveClipboardService {
             return 'read-denied';
         }
     }
+    /**
+     * Forcefully clears the clipboard unconditionally.
+     */
+    async clear() {
+        if (!this.isSupported())
+            return;
+        this.cancelPendingClear();
+        try {
+            await navigator.clipboard.writeText('');
+        }
+        catch {
+            // ignore
+        }
+    }
     static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: SensitiveClipboardService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
     static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: SensitiveClipboardService });
 }
@@ -1716,6 +1731,221 @@ function withCsrfHeader(options = {}) {
     };
 }
 
+const DEFAULT_EVENTS = ['mousemove', 'keydown', 'mousedown', 'touchstart', 'scroll'];
+class SessionIdleService {
+    ngZone = inject(NgZone);
+    document = inject(DOCUMENT);
+    injector = inject(Injector);
+    destroyRef = inject(DestroyRef);
+    _isIdle = signal(false, ...(ngDevMode ? [{ debugName: "_isIdle" }] : /* istanbul ignore next */ []));
+    _isWarning = signal(false, ...(ngDevMode ? [{ debugName: "_isWarning" }] : /* istanbul ignore next */ []));
+    _timeRemaining = signal(null, ...(ngDevMode ? [{ debugName: "_timeRemaining" }] : /* istanbul ignore next */ []));
+    _timeoutSubject = new Subject();
+    isIdle = this._isIdle.asReadonly();
+    isWarning = this._isWarning.asReadonly();
+    timeRemaining = this._timeRemaining.asReadonly();
+    onTimeout = this._timeoutSubject.asObservable();
+    config = null;
+    lastActivityTime = 0;
+    timerInterval = null;
+    eventSubscription;
+    constructor() {
+        this.destroyRef.onDestroy(() => this.stop());
+    }
+    start(config) {
+        this.stop();
+        this.config = config;
+        this._isIdle.set(false);
+        this._isWarning.set(false);
+        this._timeRemaining.set(config.timeoutMs);
+        this.lastActivityTime = Date.now();
+        const eventsToTrack = config.events || DEFAULT_EVENTS;
+        this.ngZone.runOutsideAngular(() => {
+            const observables = eventsToTrack.map((ev) => fromEvent(this.document, ev));
+            this.eventSubscription = merge(...observables)
+                .pipe(throttleTime(500))
+                .subscribe(() => {
+                this.lastActivityTime = Date.now();
+            });
+            this.timerInterval = setInterval(() => this.checkIdle(), 1000);
+        });
+    }
+    stop() {
+        if (this.timerInterval) {
+            clearInterval(this.timerInterval);
+            this.timerInterval = null;
+        }
+        if (this.eventSubscription) {
+            this.eventSubscription.unsubscribe();
+            this.eventSubscription = undefined;
+        }
+        this.config = null;
+        this._timeRemaining.set(null);
+        this._isIdle.set(false);
+        this._isWarning.set(false);
+    }
+    reset() {
+        if (!this.config)
+            return;
+        this.lastActivityTime = Date.now();
+        this._timeRemaining.set(this.config.timeoutMs);
+        this._isIdle.set(false);
+        this._isWarning.set(false);
+    }
+    checkIdle() {
+        if (!this.config || this._isIdle())
+            return;
+        const elapsed = Date.now() - this.lastActivityTime;
+        const remaining = Math.max(0, this.config.timeoutMs - elapsed);
+        if (remaining === 0) {
+            this.triggerTimeout();
+        }
+        else {
+            const warningThreshold = this.config.warningThresholdMs || 0;
+            const shouldBeWarning = remaining <= warningThreshold;
+            this.ngZone.run(() => {
+                this._timeRemaining.set(remaining);
+                if (this._isWarning() !== shouldBeWarning) {
+                    this._isWarning.set(shouldBeWarning);
+                }
+            });
+        }
+    }
+    triggerTimeout() {
+        const config = this.config;
+        this.stop();
+        // Restore config temporarily to check for autoClear flags
+        this.config = config;
+        this.ngZone.run(() => {
+            this._timeRemaining.set(0);
+            this._isIdle.set(true);
+            this._timeoutSubject.next();
+            if (this.config?.autoClearStorage) {
+                const storage = this.injector.get(SecureStorageService, null);
+                if (storage)
+                    storage.clear();
+            }
+            if (this.config?.autoClearClipboard) {
+                const clipboard = this.injector.get(SensitiveClipboardService, null);
+                if (clipboard)
+                    clipboard.clear();
+            }
+            this.config = null;
+        });
+    }
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: SessionIdleService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
+    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: SessionIdleService, providedIn: 'root' });
+}
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: SessionIdleService, decorators: [{
+            type: Injectable,
+            args: [{
+                    providedIn: 'root',
+                }]
+        }], ctorParameters: () => [] });
+
+const REPLAY_WINDOW_MS = 30_000;
+class SecureMessageService {
+    ngZone = inject(NgZone);
+    platformId = inject(PLATFORM_ID);
+    document = inject(DOCUMENT);
+    crypto = inject(WebCryptoService);
+    config = null;
+    _lastMessage = signal(null, ...(ngDevMode ? [{ debugName: "_lastMessage" }] : /* istanbul ignore next */ []));
+    _messages$ = new Subject();
+    messageHandler = null;
+    get targetWindow() {
+        return this.document.defaultView;
+    }
+    /** Returns a new HMAC-SHA-256 CryptoKey ready to use in `configure()`. */
+    generateChannelKey() {
+        return this.crypto.generateHmacKey('HMAC-SHA-256');
+    }
+    /**
+     * Configures the service with a signing key and allowed origins.
+     * Starts listening for incoming messages.
+     */
+    configure(config) {
+        this.destroy();
+        this.config = config;
+        if (!isPlatformBrowser(this.platformId))
+            return;
+        this.ngZone.runOutsideAngular(() => {
+            this.messageHandler = (event) => this.handleMessage(event);
+            this.targetWindow.addEventListener('message', this.messageHandler);
+        });
+    }
+    /**
+     * Signs and sends a payload to a target window.
+     * @throws if `targetOrigin` is `'*'`
+     */
+    async send(target, payload, targetOrigin) {
+        if (targetOrigin === '*') {
+            throw new Error('SecureMessageService: targetOrigin must be an explicit origin, not "*".');
+        }
+        if (!this.config) {
+            throw new Error('SecureMessageService: call configure() before send().');
+        }
+        const timestamp = Date.now();
+        const nonce = this.targetWindow.crypto.randomUUID();
+        const body = { payload, timestamp, nonce };
+        const signature = await this.crypto.sign(this.config.signingKey, JSON.stringify(body));
+        const envelope = { __signed: true, ...body, signature };
+        target.postMessage(envelope, targetOrigin);
+    }
+    /** Observable of verified incoming messages. */
+    messages$() {
+        return this._messages$.asObservable();
+    }
+    /** Signal with the last verified incoming message (null before first message). */
+    lastMessage() {
+        return this._lastMessage;
+    }
+    /** Removes the window listener and completes the internal Subject. */
+    destroy() {
+        if (this.messageHandler && isPlatformBrowser(this.platformId)) {
+            this.targetWindow.removeEventListener('message', this.messageHandler);
+            this.messageHandler = null;
+        }
+        this.config = null;
+    }
+    async handleMessage(event) {
+        if (!this.config)
+            return;
+        // 1. Origin whitelist
+        if (!this.config.allowedOrigins.includes(event.origin))
+            return;
+        // 2. Envelope shape
+        const env = event.data;
+        if (env?.__signed !== true)
+            return;
+        const { payload, timestamp, nonce, signature } = env;
+        if (!payload || !timestamp || !nonce || !signature)
+            return;
+        // 3. Replay window
+        if (Date.now() - timestamp > REPLAY_WINDOW_MS)
+            return;
+        // 4. Signature verification
+        const body = { payload, timestamp, nonce };
+        const valid = await this.crypto.verify(this.config.signingKey, JSON.stringify(body), signature);
+        if (!valid)
+            return;
+        // 5. Emit inside NgZone so signals trigger CD
+        this.ngZone.run(() => {
+            const message = { data: payload, origin: event.origin, timestamp };
+            this._lastMessage.set(message);
+            this._messages$.next(message);
+        });
+    }
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: SecureMessageService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
+    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: SecureMessageService, providedIn: 'root' });
+}
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: SecureMessageService, decorators: [{
+            type: Injectable,
+            args: [{
+                    providedIn: 'root',
+                }]
+        }] });
+
 const defaultSecurityConfig = {
     enableRegexSecurity: true,
     enableWebCrypto: true,
@@ -1727,6 +1957,8 @@ const defaultSecurityConfig = {
     enableHibp: false,
     enableRateLimiter: false,
     enableCsrf: false,
+    enableSessionIdle: false,
+    enableSecureMessage: false,
     defaultTimeout: 5000,
     safeMode: false,
 };
@@ -1755,6 +1987,10 @@ function provideSecurity(config = {}) {
     if (mergedConfig.enableCsrf) {
         providers.push(WebCryptoService, CsrfService);
     }
+    if (mergedConfig.enableSessionIdle)
+        providers.push(SessionIdleService);
+    if (mergedConfig.enableSecureMessage)
+        providers.push(SecureMessageService);
     return makeEnvironmentProviders(providers);
 }
 function provideRegexSecurity() {
@@ -1804,9 +2040,15 @@ function provideCsrf(config) {
         ...(config ? [{ provide: CSRF_CONFIG, useValue: config }] : []),
     ]);
 }
+function provideSessionIdle() {
+    return makeEnvironmentProviders([SessionIdleService]);
+}
+function provideSecureMessage() {
+    return makeEnvironmentProviders([WebCryptoService, SecureMessageService]);
+}
 
 /**
  * Generated bundle index. Do not edit.
  */
 
-export { CSRF_CONFIG, ClipboardUnsupportedError, CsrfService, DEFAULT_ALLOWED_ATTRIBUTES, DEFAULT_ALLOWED_TAGS, HIBP_CONFIG, HibpService, InputSanitizerService, InvalidJwtError, JwtService, PasswordStrengthService, RATE_LIMITER_CONFIG, RateLimitExceededError, RateLimiterService, RegexSecurityBuilder, RegexSecurityService, SANITIZER_CONFIG, SECURE_STORAGE_CONFIG, SecureStorageService, SensitiveClipboardService, WebCryptoService, assessPasswordStrength, containsScriptInjection, containsSqlInjectionHints, defaultSecurityConfig, isHtmlSafe, isUrlSafe, provideCsrf, provideHibp, provideInputSanitizer, provideJwt, providePasswordStrength, provideRateLimiter, provideRegexSecurity, provideSecureStorage, provideSecurity, provideSensitiveClipboard, provideWebCrypto, sanitizeHtmlString, sanitizeUrlString, withCsrfHeader };
+export { CSRF_CONFIG, ClipboardUnsupportedError, CsrfService, DEFAULT_ALLOWED_ATTRIBUTES, DEFAULT_ALLOWED_TAGS, HIBP_CONFIG, HibpService, InputSanitizerService, InvalidJwtError, JwtService, PasswordStrengthService, RATE_LIMITER_CONFIG, RateLimitExceededError, RateLimiterService, RegexSecurityBuilder, RegexSecurityService, SANITIZER_CONFIG, SECURE_STORAGE_CONFIG, SecureMessageService, SecureStorageService, SensitiveClipboardService, SessionIdleService, WebCryptoService, assessPasswordStrength, containsScriptInjection, containsSqlInjectionHints, defaultSecurityConfig, isHtmlSafe, isUrlSafe, provideCsrf, provideHibp, provideInputSanitizer, provideJwt, providePasswordStrength, provideRateLimiter, provideRegexSecurity, provideSecureMessage, provideSecureStorage, provideSecurity, provideSensitiveClipboard, provideSessionIdle, provideWebCrypto, sanitizeHtmlString, sanitizeUrlString, withCsrfHeader };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@angular-helpers/security",
-  "version": "21.3.0",
+  "version": "21.4.1",
   "description": "Angular security helpers for preventing ReDoS and other security vulnerabilities",
   "keywords": [
     "angular",
@@ -16,7 +16,12 @@
     "xss",
     "sanitization",
     "password-strength",
-    "secure-storage"
+    "secure-storage",
+    "session-idle",
+    "inactivity",
+    "postmessage",
+    "iframe",
+    "secure-channel"
   ],
   "author": "Angular Helpers Team",
   "license": "MIT",
@@ -64,5 +69,6 @@
       "default": "./fesm2022/angular-helpers-security-signal-forms.mjs"
     }
   },
-  "sideEffects": false
+  "sideEffects": false,
+  "type": "module"
 }

package/types/angular-helpers-security.d.ts

@@ -537,6 +537,10 @@ declare class SensitiveClipboardService {
      */
     cancelPendingClear(): void;
     private safeClear;
+    /**
+     * Forcefully clears the clipboard unconditionally.
+     */
+    clear(): Promise<void>;
     static ɵfac: i0.ɵɵFactoryDeclaration<SensitiveClipboardService, never>;
     static ɵprov: i0.ɵɵInjectableDeclaration<SensitiveClipboardService>;
 }
@@ -745,6 +749,82 @@ interface CsrfHeaderOptions {
  */
 declare function withCsrfHeader(options?: CsrfHeaderOptions): HttpInterceptorFn;
 
+interface SessionIdleConfig {
+    timeoutMs: number;
+    warningThresholdMs?: number;
+    autoClearStorage?: boolean;
+    autoClearClipboard?: boolean;
+    events?: string[];
+}
+declare class SessionIdleService {
+    private ngZone;
+    private document;
+    private injector;
+    private destroyRef;
+    private _isIdle;
+    private _isWarning;
+    private _timeRemaining;
+    private _timeoutSubject;
+    readonly isIdle: Signal<boolean>;
+    readonly isWarning: Signal<boolean>;
+    readonly timeRemaining: Signal<number | null>;
+    readonly onTimeout: Observable<void>;
+    private config;
+    private lastActivityTime;
+    private timerInterval;
+    private eventSubscription?;
+    constructor();
+    start(config: SessionIdleConfig): void;
+    stop(): void;
+    reset(): void;
+    private checkIdle;
+    private triggerTimeout;
+    static ɵfac: i0.ɵɵFactoryDeclaration<SessionIdleService, never>;
+    static ɵprov: i0.ɵɵInjectableDeclaration<SessionIdleService>;
+}
+
+interface SecureMessageConfig {
+    allowedOrigins: string[];
+    signingKey: CryptoKey;
+}
+interface SecureMessage<T = unknown> {
+    data: T;
+    origin: string;
+    timestamp: number;
+}
+declare class SecureMessageService {
+    private readonly ngZone;
+    private readonly platformId;
+    private readonly document;
+    private readonly crypto;
+    private config;
+    private _lastMessage;
+    private _messages$;
+    private messageHandler;
+    private get targetWindow();
+    /** Returns a new HMAC-SHA-256 CryptoKey ready to use in `configure()`. */
+    generateChannelKey(): Promise<CryptoKey>;
+    /**
+     * Configures the service with a signing key and allowed origins.
+     * Starts listening for incoming messages.
+     */
+    configure(config: SecureMessageConfig): void;
+    /**
+     * Signs and sends a payload to a target window.
+     * @throws if `targetOrigin` is `'*'`
+     */
+    send<T>(target: Window, payload: T, targetOrigin: string): Promise<void>;
+    /** Observable of verified incoming messages. */
+    messages$<T = unknown>(): Observable<SecureMessage<T>>;
+    /** Signal with the last verified incoming message (null before first message). */
+    lastMessage<T = unknown>(): Signal<SecureMessage<T> | null>;
+    /** Removes the window listener and completes the internal Subject. */
+    destroy(): void;
+    private handleMessage;
+    static ɵfac: i0.ɵɵFactoryDeclaration<SecureMessageService, never>;
+    static ɵprov: i0.ɵɵInjectableDeclaration<SecureMessageService>;
+}
+
 interface SecurityConfig {
     enableRegexSecurity?: boolean;
     enableWebCrypto?: boolean;
@@ -756,6 +836,8 @@ interface SecurityConfig {
     enableHibp?: boolean;
     enableRateLimiter?: boolean;
     enableCsrf?: boolean;
+    enableSessionIdle?: boolean;
+    enableSecureMessage?: boolean;
     defaultTimeout?: number;
     safeMode?: boolean;
 }
@@ -771,6 +853,8 @@ declare function provideSensitiveClipboard(): EnvironmentProviders;
 declare function provideHibp(config?: HibpConfig): EnvironmentProviders;
 declare function provideRateLimiter(config?: RateLimiterConfig): EnvironmentProviders;
 declare function provideCsrf(config?: CsrfConfig): EnvironmentProviders;
+declare function provideSessionIdle(): EnvironmentProviders;
+declare function provideSecureMessage(): EnvironmentProviders;
 
-export { CSRF_CONFIG, ClipboardUnsupportedError, CsrfService, DEFAULT_ALLOWED_ATTRIBUTES, DEFAULT_ALLOWED_TAGS, HIBP_CONFIG, HibpService, InputSanitizerService, InvalidJwtError, JwtService, PasswordStrengthService, RATE_LIMITER_CONFIG, RateLimitExceededError, RateLimiterService, RegexSecurityBuilder, RegexSecurityService, SANITIZER_CONFIG, SECURE_STORAGE_CONFIG, SecureStorageService, SensitiveClipboardService, WebCryptoService, assessPasswordStrength, containsScriptInjection, containsSqlInjectionHints, defaultSecurityConfig, isHtmlSafe, isUrlSafe, provideCsrf, provideHibp, provideInputSanitizer, provideJwt, providePasswordStrength, provideRateLimiter, provideRegexSecurity, provideSecureStorage, provideSecurity, provideSensitiveClipboard, provideWebCrypto, sanitizeHtmlString, sanitizeUrlString, withCsrfHeader };
-export type { AesEncryptResult, AesKeyLength, CopyStatus, CsrfConfig, CsrfHeaderOptions, CsrfStorageTarget, HashAlgorithm, HibpConfig, HibpResult, HmacAlgorithm, HtmlSanitizerOptions, HttpMethod, JwtStandardClaims, PasswordAssessment, PasswordLabel, PasswordScore, PasswordStrengthResult, RateLimitPolicy, RateLimiterConfig, RegexBuilderOptions, RegexSecurityConfig, RegexSecurityResult, RegexTestResult, SanitizerConfig, SecureStorageConfig, SecurityConfig, SensitiveCopyOptions, StorageTarget };
+export { CSRF_CONFIG, ClipboardUnsupportedError, CsrfService, DEFAULT_ALLOWED_ATTRIBUTES, DEFAULT_ALLOWED_TAGS, HIBP_CONFIG, HibpService, InputSanitizerService, InvalidJwtError, JwtService, PasswordStrengthService, RATE_LIMITER_CONFIG, RateLimitExceededError, RateLimiterService, RegexSecurityBuilder, RegexSecurityService, SANITIZER_CONFIG, SECURE_STORAGE_CONFIG, SecureMessageService, SecureStorageService, SensitiveClipboardService, SessionIdleService, WebCryptoService, assessPasswordStrength, containsScriptInjection, containsSqlInjectionHints, defaultSecurityConfig, isHtmlSafe, isUrlSafe, provideCsrf, provideHibp, provideInputSanitizer, provideJwt, providePasswordStrength, provideRateLimiter, provideRegexSecurity, provideSecureMessage, provideSecureStorage, provideSecurity, provideSensitiveClipboard, provideSessionIdle, provideWebCrypto, sanitizeHtmlString, sanitizeUrlString, withCsrfHeader };
+export type { AesEncryptResult, AesKeyLength, CopyStatus, CsrfConfig, CsrfHeaderOptions, CsrfStorageTarget, HashAlgorithm, HibpConfig, HibpResult, HmacAlgorithm, HtmlSanitizerOptions, HttpMethod, JwtStandardClaims, PasswordAssessment, PasswordLabel, PasswordScore, PasswordStrengthResult, RateLimitPolicy, RateLimiterConfig, RegexBuilderOptions, RegexSecurityConfig, RegexSecurityResult, RegexTestResult, SanitizerConfig, SecureMessage, SecureMessageConfig, SecureStorageConfig, SecurityConfig, SensitiveCopyOptions, SessionIdleConfig, StorageTarget };