@arcis/node 1.1.0 → 1.3.0

package/dist/index.mjs

@@ -1,5 +1,5 @@
 import { promises } from 'dns';
-import { createHash } from 'crypto';
+import { randomBytes, createHash } from 'crypto';
 
 // src/core/constants.ts
 var INPUT = {
@@ -115,7 +115,11 @@ var SQL_PATTERNS = [
   /** Time-based blind: SLEEP() */
   /\bSLEEP\s*\(\s*\d+\s*\)/gi,
   /** Time-based blind: BENCHMARK() */
-  /\bBENCHMARK\s*\(/gi
+  /\bBENCHMARK\s*\(/gi,
+  /** Time-based blind: PostgreSQL pg_sleep() */
+  /\bpg_sleep\s*\(/gi,
+  /** Time-based blind: MSSQL WAITFOR DELAY */
+  /\bWAITFOR\s+DELAY\b/gi
 ];
 var PATH_PATTERNS = [
   /** Unix path traversal */
@@ -133,6 +137,10 @@ var PATH_PATTERNS = [
   /\.%2e[\\/]/gi,
   /** Fully URL-encoded: %2e%2e%2f */
   /%2e%2e%2f/gi,
+  /** Double URL-encoded forward slash: %252f */
+  /%252f/gi,
+  /** Dotdotslash bypass: ....// or ....\\ */
+  /\.{2,}[/\\]{2,}/g,
   /** Null byte injection in paths */
   /\0/g
 ];
@@ -148,7 +156,9 @@ var COMMAND_PATTERNS = [
    */
   /[;&|`]/g,
   /** Command substitution: $( ... ) — matched as a pair to reduce false positives */
-  /\$\(/g
+  /\$\(/g,
+  /** URL-encoded newline/carriage-return injection (%0a, %0d) */
+  /%0[ad]/gi
 ];
 var DANGEROUS_PROTO_KEYS = /* @__PURE__ */ new Set([
   "__proto__",
@@ -182,6 +192,7 @@ var NOSQL_DANGEROUS_KEYS = /* @__PURE__ */ new Set([
   "$expr",
   "$mod",
   "$text",
+  "$jsonSchema",
   // Array
   "$elemMatch",
   "$all",
@@ -292,7 +303,12 @@ function createHeaders(options = {}) {
     hsts = true,
     referrerPolicy = HEADERS.REFERRER_POLICY,
     permissionsPolicy = HEADERS.PERMISSIONS_POLICY,
-    cacheControl = true
+    cacheControl = true,
+    crossOriginOpenerPolicy = "same-origin",
+    crossOriginResourcePolicy = "same-origin",
+    crossOriginEmbedderPolicy = "require-corp",
+    originAgentCluster = true,
+    dnsPrefetchControl = true
   } = options;
   return (req, res, next) => {
     if (contentSecurityPolicy) {
@@ -300,7 +316,7 @@ function createHeaders(options = {}) {
       res.setHeader("Content-Security-Policy", csp);
     }
     if (xssFilter) {
-      res.setHeader("X-XSS-Protection", "1; mode=block");
+      res.setHeader("X-XSS-Protection", "0");
     }
     if (noSniff) {
       res.setHeader("X-Content-Type-Options", HEADERS.CONTENT_TYPE_OPTIONS);
@@ -327,6 +343,21 @@ function createHeaders(options = {}) {
     if (permissionsPolicy) {
       res.setHeader("Permissions-Policy", permissionsPolicy);
     }
+    if (crossOriginOpenerPolicy) {
+      res.setHeader("Cross-Origin-Opener-Policy", crossOriginOpenerPolicy);
+    }
+    if (crossOriginResourcePolicy) {
+      res.setHeader("Cross-Origin-Resource-Policy", crossOriginResourcePolicy);
+    }
+    if (crossOriginEmbedderPolicy) {
+      res.setHeader("Cross-Origin-Embedder-Policy", crossOriginEmbedderPolicy);
+    }
+    if (originAgentCluster) {
+      res.setHeader("Origin-Agent-Cluster", "?1");
+    }
+    if (dnsPrefetchControl) {
+      res.setHeader("X-DNS-Prefetch-Control", "off");
+    }
     res.setHeader("X-Permitted-Cross-Domain-Policies", "none");
     if (cacheControl) {
       const cacheControlValue = typeof cacheControl === "string" ? cacheControl : HEADERS.CACHE_CONTROL;
@@ -782,7 +813,8 @@ function sanitizeObject(obj, options = {}) {
   if (typeof obj === "string") return sanitizeString(obj, options);
   if (typeof obj !== "object") return obj;
   if (Array.isArray(obj)) return obj.map((item) => sanitizeObject(item, options));
-  return sanitizeObjectDepth(obj, options, 0);
+  const result = sanitizeObjectDepth(obj, options, 0);
+  return options.freeze ? Object.freeze(result) : result;
 }
 function sanitizeObjectDepth(obj, options, depth) {
   if (depth >= INPUT.MAX_RECURSION_DEPTH) return obj;
@@ -879,6 +911,179 @@ function detectPrototypePollution(obj, maxDepth = 10) {
   return false;
 }
 
+// src/sanitizers/ssti.ts
+var SSTI_DETECT_PATTERNS = [
+  /** Jinja2 / Twig / Nunjucks: {{ ... }} */
+  /\{\{.*?\}\}/g,
+  /** Freemarker / Thymeleaf / Spring EL: ${ ... } */
+  /\$\{.*?\}/g,
+  /** ERB / EJS: <%= ... %> or <% ... %> */
+  /<%[=\-]?.*?%>/gs,
+  /** Pug / Jade / Slim: #{ ... } */
+  /#\{.*?\}/g,
+  /** Python dunder sandbox escape */
+  /__(?:class|mro|subclasses|globals|builtins|import)__/gi,
+  /** Jinja2 config leak: {{config.X}} or {{config['X']}} */
+  /\{\{\s*config[.\[]/gi,
+  /** Jinja2 built-in objects */
+  /\{\{\s*(?:self|request|lipsum|cycler|joiner|namespace|range)\b/gi
+];
+var SSTI_REMOVE_PATTERNS = [
+  /\{\{.*?\}\}/g,
+  /\$\{.*?\}/g,
+  /<%[=\-]?.*?%>/gs,
+  /#\{.*?\}/g,
+  /__(?:class|mro|subclasses|globals|builtins|import)__/gi
+];
+function sanitizeSsti(input, collectThreats = false) {
+  if (typeof input !== "string") {
+    return collectThreats ? { value: String(input), wasSanitized: false, threats: [] } : String(input);
+  }
+  const threats = [];
+  let value = input;
+  let wasSanitized = false;
+  for (const pattern of SSTI_REMOVE_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(value)) {
+      pattern.lastIndex = 0;
+      if (collectThreats) {
+        const matches = value.match(pattern);
+        if (matches) {
+          for (const match of matches) {
+            threats.push({
+              type: "ssti",
+              pattern: pattern.source,
+              original: match
+            });
+          }
+        }
+      }
+      value = value.replace(pattern, "");
+      wasSanitized = true;
+    }
+  }
+  if (collectThreats) {
+    return { value, wasSanitized, threats };
+  }
+  return value;
+}
+function detectSsti(input) {
+  if (typeof input !== "string") return false;
+  for (const pattern of SSTI_DETECT_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(input)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+// src/sanitizers/xxe.ts
+var XXE_DETECT_PATTERNS = [
+  /** DOCTYPE declaration */
+  /<!DOCTYPE\b/gi,
+  /** ENTITY declaration */
+  /<!ENTITY\b/gi,
+  /** SYSTEM keyword with URI */
+  /\bSYSTEM\s+["']/gi,
+  /** PUBLIC keyword with URI */
+  /\bPUBLIC\s+["']/gi,
+  /** Parameter entity reference (%entity;) */
+  /%\s*\w+\s*;/g,
+  /** CDATA section (often used to smuggle payloads) */
+  /<!\[CDATA\[/gi
+];
+var XXE_REMOVE_PATTERNS = [
+  /** Full DOCTYPE block with optional internal subset: <!DOCTYPE ... [...]> */
+  /<!DOCTYPE\s[^[>]*(?:\[[^\]]*\]\s*)?>|<!DOCTYPE\s[^>]*>/gi,
+  /** Full ENTITY declaration: <!ENTITY ... > */
+  /<!ENTITY[^>]*>/gi,
+  /** CDATA sections: <![CDATA[ ... ]]> */
+  /<!\[CDATA\[[\s\S]*?\]\]>/gi
+];
+function sanitizeXxe(input, collectThreats = false) {
+  if (typeof input !== "string") {
+    return collectThreats ? { value: String(input), wasSanitized: false, threats: [] } : String(input);
+  }
+  const threats = [];
+  let value = input;
+  let wasSanitized = false;
+  for (const pattern of XXE_REMOVE_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(value)) {
+      pattern.lastIndex = 0;
+      if (collectThreats) {
+        const matches = value.match(pattern);
+        if (matches) {
+          for (const match of matches) {
+            threats.push({
+              type: "xxe",
+              pattern: pattern.source,
+              original: match
+            });
+          }
+        }
+      }
+      value = value.replace(pattern, "");
+      wasSanitized = true;
+    }
+  }
+  if (collectThreats) {
+    return { value, wasSanitized, threats };
+  }
+  return value;
+}
+function detectXxe(input) {
+  if (typeof input !== "string") return false;
+  for (const pattern of XXE_DETECT_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(input)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+// src/sanitizers/jsonp.ts
+var SAFE_CALLBACK_PATTERN = /^[a-zA-Z_$][a-zA-Z0-9_$.[\]]*$/;
+var DANGEROUS_CALLBACK_PATTERNS = [
+  /\.\./,
+  // prototype chain traversal
+  /\[\s*\]/
+  // empty bracket access
+];
+function sanitizeJsonpCallback(callback, maxLength = 128) {
+  if (typeof callback !== "string" || callback.length === 0) {
+    return null;
+  }
+  if (callback.length > maxLength) {
+    return null;
+  }
+  if (!SAFE_CALLBACK_PATTERN.test(callback)) {
+    return null;
+  }
+  for (const pattern of DANGEROUS_CALLBACK_PATTERNS) {
+    if (pattern.test(callback)) {
+      return null;
+    }
+  }
+  return callback;
+}
+function detectJsonpInjection(callback) {
+  if (typeof callback !== "string" || callback.length === 0) {
+    return false;
+  }
+  if (!SAFE_CALLBACK_PATTERN.test(callback)) {
+    return true;
+  }
+  for (const pattern of DANGEROUS_CALLBACK_PATTERNS) {
+    if (pattern.test(callback)) {
+      return true;
+    }
+  }
+  return false;
+}
+
 // src/sanitizers/headers.ts
 var HEADER_INJECTION_PATTERN = /\r\n|\r|\n|\0/g;
 function sanitizeHeaderValue(input, collectThreats = false) {
@@ -928,6 +1133,205 @@ function detectHeaderInjection(input) {
   return HEADER_INJECTION_PATTERN.test(input);
 }
 
+// src/sanitizers/pii.ts
+var EMAIL_RE = /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z]{2,})+/g;
+var PHONE_RE = /(?:\+?1[-.\s]?)?\(?[2-9]\d{2}\)?[-.\s]?\d{3}[-.\s]?\d{4}/g;
+var CREDIT_CARD_RE = /\b(?:\d[ -]*?){13,19}\b/g;
+var SSN_RE = /\b\d{3}[-\s]\d{2}[-\s]\d{4}\b/g;
+var IPV4_RE = /\b(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\b/g;
+var IPV6_RE = /\b(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}\b|\b(?:[0-9a-fA-F]{1,4}:){1,7}:|::(?:[0-9a-fA-F]{1,4}:){0,5}[0-9a-fA-F]{1,4}\b/g;
+var PATTERN_MAP = {
+  email: [EMAIL_RE],
+  phone: [PHONE_RE],
+  credit_card: [CREDIT_CARD_RE],
+  ssn: [SSN_RE],
+  ip_address: [IPV4_RE, IPV6_RE]
+};
+var ALL_TYPES = ["email", "phone", "credit_card", "ssn", "ip_address"];
+var TYPE_LABELS = {
+  email: "[EMAIL]",
+  phone: "[PHONE]",
+  credit_card: "[CREDIT_CARD]",
+  ssn: "[SSN]",
+  ip_address: "[IP_ADDRESS]"
+};
+function luhnCheck(value) {
+  const digits = value.replace(/[\s-]/g, "");
+  if (!/^\d{13,19}$/.test(digits)) return false;
+  let sum = 0;
+  let alternate = false;
+  for (let i = digits.length - 1; i >= 0; i--) {
+    let n = parseInt(digits[i], 10);
+    if (alternate) {
+      n *= 2;
+      if (n > 9) n -= 9;
+    }
+    sum += n;
+    alternate = !alternate;
+  }
+  return sum % 10 === 0;
+}
+function scanPii(input, options = {}) {
+  if (!input || typeof input !== "string") return [];
+  const types = options.types ?? ALL_TYPES;
+  const matches = [];
+  for (const type of types) {
+    const patterns = PATTERN_MAP[type];
+    if (!patterns) continue;
+    for (const pattern of patterns) {
+      const re = new RegExp(pattern.source, pattern.flags);
+      let match;
+      while ((match = re.exec(input)) !== null) {
+        const value = match[0];
+        if (type === "credit_card" && !luhnCheck(value)) continue;
+        if (type === "ssn") {
+          const area = parseInt(value.substring(0, 3), 10);
+          if (area === 0 || area === 666 || area >= 900) continue;
+        }
+        matches.push({
+          type,
+          value,
+          start: match.index,
+          end: match.index + value.length
+        });
+      }
+    }
+  }
+  matches.sort((a, b) => a.start - b.start);
+  return matches;
+}
+function detectPii(input, options = {}) {
+  return scanPii(input, options).length > 0;
+}
+function redactPii(input, options = {}) {
+  if (!input || typeof input !== "string") return input;
+  const matches = scanPii(input, options);
+  if (matches.length === 0) return input;
+  const replacement = options.replacement ?? "[REDACTED]";
+  let result = input;
+  for (let i = matches.length - 1; i >= 0; i--) {
+    const m = matches[i];
+    const label = options.typeLabels ? TYPE_LABELS[m.type] : replacement;
+    result = result.substring(0, m.start) + label + result.substring(m.end);
+  }
+  return result;
+}
+function scanObjectPii(obj, options = {}, path = "") {
+  const results = [];
+  if (!obj || typeof obj !== "object") return results;
+  for (const [key, value] of Object.entries(obj)) {
+    const fieldPath = path ? `${path}.${key}` : key;
+    if (typeof value === "string") {
+      const matches = scanPii(value, options);
+      for (const m of matches) {
+        results.push({ ...m, field: fieldPath });
+      }
+    } else if (value && typeof value === "object" && !Array.isArray(value)) {
+      results.push(...scanObjectPii(value, options, fieldPath));
+    } else if (Array.isArray(value)) {
+      for (let i = 0; i < value.length; i++) {
+        const item = value[i];
+        if (typeof item === "string") {
+          const matches = scanPii(item, options);
+          for (const m of matches) {
+            results.push({ ...m, field: `${fieldPath}[${i}]` });
+          }
+        } else if (item && typeof item === "object") {
+          results.push(...scanObjectPii(item, options, `${fieldPath}[${i}]`));
+        }
+      }
+    }
+  }
+  return results;
+}
+function redactObjectPii(obj, options = {}) {
+  if (!obj || typeof obj !== "object") return obj;
+  const result = {};
+  for (const [key, value] of Object.entries(obj)) {
+    if (typeof value === "string") {
+      result[key] = redactPii(value, options);
+    } else if (Array.isArray(value)) {
+      result[key] = value.map((item) => {
+        if (typeof item === "string") return redactPii(item, options);
+        if (item && typeof item === "object") return redactObjectPii(item, options);
+        return item;
+      });
+    } else if (value && typeof value === "object") {
+      result[key] = redactObjectPii(value, options);
+    } else {
+      result[key] = value;
+    }
+  }
+  return result;
+}
+
+// src/sanitizers/encode.ts
+var HTML_ENTITIES = {
+  "&": "&amp;",
+  "<": "&lt;",
+  ">": "&gt;",
+  '"': "&quot;",
+  "'": "&#x27;"
+};
+var HTML_ENCODE_RE = /[&<>"']/g;
+function encodeForHtml(value) {
+  if (!value) return "";
+  return value.replace(HTML_ENCODE_RE, (ch) => HTML_ENTITIES[ch]);
+}
+function encodeForAttribute(value) {
+  if (!value) return "";
+  let result = "";
+  for (let i = 0; i < value.length; i++) {
+    const ch = value.charCodeAt(i);
+    if (ch >= 48 && ch <= 57 || // 0-9
+    ch >= 65 && ch <= 90 || // A-Z
+    ch >= 97 && ch <= 122) {
+      result += value[i];
+    } else {
+      result += `&#x${ch.toString(16).toUpperCase()};`;
+    }
+  }
+  return result;
+}
+function encodeForJs(value) {
+  if (!value) return "";
+  let result = "";
+  for (let i = 0; i < value.length; i++) {
+    const ch = value.charCodeAt(i);
+    if (ch >= 48 && ch <= 57 || // 0-9
+    ch >= 65 && ch <= 90 || // A-Z
+    ch >= 97 && ch <= 122) {
+      result += value[i];
+    } else if (ch < 256) {
+      result += `\\x${ch.toString(16).toUpperCase().padStart(2, "0")}`;
+    } else {
+      result += `\\u${ch.toString(16).toUpperCase().padStart(4, "0")}`;
+    }
+  }
+  return result;
+}
+function encodeForUrl(value) {
+  if (!value) return "";
+  return encodeURIComponent(value).replace(/[!'()*]/g, (ch) => {
+    return `%${ch.charCodeAt(0).toString(16).toUpperCase()}`;
+  });
+}
+function encodeForCss(value) {
+  if (!value) return "";
+  let result = "";
+  for (let i = 0; i < value.length; i++) {
+    const ch = value.charCodeAt(i);
+    if (ch >= 48 && ch <= 57 || // 0-9
+    ch >= 65 && ch <= 90 || // A-Z
+    ch >= 97 && ch <= 122) {
+      result += value[i];
+    } else {
+      result += `\\${ch.toString(16).toUpperCase()} `;
+    }
+  }
+  return result;
+}
+
 // src/validation/schema.ts
 function validate(schema, source = "body") {
   return (req, res, next) => {
@@ -1308,6 +1712,18 @@ function validateUrl(url, options = {}) {
       return { safe: false, reason: "loopback address" };
     }
   }
+  if (!allowLocalhost || !allowPrivate) {
+    const decimalCheck = checkDecimalIp(hostname, allowLocalhost, allowPrivate);
+    if (decimalCheck) {
+      return { safe: false, reason: decimalCheck };
+    }
+  }
+  if (!allowLocalhost || !allowPrivate) {
+    const octalCheck = checkOctalIp(hostname, allowLocalhost, allowPrivate);
+    if (octalCheck) {
+      return { safe: false, reason: octalCheck };
+    }
+  }
   if (!allowPrivate) {
     const privateCheck = checkPrivateIp(hostname);
     if (privateCheck) {
@@ -1339,13 +1755,93 @@ function checkPrivateIp(hostname) {
   if (/^0\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(hostname)) {
     return "current network address (0.0.0.0/8)";
   }
-  if (hostname === "metadata.google.internal" || hostname === "metadata.internal") {
+  if (hostname === "metadata.google.internal" || hostname === "metadata.internal" || hostname === "metadata.azure.internal") {
     return "cloud metadata endpoint";
   }
   const ipv6 = hostname.replace(/^\[|\]$/g, "");
   if (ipv6 === "::1" || ipv6 === "::" || ipv6.startsWith("fc") || ipv6.startsWith("fd") || ipv6.startsWith("fe80")) {
     return "private IPv6 address";
   }
+  const mappedDotted = ipv6.match(/^::ffff:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/i);
+  if (mappedDotted) {
+    const mappedIp = mappedDotted[1];
+    if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(mappedIp)) {
+      return "IPv6-mapped loopback address";
+    }
+    const mappedCheck = checkPrivateIp(mappedIp);
+    if (mappedCheck) {
+      return `IPv6-mapped ${mappedCheck}`;
+    }
+  }
+  const mappedHex = ipv6.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i);
+  if (mappedHex) {
+    const hi = parseInt(mappedHex[1], 16);
+    const lo = parseInt(mappedHex[2], 16);
+    const a = hi >> 8 & 255;
+    const b = hi & 255;
+    const c = lo >> 8 & 255;
+    const d = lo & 255;
+    const dotted = `${a}.${b}.${c}.${d}`;
+    if (a === 127) {
+      return "IPv6-mapped loopback address";
+    }
+    const hexCheck = checkPrivateIp(dotted);
+    if (hexCheck) {
+      return `IPv6-mapped ${hexCheck}`;
+    }
+  }
+  return null;
+}
+function checkDecimalIp(hostname, allowLocalhost, allowPrivate) {
+  if (!/^\d+$/.test(hostname)) return null;
+  const num = parseInt(hostname, 10);
+  if (isNaN(num) || num < 0 || num > 4294967295) return null;
+  const a = num >>> 24 & 255;
+  const b = num >>> 16 & 255;
+  const c = num >>> 8 & 255;
+  const d = num & 255;
+  const dotted = `${a}.${b}.${c}.${d}`;
+  if (!allowLocalhost && a === 127) {
+    return `loopback address (decimal IP: ${dotted})`;
+  }
+  if (!allowPrivate) {
+    const privateCheck = checkPrivateIp(dotted);
+    if (privateCheck) {
+      return `${privateCheck} (decimal IP: ${dotted})`;
+    }
+  }
+  return null;
+}
+function checkOctalIp(hostname, allowLocalhost, allowPrivate) {
+  const parts = hostname.split(".");
+  if (parts.length !== 4) return null;
+  const hasAlternateNotation = parts.some((p) => /^0[0-7]+$/.test(p) || /^0x[0-9a-fA-F]+$/i.test(p));
+  if (!hasAlternateNotation) return null;
+  const octets = [];
+  for (const part of parts) {
+    let val;
+    if (/^0x[0-9a-fA-F]+$/i.test(part)) {
+      val = parseInt(part, 16);
+    } else if (/^0[0-7]*$/.test(part)) {
+      val = parseInt(part, 8);
+    } else if (/^\d+$/.test(part)) {
+      val = parseInt(part, 10);
+    } else {
+      return null;
+    }
+    if (val < 0 || val > 255) return null;
+    octets.push(val);
+  }
+  const dotted = octets.join(".");
+  if (!allowLocalhost && octets[0] === 127) {
+    return `loopback address (octal IP: ${dotted})`;
+  }
+  if (!allowPrivate) {
+    const privateCheck = checkPrivateIp(dotted);
+    if (privateCheck) {
+      return `${privateCheck} (octal IP: ${dotted})`;
+    }
+  }
   return null;
 }
 
@@ -1661,12 +2157,21 @@ function isValidEmailSyntax(email) {
 }
 
 // src/logging/redactor.ts
+var LOG_LEVELS = {
+  debug: 0,
+  info: 1,
+  warn: 2,
+  error: 3,
+  silent: 4
+};
 function createSafeLogger(options = {}) {
   const {
     redactKeys = [],
     maxLength = REDACTION.DEFAULT_MAX_LENGTH,
-    redactPatterns = []
+    redactPatterns = [],
+    level: minLevel = "debug"
   } = options;
+  const minLevelNum = LOG_LEVELS[minLevel] ?? 0;
   const allRedactKeys = /* @__PURE__ */ new Set([
     ...Array.from(REDACTION.SENSITIVE_KEYS),
     ...redactKeys.map((k) => k.toLowerCase())
@@ -1692,6 +2197,8 @@ function createSafeLogger(options = {}) {
     return result;
   }
   function log(level, message, data) {
+    const levelNum = LOG_LEVELS[level] ?? 0;
+    if (levelNum < minLevelNum) return;
     const entry = {
       timestamp: (/* @__PURE__ */ new Date()).toISOString(),
       level,
@@ -2298,6 +2805,119 @@ function botProtection(options = {}) {
     next();
   };
 }
+var DEFAULTS = {
+  cookieName: "_csrf",
+  headerName: "x-csrf-token",
+  fieldName: "_csrf",
+  tokenLength: 32,
+  protectedMethods: ["POST", "PUT", "PATCH", "DELETE"]
+};
+function generateCsrfToken(length = 32) {
+  return randomBytes(length).toString("hex");
+}
+function validateCsrfToken(cookieToken, requestToken) {
+  if (!cookieToken || !requestToken) return false;
+  if (cookieToken.length !== requestToken.length) return false;
+  let result = 0;
+  for (let i = 0; i < cookieToken.length; i++) {
+    result |= cookieToken.charCodeAt(i) ^ requestToken.charCodeAt(i);
+  }
+  return result === 0;
+}
+function getRequestToken(req, headerName, fieldName) {
+  const headerToken = req.headers[headerName.toLowerCase()];
+  if (typeof headerToken === "string" && headerToken) return headerToken;
+  if (req.body && typeof req.body === "object" && fieldName in req.body) {
+    const bodyToken = req.body[fieldName];
+    if (typeof bodyToken === "string" && bodyToken) return bodyToken;
+  }
+  if (req.query && fieldName in req.query) {
+    const queryToken = req.query[fieldName];
+    if (typeof queryToken === "string" && queryToken) return queryToken;
+  }
+  return void 0;
+}
+function csrfProtection(options = {}) {
+  const cookieName = options.cookieName ?? DEFAULTS.cookieName;
+  const headerName = options.headerName ?? DEFAULTS.headerName;
+  const fieldName = options.fieldName ?? DEFAULTS.fieldName;
+  const tokenLength = options.tokenLength ?? DEFAULTS.tokenLength;
+  const protectedMethods = options.protectedMethods ?? [...DEFAULTS.protectedMethods];
+  const excludePaths = options.excludePaths ?? [];
+  const isProduction = process.env.NODE_ENV === "production";
+  const cookieOpts = {
+    path: options.cookie?.path ?? "/",
+    httpOnly: options.cookie?.httpOnly ?? false,
+    // Must be readable by client JS
+    secure: options.cookie?.secure ?? isProduction,
+    sameSite: options.cookie?.sameSite ?? "Lax",
+    domain: options.cookie?.domain
+  };
+  const defaultOnError = (_req, res, _next) => {
+    res.status(403).json({
+      error: "CSRF token validation failed",
+      message: "Invalid or missing CSRF token. Include the token from the cookie in the X-CSRF-Token header."
+    });
+  };
+  const onError = options.onError ?? defaultOnError;
+  const protectedSet = new Set(protectedMethods.map((m) => m.toUpperCase()));
+  return (req, res, next) => {
+    const method = req.method.toUpperCase();
+    const requestPath = req.path || req.url;
+    if (excludePaths.some((p) => requestPath === p || requestPath.startsWith(p + "/"))) {
+      return next();
+    }
+    req.csrfToken = () => {
+      const existing = getCookieValue(req, cookieName);
+      if (existing) return existing;
+      const token = generateCsrfToken(tokenLength);
+      setCsrfCookie(res, cookieName, token, cookieOpts);
+      return token;
+    };
+    if (!protectedSet.has(method)) {
+      const existing = getCookieValue(req, cookieName);
+      if (!existing) {
+        const token = generateCsrfToken(tokenLength);
+        setCsrfCookie(res, cookieName, token, cookieOpts);
+      }
+      return next();
+    }
+    const cookieToken = getCookieValue(req, cookieName);
+    if (!cookieToken) {
+      return onError(req, res, next);
+    }
+    const requestToken = getRequestToken(req, headerName, fieldName);
+    if (!requestToken) {
+      return onError(req, res, next);
+    }
+    if (!validateCsrfToken(cookieToken, requestToken)) {
+      return onError(req, res, next);
+    }
+    next();
+  };
+}
+function getCookieValue(req, name) {
+  if (req.cookies && typeof req.cookies === "object" && name in req.cookies) {
+    return req.cookies[name];
+  }
+  const cookieHeader = req.headers.cookie;
+  if (!cookieHeader) return void 0;
+  const match = cookieHeader.match(new RegExp(`(?:^|;\\s*)${escapeRegex(name)}=([^;]*)`));
+  return match ? decodeURIComponent(match[1]) : void 0;
+}
+function setCsrfCookie(res, name, token, opts) {
+  const parts = [`${name}=${token}`];
+  parts.push(`Path=${opts.path}`);
+  if (opts.httpOnly) parts.push("HttpOnly");
+  if (opts.secure) parts.push("Secure");
+  parts.push(`SameSite=${opts.sameSite}`);
+  if (opts.domain) parts.push(`Domain=${opts.domain}`);
+  res.setHeader("Set-Cookie", parts.join("; "));
+}
+function escapeRegex(str) {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+var createCsrf = csrfProtection;
 
 // src/utils/ip.ts
 var PLATFORM_HEADERS = {
@@ -2562,6 +3182,6 @@ function createRedisStore(options) {
   return new RedisStore(options);
 }
 
-export { ArcisError, ValidationError as ArcisValidationError, BLOCKED, ERRORS, HEADERS, INPUT, InputTooLargeError, MemoryStore, RATE_LIMIT, REDACTION, RateLimitError, RedisStore, SanitizationError, SecurityThreatError, VALIDATION, arcis, arcisWithMethods as arcisFunction, botProtection, createCors, createErrorHandler, createHeaders, createRateLimiter, createRedactor, createRedisStore, createSafeLogger, createSanitizer, createSecureCookies, createSlidingWindowLimiter, createTokenBucketLimiter, createValidator, main_default as default, detectBot, detectClientIp, detectCommandInjection, detectHeaderInjection, detectNoSqlInjection, detectPathTraversal, detectPrototypePollution, detectSql, detectXss, enforceSecureCookie, errorHandler, fingerprint, formatDuration, isDangerousExtension, isDangerousNoSqlKey, isDangerousProtoKey, isPrivateIp, isRedirectSafe, isUrlSafe, isValidEmailSyntax, parseDuration, rateLimit, safeCors, safeLog, sanitizeCommand, sanitizeFilename, sanitizeHeaderValue, sanitizeHeaders, sanitizeObject, sanitizePath, sanitizeSql, sanitizeString, sanitizeXss, secureCookieDefaults, securityHeaders, validate, validateEmail, validateFile, validateRedirect, validateUrl, verifyEmailMx };
+export { ArcisError, ValidationError as ArcisValidationError, BLOCKED, ERRORS, HEADERS, INPUT, InputTooLargeError, MemoryStore, RATE_LIMIT, REDACTION, RateLimitError, RedisStore, SanitizationError, SecurityThreatError, VALIDATION, arcis, arcisWithMethods as arcisFunction, botProtection, createCors, createCsrf, createErrorHandler, createHeaders, createRateLimiter, createRedactor, createRedisStore, createSafeLogger, createSanitizer, createSecureCookies, createSlidingWindowLimiter, createTokenBucketLimiter, createValidator, csrfProtection, main_default as default, detectBot, detectClientIp, detectCommandInjection, detectHeaderInjection, detectJsonpInjection, detectNoSqlInjection, detectPathTraversal, detectPii, detectPrototypePollution, detectSql, detectSsti, detectXss, detectXxe, encodeForAttribute, encodeForCss, encodeForHtml, encodeForJs, encodeForUrl, enforceSecureCookie, errorHandler, fingerprint, formatDuration, generateCsrfToken, isDangerousExtension, isDangerousNoSqlKey, isDangerousProtoKey, isPrivateIp, isRedirectSafe, isUrlSafe, isValidEmailSyntax, parseDuration, rateLimit, redactObjectPii, redactPii, safeCors, safeLog, sanitizeCommand, sanitizeFilename, sanitizeHeaderValue, sanitizeHeaders, sanitizeJsonpCallback, sanitizeObject, sanitizePath, sanitizeSql, sanitizeSsti, sanitizeString, sanitizeXss, sanitizeXxe, scanObjectPii, scanPii, secureCookieDefaults, securityHeaders, validate, validateCsrfToken, validateEmail, validateFile, validateRedirect, validateUrl, verifyEmailMx };
 //# sourceMappingURL=index.mjs.map
 //# sourceMappingURL=index.mjs.map