@vorionsys/platform-core 0.1.0

package/dist/api/middleware/security-headers.js

@@ -0,0 +1,410 @@
+/**
+ * Security Headers Middleware
+ *
+ * Provides comprehensive security headers for HTTP responses including:
+ * - Content Security Policy (CSP) with configurable directives
+ * - Subresource Integrity (SRI) hash generation and validation
+ * - Standard security headers (HSTS, X-Frame-Options, etc.)
+ * - Nonce generation for inline scripts
+ * - Environment-specific CSP configurations
+ *
+ * @packageDocumentation
+ */
+import { randomBytes, createHash } from 'node:crypto';
+import { createLogger } from '../../common/logger.js';
+const logger = createLogger({ component: 'security-headers' });
+// ============================================================================
+// Default Configurations
+// ============================================================================
+/**
+ * Default security headers applied to all responses
+ */
+export const DEFAULT_SECURITY_HEADERS = {
+    'Content-Security-Policy': "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'",
+    'X-Content-Type-Options': 'nosniff',
+    'X-Frame-Options': 'DENY',
+    'X-XSS-Protection': '1; mode=block',
+    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
+    'Referrer-Policy': 'strict-origin-when-cross-origin',
+    'Permissions-Policy': 'geolocation=(), microphone=(), camera=()',
+};
+/**
+ * Default CSP directives for APIs
+ */
+export const DEFAULT_API_CSP = {
+    'default-src': ["'self'"],
+    'script-src': ["'self'"],
+    'style-src': ["'self'", "'unsafe-inline'"],
+    'img-src': ["'self'", 'data:'],
+    'font-src': ["'self'"],
+    'connect-src': ["'self'"],
+    'object-src': ["'none'"],
+    'frame-ancestors': ["'none'"],
+    'base-uri': ["'self'"],
+    'form-action': ["'self'"],
+    'upgrade-insecure-requests': true,
+};
+/**
+ * CSP configuration for Swagger UI pages
+ */
+export const SWAGGER_UI_CSP = {
+    'default-src': ["'self'"],
+    'script-src': ["'self'"],
+    'style-src': ["'self'", "'unsafe-inline'"],
+    'img-src': ["'self'", 'data:', 'https://validator.swagger.io'],
+    'font-src': ["'self'"],
+    'connect-src': ["'self'"],
+    'object-src': ["'none'"],
+    'frame-ancestors': ["'none'"],
+    'base-uri': ["'self'"],
+    'form-action': ["'self'"],
+};
+/**
+ * Environment-specific CSP configurations
+ */
+export const ENVIRONMENT_CSP_CONFIG = {
+    development: {
+        'default-src': ["'self'"],
+        'script-src': ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
+        'style-src': ["'self'", "'unsafe-inline'"],
+        'img-src': ["'self'", 'data:', 'blob:'],
+        'font-src': ["'self'"],
+        'connect-src': ["'self'", 'ws:', 'wss:', 'http://localhost:*', 'https://localhost:*'],
+        'object-src': ["'none'"],
+        'frame-ancestors': ["'self'"],
+        'base-uri': ["'self'"],
+        'form-action': ["'self'"],
+    },
+    staging: {
+        'default-src': ["'self'"],
+        'script-src': ["'self'"],
+        'style-src': ["'self'", "'unsafe-inline'"],
+        'img-src': ["'self'", 'data:'],
+        'font-src': ["'self'"],
+        'connect-src': ["'self'"],
+        'object-src': ["'none'"],
+        'frame-ancestors': ["'none'"],
+        'base-uri': ["'self'"],
+        'form-action': ["'self'"],
+        'upgrade-insecure-requests': true,
+    },
+    production: {
+        'default-src': ["'self'"],
+        'script-src': ["'self'"],
+        'style-src': ["'self'", "'unsafe-inline'"],
+        'img-src': ["'self'", 'data:'],
+        'font-src': ["'self'"],
+        'connect-src': ["'self'"],
+        'object-src': ["'none'"],
+        'frame-ancestors': ["'none'"],
+        'base-uri': ["'self'"],
+        'form-action': ["'self'"],
+        'upgrade-insecure-requests': true,
+        'block-all-mixed-content': true,
+    },
+};
+// ============================================================================
+// Utility Functions
+// ============================================================================
+/**
+ * Generate a cryptographically secure nonce for CSP
+ *
+ * @returns Base64-encoded nonce string
+ */
+export function generateNonce() {
+    return randomBytes(16).toString('base64');
+}
+/**
+ * Generate Subresource Integrity (SRI) hash for content
+ *
+ * @param content - The content to hash (string or Buffer)
+ * @param algorithm - Hash algorithm to use (default: sha384)
+ * @returns SRI hash object with algorithm, hash, and full integrity value
+ */
+export function generateSriHash(content, algorithm = 'sha384') {
+    const hash = createHash(algorithm)
+        .update(content)
+        .digest('base64');
+    return {
+        algorithm,
+        hash,
+        integrity: `${algorithm}-${hash}`,
+    };
+}
+/**
+ * Verify content against SRI hash
+ *
+ * @param content - Content to verify
+ * @param expectedIntegrity - Expected integrity attribute value
+ * @returns True if content matches the hash
+ */
+export function verifySriHash(content, expectedIntegrity) {
+    // Parse the integrity value (e.g., "sha384-abc123")
+    const match = expectedIntegrity.match(/^(sha256|sha384|sha512)-(.+)$/);
+    if (!match) {
+        return false;
+    }
+    const [, algorithm, expectedHash] = match;
+    const actualHash = createHash(algorithm)
+        .update(content)
+        .digest('base64');
+    return actualHash === expectedHash;
+}
+/**
+ * Build CSP header string from directives object
+ *
+ * @param directives - CSP directives configuration
+ * @param nonce - Optional nonce to include in script-src and style-src
+ * @returns CSP header value string
+ */
+export function buildCspHeader(directives, nonce) {
+    const parts = [];
+    for (const [directive, value] of Object.entries(directives)) {
+        if (value === undefined)
+            continue;
+        // Handle boolean directives
+        if (typeof value === 'boolean') {
+            if (value) {
+                parts.push(directive);
+            }
+            continue;
+        }
+        // Handle string directives (report-uri, report-to)
+        if (typeof value === 'string') {
+            parts.push(`${directive} ${value}`);
+            continue;
+        }
+        // Handle array directives
+        if (Array.isArray(value)) {
+            let sources = [...value];
+            // Add nonce to script-src and style-src if provided
+            if (nonce && (directive === 'script-src' || directive === 'style-src')) {
+                sources.push(`'nonce-${nonce}'`);
+            }
+            parts.push(`${directive} ${sources.join(' ')}`);
+        }
+    }
+    return parts.join('; ');
+}
+/**
+ * Get CSP configuration for the current environment
+ *
+ * @param config - Environment CSP configuration
+ * @returns CSP directives for current environment
+ */
+export function getEnvironmentCsp(config) {
+    const env = process.env.NODE_ENV || 'development';
+    switch (env) {
+        case 'production':
+            return config.production;
+        case 'staging':
+        case 'test':
+            return config.staging;
+        default:
+            return config.development;
+    }
+}
+// ============================================================================
+// Middleware
+// ============================================================================
+/**
+ * Create security headers middleware for Fastify
+ *
+ * Applies comprehensive security headers to all responses including:
+ * - Content-Security-Policy with configurable directives
+ * - X-Content-Type-Options: nosniff
+ * - X-Frame-Options
+ * - X-XSS-Protection
+ * - Strict-Transport-Security (HSTS)
+ * - Referrer-Policy
+ * - Permissions-Policy
+ *
+ * @param options - Security headers configuration
+ * @returns Fastify onRequest hook function
+ *
+ * @example
+ * ```typescript
+ * // Basic usage with defaults
+ * server.addHook('onRequest', securityHeadersMiddleware());
+ *
+ * // With custom CSP
+ * server.addHook('onRequest', securityHeadersMiddleware({
+ *   csp: {
+ *     'default-src': ["'self'"],
+ *     'script-src': ["'self'", "'unsafe-inline'"],
+ *     'style-src': ["'self'", "'unsafe-inline'"],
+ *   }
+ * }));
+ *
+ * // With nonce generation for inline scripts
+ * server.addHook('onRequest', securityHeadersMiddleware({
+ *   useNonce: true,
+ * }));
+ * ```
+ */
+export function securityHeadersMiddleware(options = {}) {
+    const { noSniff = true, frameOptions = 'DENY', xssProtection = true, hsts = { maxAge: 31536000, includeSubDomains: true }, referrerPolicy = 'strict-origin-when-cross-origin', permissionsPolicy = 'geolocation=(), microphone=(), camera=()', useNonce = false, customHeaders = {}, excludePaths = [], } = options;
+    // Get CSP configuration
+    let cspDirectives;
+    if (options.csp === false) {
+        cspDirectives = false;
+    }
+    else if (options.environmentCsp) {
+        cspDirectives = getEnvironmentCsp(options.environmentCsp);
+    }
+    else if (options.csp) {
+        cspDirectives = options.csp;
+    }
+    else {
+        cspDirectives = DEFAULT_API_CSP;
+    }
+    return async (request, reply) => {
+        // Skip excluded paths
+        if (excludePaths.some((path) => request.url.startsWith(path))) {
+            return;
+        }
+        // Generate nonce if enabled
+        let nonce;
+        if (useNonce) {
+            nonce = generateNonce();
+            // Store nonce on request for use in templates
+            request.cspNonce = nonce;
+        }
+        // Apply CSP
+        if (cspDirectives !== false) {
+            const cspHeader = buildCspHeader(cspDirectives, nonce);
+            reply.header('Content-Security-Policy', cspHeader);
+        }
+        // X-Content-Type-Options
+        if (noSniff) {
+            reply.header('X-Content-Type-Options', 'nosniff');
+        }
+        // X-Frame-Options
+        if (frameOptions) {
+            reply.header('X-Frame-Options', frameOptions);
+        }
+        // X-XSS-Protection
+        if (xssProtection) {
+            reply.header('X-XSS-Protection', '1; mode=block');
+        }
+        // HSTS
+        if (hsts) {
+            let hstsValue = `max-age=${hsts.maxAge}`;
+            if (hsts.includeSubDomains) {
+                hstsValue += '; includeSubDomains';
+            }
+            if (hsts.preload) {
+                hstsValue += '; preload';
+            }
+            reply.header('Strict-Transport-Security', hstsValue);
+        }
+        // Referrer-Policy
+        if (referrerPolicy) {
+            reply.header('Referrer-Policy', referrerPolicy);
+        }
+        // Permissions-Policy
+        if (permissionsPolicy) {
+            reply.header('Permissions-Policy', permissionsPolicy);
+        }
+        // Custom headers
+        for (const [name, value] of Object.entries(customHeaders)) {
+            reply.header(name, value);
+        }
+    };
+}
+/**
+ * Create security headers middleware specifically for Swagger UI
+ *
+ * Applies CSP and security headers optimized for Swagger UI pages
+ * that serve self-hosted Swagger UI assets.
+ *
+ * @param options - Additional security header options
+ * @returns Fastify onRequest hook function
+ */
+export function swaggerSecurityHeaders(options = {}) {
+    return securityHeadersMiddleware({
+        ...options,
+        csp: SWAGGER_UI_CSP,
+    });
+}
+/**
+ * Apply default security headers to a FastifyReply
+ *
+ * Convenience function to apply all default security headers
+ * to a single response without middleware registration.
+ *
+ * @param reply - Fastify reply object
+ * @param csp - Optional CSP directives (defaults to API CSP)
+ */
+export function applySecurityHeaders(reply, csp) {
+    // Apply CSP
+    if (csp !== false) {
+        const cspHeader = buildCspHeader(csp ?? DEFAULT_API_CSP);
+        reply.header('Content-Security-Policy', cspHeader);
+    }
+    // Apply other security headers
+    reply.header('X-Content-Type-Options', 'nosniff');
+    reply.header('X-Frame-Options', 'DENY');
+    reply.header('X-XSS-Protection', '1; mode=block');
+    reply.header('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
+    reply.header('Referrer-Policy', 'strict-origin-when-cross-origin');
+    reply.header('Permissions-Policy', 'geolocation=(), microphone=(), camera=()');
+}
+// ============================================================================
+// Plugin Registration
+// ============================================================================
+/**
+ * Register security headers plugin for Fastify
+ *
+ * Registers the security headers middleware as a Fastify plugin,
+ * applying headers to all requests by default.
+ *
+ * @param server - Fastify instance
+ * @param options - Security headers configuration
+ *
+ * @example
+ * ```typescript
+ * await server.register(registerSecurityHeadersPlugin, {
+ *   environmentCsp: ENVIRONMENT_CSP_CONFIG,
+ *   useNonce: true,
+ *   excludePaths: ['/health', '/metrics'],
+ * });
+ * ```
+ */
+export async function registerSecurityHeadersPlugin(server, options = {}) {
+    const middleware = securityHeadersMiddleware(options);
+    // Add security headers to all requests
+    server.addHook('onRequest', middleware);
+    // Decorate server with utility functions
+    server.decorate('generateCspNonce', generateNonce);
+    server.decorate('generateSriHash', generateSriHash);
+    server.decorate('verifySriHash', verifySriHash);
+    logger.info({ excludePaths: options.excludePaths, useNonce: options.useNonce }, 'Security headers plugin registered');
+}
+// ============================================================================
+// SRI Hash Generation for Swagger UI Assets
+// ============================================================================
+/**
+ * Pre-computed SRI hashes for Swagger UI 5.x assets
+ *
+ * These hashes should be updated when Swagger UI version changes.
+ * Use generateSriHashForFile() to regenerate hashes.
+ *
+ * Note: When self-hosting, generate hashes from your actual files.
+ */
+export const SWAGGER_UI_SRI_HASHES = {
+    // These are placeholders - actual hashes must be generated from the specific files
+    css: 'sha384-PLACEHOLDER-GENERATE-FROM-ACTUAL-FILE',
+    bundle: 'sha384-PLACEHOLDER-GENERATE-FROM-ACTUAL-FILE',
+    standalonePreset: 'sha384-PLACEHOLDER-GENERATE-FROM-ACTUAL-FILE',
+};
+/**
+ * Generate SRI hash for a file (for build-time hash generation)
+ *
+ * @param content - File content as string or Buffer
+ * @returns SRI integrity attribute value
+ */
+export function generateSriHashForFile(content) {
+    return generateSriHash(content, 'sha384').integrity;
+}
+//# sourceMappingURL=security-headers.js.map

package/dist/api/middleware/security-headers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-headers.js","sourceRoot":"","sources":["../../../src/api/middleware/security-headers.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACtD,OAAO,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AAEtD,MAAM,MAAM,GAAG,YAAY,CAAC,EAAE,SAAS,EAAE,kBAAkB,EAAE,CAAC,CAAC;AAsF/D,+EAA+E;AAC/E,yBAAyB;AACzB,+EAA+E;AAE/E;;GAEG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAA2B;IAC9D,yBAAyB,EAAE,yEAAyE;IACpG,wBAAwB,EAAE,SAAS;IACnC,iBAAiB,EAAE,MAAM;IACzB,kBAAkB,EAAE,eAAe;IACnC,2BAA2B,EAAE,qCAAqC;IAClE,iBAAiB,EAAE,iCAAiC;IACpD,oBAAoB,EAAE,0CAA0C;CACjE,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,eAAe,GAAkB;IAC5C,aAAa,EAAE,CAAC,QAAQ,CAAC;IACzB,YAAY,EAAE,CAAC,QAAQ,CAAC;IACxB,WAAW,EAAE,CAAC,QAAQ,EAAE,iBAAiB,CAAC;IAC1C,SAAS,EAAE,CAAC,QAAQ,EAAE,OAAO,CAAC;IAC9B,UAAU,EAAE,CAAC,QAAQ,CAAC;IACtB,aAAa,EAAE,CAAC,QAAQ,CAAC;IACzB,YAAY,EAAE,CAAC,QAAQ,CAAC;IACxB,iBAAiB,EAAE,CAAC,QAAQ,CAAC;IAC7B,UAAU,EAAE,CAAC,QAAQ,CAAC;IACtB,aAAa,EAAE,CAAC,QAAQ,CAAC;IACzB,2BAA2B,EAAE,IAAI;CAClC,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,cAAc,GAAkB;IAC3C,aAAa,EAAE,CAAC,QAAQ,CAAC;IACzB,YAAY,EAAE,CAAC,QAAQ,CAAC;IACxB,WAAW,EAAE,CAAC,QAAQ,EAAE,iBAAiB,CAAC;IAC1C,SAAS,EAAE,CAAC,QAAQ,EAAE,OAAO,EAAE,8BAA8B,CAAC;IAC9D,UAAU,EAAE,CAAC,QAAQ,CAAC;IACtB,aAAa,EAAE,CAAC,QAAQ,CAAC;IACzB,YAAY,EAAE,CAAC,QAAQ,CAAC;IACxB,iBAAiB,EAAE,CAAC,QAAQ,CAAC;IAC7B,UAAU,EAAE,CAAC,QAAQ,CAAC;IACtB,aAAa,EAAE,CAAC,QAAQ,CAAC;CAC1B,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAyB;IAC1D,WAAW,EAAE;QACX,aAAa,EAAE,CAAC,QAAQ,CAAC;QACzB,YAAY,EAAE,CAAC,QAAQ,EAAE,iBAAiB,EAAE,eAAe,CAAC;QAC5D,WAAW,EAAE,CAAC,QAAQ,EAAE,iBAAiB,CAAC;QAC1C,SAAS,EAAE,CAAC,QAAQ,EAAE,OAAO,EAAE,OAAO,CAAC;QACvC,UAAU,EAAE,CAAC,QAAQ,CAAC;QACtB,aAAa,EAAE,CAAC,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,oBAAoB,EAAE,qBAAqB,CAAC;QACrF,YAAY,EAAE,CAAC,QAAQ,CAAC;QACxB,iBAAiB,EAAE,CAAC,QAAQ,CAAC;QAC7B,UAAU,EAAE,CAAC,QAAQ,CAAC;QACtB,aAAa,EAAE,CAAC,QAAQ,CAAC;KAC1B;IACD,OAAO,EAAE;QACP,aAAa,EAAE,CAAC,QAAQ,CAAC;QACzB,YAAY,EAAE,CAAC,QAAQ,CAAC;QACxB,WAAW,EAAE,CAAC,QAAQ,EAAE,iBAAiB,CAAC;QAC1C,SAAS,EAAE,CAAC,QAAQ,EAAE,OAAO,CAAC;QAC9B,UAAU,EAAE,CAAC,QAAQ,CAAC;QACtB,aAAa,EAAE,CAAC,QAAQ,CAAC;QACzB,YAAY,EAAE,CAAC,QAAQ,CAAC;QACxB,iBAAiB,EAAE,CAAC,QAAQ,CAAC;QAC7B,UAAU,EAAE,CAAC,QAAQ,CAAC;QACtB,aAAa,EAAE,CAAC,QAAQ,CAAC;QACzB,2BAA2B,EAAE,IAAI;KAClC;IACD,UAAU,EAAE;QACV,aAAa,EAAE,CAAC,QAAQ,CAAC;QACzB,YAAY,EAAE,CAAC,QAAQ,CAAC;QACxB,WAAW,EAAE,CAAC,QAAQ,EAAE,iBAAiB,CAAC;QAC1C,SAAS,EAAE,CAAC,QAAQ,EAAE,OAAO,CAAC;QAC9B,UAAU,EAAE,CAAC,QAAQ,CAAC;QACtB,aAAa,EAAE,CAAC,QAAQ,CAAC;QACzB,YAAY,EAAE,CAAC,QAAQ,CAAC;QACxB,iBAAiB,EAAE,CAAC,QAAQ,CAAC;QAC7B,UAAU,EAAE,CAAC,QAAQ,CAAC;QACtB,aAAa,EAAE,CAAC,QAAQ,CAAC;QACzB,2BAA2B,EAAE,IAAI;QACjC,yBAAyB,EAAE,IAAI;KAChC;CACF,CAAC;AAEF,+EAA+E;AAC/E,oBAAoB;AACpB,+EAA+E;AAE/E;;;;GAIG;AACH,MAAM,UAAU,aAAa;IAC3B,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AAC5C,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,eAAe,CAC7B,OAAwB,EACxB,YAA4C,QAAQ;IAEpD,MAAM,IAAI,GAAG,UAAU,CAAC,SAAS,CAAC;SAC/B,MAAM,CAAC,OAAO,CAAC;SACf,MAAM,CAAC,QAAQ,CAAC,CAAC;IAEpB,OAAO;QACL,SAAS;QACT,IAAI;QACJ,SAAS,EAAE,GAAG,SAAS,IAAI,IAAI,EAAE;KAClC,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,aAAa,CAAC,OAAwB,EAAE,iBAAyB;IAC/E,oDAAoD;IACpD,MAAM,KAAK,GAAG,iBAAiB,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACvE,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,CAAC,EAAE,SAAS,EAAE,YAAY,CAAC,GAAG,KAAK,CAAC;IAC1C,MAAM,UAAU,GAAG,UAAU,CAAC,SAA2C,CAAC;SACvE,MAAM,CAAC,OAAO,CAAC;SACf,MAAM,CAAC,QAAQ,CAAC,CAAC;IAEpB,OAAO,UAAU,KAAK,YAAY,CAAC;AACrC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,cAAc,CAAC,UAAyB,EAAE,KAAc;IACtE,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,KAAK,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;QAC5D,IAAI,KAAK,KAAK,SAAS;YAAE,SAAS;QAElC,4BAA4B;QAC5B,IAAI,OAAO,KAAK,KAAK,SAAS,EAAE,CAAC;YAC/B,IAAI,KAAK,EAAE,CAAC;gBACV,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACxB,CAAC;YACD,SAAS;QACX,CAAC;QAED,mDAAmD;QACnD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,KAAK,CAAC,IAAI,CAAC,GAAG,SAAS,IAAI,KAAK,EAAE,CAAC,CAAC;YACpC,SAAS;QACX,CAAC;QAED,0BAA0B;QAC1B,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,IAAI,OAAO,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC;YAEzB,oDAAoD;YACpD,IAAI,KAAK,IAAI,CAAC,SAAS,KAAK,YAAY,IAAI,SAAS,KAAK,WAAW,CAAC,EAAE,CAAC;gBACvE,OAAO,CAAC,IAAI,CAAC,UAAU,KAAK,GAAG,CAAC,CAAC;YACnC,CAAC;YAED,KAAK,CAAC,IAAI,CAAC,GAAG,SAAS,IAAI,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClD,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAA4B;IAC5D,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,aAAa,CAAC;IAElD,QAAQ,GAAG,EAAE,CAAC;QACZ,KAAK,YAAY;YACf,OAAO,MAAM,CAAC,UAAU,CAAC;QAC3B,KAAK,SAAS,CAAC;QACf,KAAK,MAAM;YACT,OAAO,MAAM,CAAC,OAAO,CAAC;QACxB;YACE,OAAO,MAAM,CAAC,WAAW,CAAC;IAC9B,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,aAAa;AACb,+EAA+E;AAE/E;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AACH,MAAM,UAAU,yBAAyB,CACvC,UAAkC,EAAE;IAEpC,MAAM,EACJ,OAAO,GAAG,IAAI,EACd,YAAY,GAAG,MAAM,EACrB,aAAa,GAAG,IAAI,EACpB,IAAI,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,iBAAiB,EAAE,IAAI,EAAE,EACpD,cAAc,GAAG,iCAAiC,EAClD,iBAAiB,GAAG,0CAA0C,EAC9D,QAAQ,GAAG,KAAK,EAChB,aAAa,GAAG,EAAE,EAClB,YAAY,GAAG,EAAE,GAClB,GAAG,OAAO,CAAC;IAEZ,wBAAwB;IACxB,IAAI,aAAoC,CAAC;IACzC,IAAI,OAAO,CAAC,GAAG,KAAK,KAAK,EAAE,CAAC;QAC1B,aAAa,GAAG,KAAK,CAAC;IACxB,CAAC;SAAM,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;QAClC,aAAa,GAAG,iBAAiB,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;IAC5D,CAAC;SAAM,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;QACvB,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC;IAC9B,CAAC;SAAM,CAAC;QACN,aAAa,GAAG,eAAe,CAAC;IAClC,CAAC;IAED,OAAO,KAAK,EAAE,OAAuB,EAAE,KAAmB,EAAiB,EAAE;QAC3E,sBAAsB;QACtB,IAAI,YAAY,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;YAC9D,OAAO;QACT,CAAC;QAED,4BAA4B;QAC5B,IAAI,KAAyB,CAAC;QAC9B,IAAI,QAAQ,EAAE,CAAC;YACb,KAAK,GAAG,aAAa,EAAE,CAAC;YACxB,8CAA8C;YAC7C,OAAiD,CAAC,QAAQ,GAAG,KAAK,CAAC;QACtE,CAAC;QAED,YAAY;QACZ,IAAI,aAAa,KAAK,KAAK,EAAE,CAAC;YAC5B,MAAM,SAAS,GAAG,cAAc,CAAC,aAAa,EAAE,KAAK,CAAC,CAAC;YACvD,KAAK,CAAC,MAAM,CAAC,yBAAyB,EAAE,SAAS,CAAC,CAAC;QACrD,CAAC;QAED,yBAAyB;QACzB,IAAI,OAAO,EAAE,CAAC;YACZ,KAAK,CAAC,MAAM,CAAC,wBAAwB,EAAE,SAAS,CAAC,CAAC;QACpD,CAAC;QAED,kBAAkB;QAClB,IAAI,YAAY,EAAE,CAAC;YACjB,KAAK,CAAC,MAAM,CAAC,iBAAiB,EAAE,YAAY,CAAC,CAAC;QAChD,CAAC;QAED,mBAAmB;QACnB,IAAI,aAAa,EAAE,CAAC;YAClB,KAAK,CAAC,MAAM,CAAC,kBAAkB,EAAE,eAAe,CAAC,CAAC;QACpD,CAAC;QAED,OAAO;QACP,IAAI,IAAI,EAAE,CAAC;YACT,IAAI,SAAS,GAAG,WAAW,IAAI,CAAC,MAAM,EAAE,CAAC;YACzC,IAAI,IAAI,CAAC,iBAAiB,EAAE,CAAC;gBAC3B,SAAS,IAAI,qBAAqB,CAAC;YACrC,CAAC;YACD,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;gBACjB,SAAS,IAAI,WAAW,CAAC;YAC3B,CAAC;YACD,KAAK,CAAC,MAAM,CAAC,2BAA2B,EAAE,SAAS,CAAC,CAAC;QACvD,CAAC;QAED,kBAAkB;QAClB,IAAI,cAAc,EAAE,CAAC;YACnB,KAAK,CAAC,MAAM,CAAC,iBAAiB,EAAE,cAAc,CAAC,CAAC;QAClD,CAAC;QAED,qBAAqB;QACrB,IAAI,iBAAiB,EAAE,CAAC;YACtB,KAAK,CAAC,MAAM,CAAC,oBAAoB,EAAE,iBAAiB,CAAC,CAAC;QACxD,CAAC;QAED,iBAAiB;QACjB,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,CAAC;YAC1D,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC,CAAC;AACJ,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,sBAAsB,CACpC,UAA+C,EAAE;IAEjD,OAAO,yBAAyB,CAAC;QAC/B,GAAG,OAAO;QACV,GAAG,EAAE,cAAc;KACpB,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,oBAAoB,CAClC,KAAmB,EACnB,GAA2B;IAE3B,YAAY;IACZ,IAAI,GAAG,KAAK,KAAK,EAAE,CAAC;QAClB,MAAM,SAAS,GAAG,cAAc,CAAC,GAAG,IAAI,eAAe,CAAC,CAAC;QACzD,KAAK,CAAC,MAAM,CAAC,yBAAyB,EAAE,SAAS,CAAC,CAAC;IACrD,CAAC;IAED,+BAA+B;IAC/B,KAAK,CAAC,MAAM,CAAC,wBAAwB,EAAE,SAAS,CAAC,CAAC;IAClD,KAAK,CAAC,MAAM,CAAC,iBAAiB,EAAE,MAAM,CAAC,CAAC;IACxC,KAAK,CAAC,MAAM,CAAC,kBAAkB,EAAE,eAAe,CAAC,CAAC;IAClD,KAAK,CAAC,MAAM,CAAC,2BAA2B,EAAE,qCAAqC,CAAC,CAAC;IACjF,KAAK,CAAC,MAAM,CAAC,iBAAiB,EAAE,iCAAiC,CAAC,CAAC;IACnE,KAAK,CAAC,MAAM,CAAC,oBAAoB,EAAE,0CAA0C,CAAC,CAAC;AACjF,CAAC;AAED,+EAA+E;AAC/E,sBAAsB;AACtB,+EAA+E;AAE/E;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,CAAC,KAAK,UAAU,6BAA6B,CACjD,MAAuB,EACvB,UAAkC,EAAE;IAEpC,MAAM,UAAU,GAAG,yBAAyB,CAAC,OAAO,CAAC,CAAC;IAEtD,uCAAuC;IACvC,MAAM,CAAC,OAAO,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;IAExC,yCAAyC;IACzC,MAAM,CAAC,QAAQ,CAAC,kBAAkB,EAAE,aAAa,CAAC,CAAC;IACnD,MAAM,CAAC,QAAQ,CAAC,iBAAiB,EAAE,eAAe,CAAC,CAAC;IACpD,MAAM,CAAC,QAAQ,CAAC,eAAe,EAAE,aAAa,CAAC,CAAC;IAEhD,MAAM,CAAC,IAAI,CACT,EAAE,YAAY,EAAE,OAAO,CAAC,YAAY,EAAE,QAAQ,EAAE,OAAO,CAAC,QAAQ,EAAE,EAClE,oCAAoC,CACrC,CAAC;AACJ,CAAC;AAED,+EAA+E;AAC/E,4CAA4C;AAC5C,+EAA+E;AAE/E;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG;IACnC,mFAAmF;IACnF,GAAG,EAAE,8CAA8C;IACnD,MAAM,EAAE,8CAA8C;IACtD,gBAAgB,EAAE,8CAA8C;CACxD,CAAC;AAEX;;;;;GAKG;AACH,MAAM,UAAU,sBAAsB,CAAC,OAAwB;IAC7D,OAAO,eAAe,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,SAAS,CAAC;AACtD,CAAC"}

package/dist/api/middleware/security.d.ts

@@ -0,0 +1,156 @@
+/**
+ * Security Middleware
+ *
+ * Provides security headers, request ID injection, request logging,
+ * and sensitive data masking for production API hardening.
+ *
+ * @packageDocumentation
+ */
+import type { FastifyInstance, FastifyRequest, FastifyReply } from 'fastify';
+/** Type for onRequest hook function */
+type OnRequestFn = (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
+/** Type for onResponse hook function */
+type OnResponseFn = (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
+/** Type for preHandler hook function */
+type PreHandlerFn = (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
+/**
+ * Security headers configuration
+ */
+export interface SecurityHeadersConfig {
+    /** Enable CORS headers */
+    cors?: boolean | CorsConfig;
+    /** Enable Content Security Policy */
+    csp?: boolean | CspConfig;
+    /** Enable HSTS (HTTP Strict Transport Security) */
+    hsts?: boolean | HstsConfig;
+    /** Enable X-Content-Type-Options: nosniff */
+    noSniff?: boolean;
+    /** Enable X-Frame-Options */
+    frameOptions?: 'DENY' | 'SAMEORIGIN' | false;
+    /** Enable X-XSS-Protection */
+    xssProtection?: boolean;
+    /** Enable Referrer-Policy */
+    referrerPolicy?: string | false;
+    /** Enable Permissions-Policy */
+    permissionsPolicy?: string | false;
+    /** Custom headers to add */
+    customHeaders?: Record<string, string>;
+}
+/**
+ * CORS configuration
+ */
+export interface CorsConfig {
+    origin: string | string[] | boolean | ((origin: string) => boolean);
+    methods?: string[];
+    allowedHeaders?: string[];
+    exposedHeaders?: string[];
+    credentials?: boolean;
+    maxAge?: number;
+}
+/**
+ * CSP configuration
+ */
+export interface CspConfig {
+    defaultSrc?: string[];
+    scriptSrc?: string[];
+    styleSrc?: string[];
+    imgSrc?: string[];
+    connectSrc?: string[];
+    fontSrc?: string[];
+    objectSrc?: string[];
+    mediaSrc?: string[];
+    frameSrc?: string[];
+    childSrc?: string[];
+    workerSrc?: string[];
+    frameAncestors?: string[];
+    formAction?: string[];
+    upgradeInsecureRequests?: boolean;
+    blockAllMixedContent?: boolean;
+    reportUri?: string;
+}
+/**
+ * HSTS configuration
+ */
+export interface HstsConfig {
+    maxAge: number;
+    includeSubDomains?: boolean;
+    preload?: boolean;
+}
+/**
+ * Request logging configuration
+ */
+export interface RequestLoggingConfig {
+    /** Log request start */
+    logRequest?: boolean;
+    /** Log response completion */
+    logResponse?: boolean;
+    /** Log request body (be careful with sensitive data) */
+    logBody?: boolean;
+    /** Log response body */
+    logResponseBody?: boolean;
+    /** Maximum body size to log (bytes) */
+    maxBodyLogSize?: number;
+    /** Paths to exclude from logging */
+    excludePaths?: string[];
+    /** Headers to exclude from logging */
+    excludeHeaders?: string[];
+    /** Fields to mask in body */
+    sensitiveFields?: string[];
+}
+/**
+ * Mask sensitive data in an object
+ */
+export declare function maskSensitiveData(obj: unknown, sensitiveFields?: string[], maxDepth?: number): unknown;
+/**
+ * Create security headers middleware
+ *
+ * @param config - Security headers configuration
+ * @returns Fastify onRequest hook
+ */
+export declare function securityHeaders(config?: SecurityHeadersConfig): OnRequestFn;
+/**
+ * Create request ID injection middleware
+ *
+ * Injects a unique request ID into each request for tracing and debugging.
+ *
+ * @returns Fastify onRequest hook
+ */
+export declare function requestIdInjection(): OnRequestFn;
+/**
+ * Create request logging middleware
+ *
+ * @param config - Logging configuration
+ * @returns Object with onRequest and onResponse hooks
+ */
+export declare function requestLogging(config?: RequestLoggingConfig): {
+    onRequest: OnRequestFn;
+    onResponse: OnResponseFn;
+};
+/**
+ * Combined security middleware that applies all security features
+ *
+ * @param options - Configuration options
+ * @returns Fastify preHandler hook
+ */
+export declare function combinedSecurityMiddleware(options?: {
+    headers?: SecurityHeadersConfig;
+    logging?: RequestLoggingConfig;
+}): PreHandlerFn;
+/**
+ * Register security middleware plugin for Fastify
+ *
+ * @param server - Fastify instance
+ * @param options - Configuration options
+ */
+export declare function registerSecurityPlugin(server: FastifyInstance, options?: {
+    headers?: SecurityHeadersConfig;
+    logging?: RequestLoggingConfig;
+    /** Skip security for certain paths */
+    skipPaths?: string[];
+}): Promise<void>;
+/**
+ * Create timing-safe string comparison to prevent timing attacks
+ */
+export declare function timingSafeEqual(a: string, b: string): boolean;
+export {};
+//# sourceMappingURL=security.d.ts.map

package/dist/api/middleware/security.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../../../src/api/middleware/security.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAE7E,uCAAuC;AACvC,KAAK,WAAW,GAAG,CAAC,OAAO,EAAE,cAAc,EAAE,KAAK,EAAE,YAAY,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;AACnF,wCAAwC;AACxC,KAAK,YAAY,GAAG,CAAC,OAAO,EAAE,cAAc,EAAE,KAAK,EAAE,YAAY,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;AACpF,wCAAwC;AACxC,KAAK,YAAY,GAAG,CAAC,OAAO,EAAE,cAAc,EAAE,KAAK,EAAE,YAAY,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;AASpF;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,0BAA0B;IAC1B,IAAI,CAAC,EAAE,OAAO,GAAG,UAAU,CAAC;IAC5B,qCAAqC;IACrC,GAAG,CAAC,EAAE,OAAO,GAAG,SAAS,CAAC;IAC1B,mDAAmD;IACnD,IAAI,CAAC,EAAE,OAAO,GAAG,UAAU,CAAC;IAC5B,6CAA6C;IAC7C,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,6BAA6B;IAC7B,YAAY,CAAC,EAAE,MAAM,GAAG,YAAY,GAAG,KAAK,CAAC;IAC7C,8BAA8B;IAC9B,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,6BAA6B;IAC7B,cAAc,CAAC,EAAE,MAAM,GAAG,KAAK,CAAC;IAChC,gCAAgC;IAChC,iBAAiB,CAAC,EAAE,MAAM,GAAG,KAAK,CAAC;IACnC,4BAA4B;IAC5B,aAAa,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACxC;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,OAAO,GAAG,CAAC,CAAC,MAAM,EAAE,MAAM,KAAK,OAAO,CAAC,CAAC;IACpE,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,uBAAuB,CAAC,EAAE,OAAO,CAAC;IAClC,oBAAoB,CAAC,EAAE,OAAO,CAAC;IAC/B,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,MAAM,EAAE,MAAM,CAAC;IACf,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,wBAAwB;IACxB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,8BAA8B;IAC9B,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,wDAAwD;IACxD,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,wBAAwB;IACxB,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,uCAAuC;IACvC,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,oCAAoC;IACpC,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,sCAAsC;IACtC,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,6BAA6B;IAC7B,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;CAC5B;AA2HD;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,GAAG,EAAE,OAAO,EACZ,eAAe,GAAE,MAAM,EAA4C,EACnE,QAAQ,GAAE,MAAW,GACpB,OAAO,CAmCT;AAuBD;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,MAAM,GAAE,qBAA0B,GAAG,WAAW,CAoD/E;AAED;;;;;;GAMG;AACH,wBAAgB,kBAAkB,IAAI,WAAW,CA2BhD;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,MAAM,GAAE,oBAAyB,GAAG;IACjE,SAAS,EAAE,WAAW,CAAC;IACvB,UAAU,EAAE,YAAY,CAAC;CAC1B,CAgGA;AAED;;;;;GAKG;AACH,wBAAgB,0BAA0B,CAAC,OAAO,CAAC,EAAE;IACnD,OAAO,CAAC,EAAE,qBAAqB,CAAC;IAChC,OAAO,CAAC,EAAE,oBAAoB,CAAC;CAChC,GAAG,YAAY,CAQf;AAED;;;;;GAKG;AACH,wBAAsB,sBAAsB,CAC1C,MAAM,EAAE,eAAe,EACvB,OAAO,CAAC,EAAE;IACR,OAAO,CAAC,EAAE,qBAAqB,CAAC;IAChC,OAAO,CAAC,EAAE,oBAAoB,CAAC;IAC/B,sCAAsC;IACtC,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;CACtB,GACA,OAAO,CAAC,IAAI,CAAC,CAgCf;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAY7D"}