securenow 5.8.0 → 5.9.0

package/CONSUMING-APPS-GUIDE.md

@@ -362,6 +362,14 @@ OTEL_EXPORTER_OTLP_HEADERS="x-api-key=KEY"
 SECURENOW_APPID=my-app                   # Your app name
 OTEL_SERVICE_NAME=my-app                 # Alternative
 
+# Request Body Capture
+SECURENOW_CAPTURE_BODY=1                 # Capture JSON/form/GraphQL request bodies
+SECURENOW_MAX_BODY_SIZE=10240            # Max body size in bytes (default: 10KB)
+SECURENOW_SENSITIVE_FIELDS="field1,field2" # Additional fields to redact
+
+# Multipart Body Capture (v5.8.0+)
+SECURENOW_CAPTURE_MULTIPART=1            # Capture multipart field values & file metadata (streaming)
+
 # Debugging
 OTEL_LOG_LEVEL=debug                     # Enable debug output
 ```

package/NPM_README.md

@@ -903,6 +903,7 @@ export default defineNuxtConfig({
 | `SECURENOW_CAPTURE_BODY` | Enable request body capture in traces. Set to `1` to enable. | `0` |
 | `SECURENOW_MAX_BODY_SIZE` | Maximum body size to capture in bytes. Bodies larger than this are truncated. | `10240` (10KB) |
 | `SECURENOW_SENSITIVE_FIELDS` | Comma-separated list of additional field names to redact. | - |
+| `SECURENOW_CAPTURE_MULTIPART` | Enable multipart/form-data capture. Streams through the request to extract text field values and file metadata (name, filename, content-type, size) without buffering file content. Set to `1` to enable. | `0` |
 
 **Default sensitive fields (auto-redacted):** `password`, `passwd`, `pwd`, `secret`, `token`, `api_key`, `apikey`, `access_token`, `auth`, `credentials`, `mysql_pwd`, `stripeToken`, `card`, `cardnumber`, `ccv`, `cvc`, `cvv`, `ssn`, `pin`
 
@@ -1018,8 +1019,28 @@ export SECURENOW_MAX_BODY_SIZE=10240  # 10KB (optional)
 - `application/json`
 - `application/x-www-form-urlencoded`
 - `application/graphql`
+- `multipart/form-data` (requires `SECURENOW_CAPTURE_MULTIPART=1`)
 
-**Note:** Multipart form data (file uploads) are NOT captured by design.
+### Multipart Body Capture (v5.8.0+)
+
+Enable with `SECURENOW_CAPTURE_MULTIPART=1` to capture multipart/form-data requests. Uses a streaming parser that never buffers file content — memory stays at ~few KB regardless of upload size.
+
+**What gets captured:**
+- **Text fields** — field name and value (up to 1000 chars), with sensitive fields auto-redacted
+- **File fields** — metadata only: field name, filename, content-type, and size in bytes
+
+**Example trace attribute:**
+```json
+{
+  "fields": { "description": "My upload", "token": "[REDACTED]" },
+  "files": [
+    { "field": "avatar", "filename": "photo.jpg", "contentType": "image/jpeg", "size": 524288 },
+    { "field": "resume", "filename": "cv.pdf", "contentType": "application/pdf", "size": 1048576 }
+  ]
+}
+```
+
+File binary content is never stored in traces.
 
 ### Sensitive Data Redaction
 

package/README.md

@@ -168,6 +168,9 @@ OTEL_EXPORTER_OTLP_HEADERS="x-api-key=..."  # Authentication headers
 SECURENOW_CAPTURE_BODY=1                    # Capture request bodies in traces
 SECURENOW_MAX_BODY_SIZE=10240               # Max body size in bytes
 SECURENOW_SENSITIVE_FIELDS="field1,field2"  # Additional fields to redact
+
+# Optional: Multipart body capture (file upload metadata)
+SECURENOW_CAPTURE_MULTIPART=1               # Capture multipart field names, values & file metadata
 ```
 
 ### Legacy Environment Variables (still supported)

package/cli/auth.js

@@ -10,7 +10,7 @@ function openBrowser(url) {
   try {
     const platform = process.platform;
     if (platform === 'darwin') execFileSync('open', [url], { stdio: 'ignore' });
-    else if (platform === 'win32') execFileSync('cmd', ['/c', 'start', '', url], { stdio: 'ignore' });
+    else if (platform === 'win32') execFileSync('rundll32', ['url.dll,FileProtocolHandler', url], { stdio: 'ignore' });
     else execFileSync('xdg-open', [url], { stdio: 'ignore' });
     return true;
   } catch {

package/cli/config.js

@@ -32,6 +32,12 @@ function loadJSON(filepath) {
 function saveJSON(filepath, data) {
   ensureDir();
   fs.writeFileSync(filepath, JSON.stringify(data, null, 2), { encoding: 'utf8', mode: 0o600 });
+  if (process.platform === 'win32') {
+    try {
+      const { execFileSync } = require('child_process');
+      execFileSync('icacls', [filepath, '/inheritance:r', '/grant:r', `${process.env.USERNAME}:F`], { stdio: 'ignore' });
+    } catch (_) {}
+  }
 }
 
 function loadConfig() {

package/docs/ENVIRONMENT-VARIABLES.md

@@ -16,6 +16,7 @@ Complete reference for all environment variables supported by SecureNow.
 | **SECURENOW_CAPTURE_BODY** | Optional | `0` | Enable request body capture |
 | **SECURENOW_MAX_BODY_SIZE** | Optional | `10240` | Max body size in bytes |
 | **SECURENOW_SENSITIVE_FIELDS** | Optional | - | Comma-separated list of fields to redact |
+| **SECURENOW_CAPTURE_MULTIPART** | Optional | `0` | Enable multipart/form-data streaming capture |
 | **SECURENOW_DISABLE_INSTRUMENTATIONS** | Optional | - | Comma-separated list of packages to disable |
 | **SECURENOW_TEST_SPAN** | Optional | `0` | Emit test span on startup |
 | **OTEL_SERVICE_NAME** | Optional | - | Alternative to SECURENOW_APPID |
@@ -279,8 +280,8 @@ export SECURENOW_CAPTURE_BODY=1
 - `application/x-www-form-urlencoded`
 - `application/graphql`
 
-**Not captured:**
-- `multipart/form-data` (file uploads)
+**Not captured (unless separately enabled):**
+- `multipart/form-data` — requires `SECURENOW_CAPTURE_MULTIPART=1` (see below)
 - Bodies larger than `SECURENOW_MAX_BODY_SIZE`
 
 **Security:**
@@ -346,6 +347,50 @@ export SECURENOW_SENSITIVE_FIELDS="custom_secret,private_data,internal_id"
 
 ---
 
+### SECURENOW_CAPTURE_MULTIPART
+
+**Description:** Enable capture of `multipart/form-data` request bodies (file upload metadata and text fields). Uses a streaming parser that processes boundary markers on the fly — file binary content is never buffered or stored.
+
+**Format:** `1` (enabled) or `0` (disabled)
+
+**Default:** `0` (disabled)
+
+**Example:**
+```bash
+export SECURENOW_CAPTURE_MULTIPART=1
+```
+
+**What gets captured:**
+- **Text fields** — field name and value (up to 1000 characters), with sensitive fields auto-redacted
+- **File fields** — metadata only: field name, filename, content-type, and size in bytes (no binary content)
+
+**Example span attribute (`http.request.body`):**
+```json
+{
+  "fields": { "description": "My upload", "token": "[REDACTED]" },
+  "files": [
+    { "field": "avatar", "filename": "photo.jpg", "contentType": "image/jpeg", "size": 524288 },
+    { "field": "document", "filename": "report.pdf", "contentType": "application/pdf", "size": 1048576 }
+  ]
+}
+```
+
+**Additional span attributes set:**
+- `http.request.body.type` = `"multipart"`
+- `http.request.body.size` — total raw request body size in bytes
+- `http.request.body.fields_count` — number of text fields
+- `http.request.body.files_count` — number of file fields
+
+**Memory:** Bounded at ~few KB regardless of upload size (streaming parser discards file content as it passes through).
+
+**Parts limit:** 100 parts maximum per request (safety guard).
+
+**Requires:** `SECURENOW_CAPTURE_BODY=1` must also be set (multipart capture is gated behind general body capture).
+
+**Since:** v5.8.0
+
+---
+
 ## Instrumentation Control
 
 ### SECURENOW_DISABLE_INSTRUMENTATIONS

package/docs/EXPRESS-BODY-CAPTURE.md

@@ -192,6 +192,7 @@ import express from 'express';
 | `SECURENOW_CAPTURE_BODY` | Enable body capture (`1` or `true`) | `0` (disabled) |
 | `SECURENOW_MAX_BODY_SIZE` | Max body size in bytes | `10240` (10KB) |
 | `SECURENOW_SENSITIVE_FIELDS` | Comma-separated additional sensitive fields | (see below) |
+| `SECURENOW_CAPTURE_MULTIPART` | Enable multipart/form-data streaming capture (`1` or `true`) | `0` (disabled) |
 
 ### Default Sensitive Fields
 
@@ -274,10 +275,10 @@ pm2 logs express-api --lines 100
 | `application/json` | ✅ Yes | ✅ Yes | ✅ Yes |
 | `application/graphql` | ✅ Yes | ✅ Yes | ✅ Yes |
 | `application/x-www-form-urlencoded` | ✅ Yes | ✅ Yes | ✅ Yes |
-| `multipart/form-data` | ❌ No | N/A | N/A |
+| `multipart/form-data` | ✅ Metadata | ✅ Streaming | ✅ Yes |
 | `text/plain` | ❌ No | N/A | N/A |
 
-**Note**: File uploads (`multipart/form-data`) are intentionally NOT captured for performance and privacy reasons.
+**Note**: Multipart capture requires `SECURENOW_CAPTURE_MULTIPART=1` (v5.8.0+). Uses a streaming parser — text field values and file metadata (name, filename, content-type, size) are captured; file binary content is never buffered or stored.
 
 ## 🔍 Example: Complete Express + PM2 Setup
 

package/docs/REQUEST-BODY-CAPTURE.md

@@ -55,16 +55,24 @@ SECURENOW_SENSITIVE_FIELDS=credit_card,email,phone
    ```
    Parsed into object and sensitive fields redacted.
 
-4. **Multipart** (`multipart/form-data`) - ❌ NOT Captured
-   ```
-   [MULTIPART - NOT CAPTURED]
+4. **Multipart** (`multipart/form-data`) - ✅ Streaming Metadata Capture (v5.8.0+)
+
+   Requires `SECURENOW_CAPTURE_MULTIPART=1`. Uses a streaming parser — file binary content is never buffered.
+
+   ```json
+   {
+     "fields": { "description": "Profile update", "token": "[REDACTED]" },
+     "files": [
+       { "field": "avatar", "filename": "photo.jpg", "contentType": "image/jpeg", "size": 524288 }
+     ]
+   }
    ```
-   *File uploads are not captured at all (by design) - too large and unnecessary*
+   Text field values are captured with sensitive-field redaction. File parts record metadata only (field, filename, content-type, size). Memory stays at ~few KB regardless of upload size.
 
 ### ❌ What's NOT Captured
 
 - GET requests (no body)
-- File uploads (too large)
+- File binary content (only metadata when multipart capture is enabled)
 - Bodies larger than max size
 - Binary data
 - Non-POST/PUT/PATCH requests
@@ -218,6 +226,7 @@ mutation Login {
 | `SECURENOW_CAPTURE_BODY` | `0` (disabled) | Enable body capture |
 | `SECURENOW_MAX_BODY_SIZE` | `10240` (10KB) | Maximum body size to capture |
 | `SECURENOW_SENSITIVE_FIELDS` | `` | Comma-separated custom sensitive fields |
+| `SECURENOW_CAPTURE_MULTIPART` | `0` (disabled) | Enable multipart/form-data streaming capture (v5.8.0+) |
 
 ### Programmatic (Next.js)
 
@@ -529,7 +538,7 @@ SECURENOW_SENSITIVE_FIELDS=""  # Don't do this!
 
 ### Q: Does this work with file uploads?
 
-**A:** No, multipart/form-data is not captured (by design). Only metadata is logged.
+**A:** Yes! Since v5.8.0, set `SECURENOW_CAPTURE_MULTIPART=1` to capture multipart/form-data requests. The streaming parser extracts text field values and file metadata (name, filename, content-type, size) without ever buffering file binary content. Memory stays bounded at ~few KB regardless of upload size.
 
 ### Q: What's the performance impact?
 

package/free-trial-banner.js

@@ -107,7 +107,8 @@ function patchHttpForBanner() {
       if (res._snIsHtml === undefined) {
         var ct = res.getHeader('content-type');
         var ce = res.getHeader('content-encoding');
-        res._snIsHtml = !!(ct && String(ct).includes('text/html') && !ce);
+        var csp = res.getHeader('content-security-policy');
+        res._snIsHtml = !!(ct && String(ct).includes('text/html') && !ce && !csp);
       }
       if (!res._snIsHtml) {
         res._snBannerDone = true;
@@ -136,6 +137,11 @@ function patchHttpForBanner() {
         if (modified !== chunk) {
           var enc = typeof encoding === 'function' ? 'utf8' : encoding;
           var callback = typeof encoding === 'function' ? encoding : cb;
+          try {
+            if (this.getHeader('content-length')) {
+              this.setHeader('content-length', Buffer.byteLength(modified));
+            }
+          } catch (_) { /* headers already sent */ }
           return _origWrite.call(this, modified, enc, callback);
         }
       } catch (_) { /* never break the app */ }

package/nextjs-auto-capture.js

@@ -33,7 +33,7 @@ function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
   
   const redacted = Array.isArray(obj) ? [...obj] : { ...obj };
   
-  for (const key in redacted) {
+  for (const key of Object.keys(redacted)) {
     const lowerKey = key.toLowerCase();
     
     if (sensitiveFields.some(field => lowerKey.includes(field.toLowerCase()))) {

package/nextjs-middleware.js

@@ -27,12 +27,16 @@ const DEFAULT_SENSITIVE_FIELDS = [
 /**
  * Redact sensitive fields from an object
  */
+function escapeRegex(str) {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+
 function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
   if (!obj || typeof obj !== 'object') return obj;
   
   const redacted = Array.isArray(obj) ? [...obj] : { ...obj };
   
-  for (const key in redacted) {
+  for (const key of Object.keys(redacted)) {
     const lowerKey = key.toLowerCase();
     
     if (sensitiveFields.some(field => lowerKey.includes(field.toLowerCase()))) {
@@ -54,9 +58,10 @@ function redactGraphQLQuery(query, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
   let redacted = query;
   
   sensitiveFields.forEach(field => {
+    const escaped = escapeRegex(field);
     const patterns = [
-      new RegExp(`(${field}\\s*:\\s*["'])([^"']+)(["'])`, 'gi'),
-      new RegExp(`(${field}\\s*:\\s*)([^\\s,})\n]+)`, 'gi'),
+      new RegExp(`(${escaped}\\s*:\\s*["'])([^"']+)(["'])`, 'gi'),
+      new RegExp(`(${escaped}\\s*:\\s*)([^\\s,})\n]+)`, 'gi'),
     ];
     
     patterns.forEach(pattern => {

package/nextjs-wrapper.js

@@ -32,7 +32,7 @@ function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
   
   const redacted = Array.isArray(obj) ? [...obj] : { ...obj };
   
-  for (const key in redacted) {
+  for (const key of Object.keys(redacted)) {
     const lowerKey = key.toLowerCase();
     
     if (sensitiveFields.some(field => lowerKey.includes(field.toLowerCase()))) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "5.8.0",
+  "version": "5.9.0",
   "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",

package/tracing.js

@@ -53,6 +53,10 @@ const DEFAULT_SENSITIVE_FIELDS = [
   'card', 'cardnumber', 'ccv', 'cvc', 'cvv', 'ssn', 'pin',
 ];
 
+function escapeRegex(str) {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+
 /**
  * Redact sensitive fields from an object
  */
@@ -61,7 +65,7 @@ function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
   
   const redacted = Array.isArray(obj) ? [...obj] : { ...obj };
   
-  for (const key in redacted) {
+  for (const key of Object.keys(redacted)) {
     const lowerKey = key.toLowerCase();
     
     if (sensitiveFields.some(field => lowerKey.includes(field.toLowerCase()))) {
@@ -84,10 +88,10 @@ function redactGraphQLQuery(query, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
   
   // Redact sensitive fields in GraphQL arguments and variables
   sensitiveFields.forEach(field => {
-    // Match patterns: field: "value" or field: 'value' or field:"value"
+    const escaped = escapeRegex(field);
     const patterns = [
-      new RegExp(`(${field}\\s*:\\s*["'])([^"']+)(["'])`, 'gi'),
-      new RegExp(`(${field}\\s*:\\s*)([^\\s,})\n]+)`, 'gi'),
+      new RegExp(`(${escaped}\\s*:\\s*["'])([^"']+)(["'])`, 'gi'),
+      new RegExp(`(${escaped}\\s*:\\s*)([^\\s,})\n]+)`, 'gi'),
     ];
     
     patterns.forEach(pattern => {
@@ -118,7 +122,7 @@ function collectMultipartMeta(request, contentType, sensitiveFields, maxTextFiel
   const boundary = extractBoundary(contentType);
   if (!boundary) { onComplete({ error: 'BOUNDARY_NOT_FOUND' }); return; }
 
-  const result = { fields: {}, files: [] };
+  const result = { fields: Object.create(null), files: [] };
   let totalSize = 0;
   let buf = Buffer.alloc(0);
 
@@ -139,7 +143,7 @@ function collectMultipartMeta(request, contentType, sensitiveFields, maxTextFiel
   let textVal = '';
 
   function flushPart() {
-    if (!fldName) return;
+    if (!fldName || fldName === '__proto__' || fldName === 'constructor' || fldName === 'prototype') return;
     if (isFile) {
       result.files.push({ field: fldName, filename: fName, contentType: pCT || 'unknown', size: bodyBytes });
     } else {
@@ -316,7 +320,7 @@ for (const n of (env('SECURENOW_DISABLE_INSTRUMENTATIONS') || '').split(',').map
 
 // -------- Body Capture Configuration --------
 const captureBody = String(env('SECURENOW_CAPTURE_BODY')) === '1' || String(env('SECURENOW_CAPTURE_BODY')).toLowerCase() === 'true';
-const maxBodySize = parseInt(env('SECURENOW_MAX_BODY_SIZE') || '10240'); // 10KB default
+const maxBodySize = Math.max(1024, parseInt(env('SECURENOW_MAX_BODY_SIZE'), 10) || 10240);
 const customSensitiveFields = (env('SECURENOW_SENSITIVE_FIELDS') || '').split(',').map(s => s.trim()).filter(Boolean);
 const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
 
@@ -328,7 +332,7 @@ const captureMultipart = String(env('SECURENOW_CAPTURE_MULTIPART')) === '1' || S
 // This prevents end-users from spoofing their IP via custom headers.
 const os = require('os');
 const LOOPBACK_RE = /^(127\.|::1$|::ffff:127\.)/;
-const PRIVATE_IP_RE = /^(127\.|::1|::ffff:127\.|10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|fc|fd)/;
+const PRIVATE_IP_RE = /^(127\.|::1$|::ffff:127\.|10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|f[cd][0-9a-f]{2}:)/;
 const trustedProxyCsv = (env('SECURENOW_TRUSTED_PROXIES') || '').trim();
 const trustedProxySet = trustedProxyCsv ? new Set(trustedProxyCsv.split(',').map(s => s.trim()).filter(Boolean)) : null;
 
@@ -443,9 +447,9 @@ const httpInstrumentation = new HttpInstrumentation({
                   });
                 }
               } catch (e) {
-                // Parse error: capture as-is (truncated)
-                span.setAttribute('http.request.body', body.substring(0, 1000));
+                span.setAttribute('http.request.body', '[UNPARSEABLE - REDACTED FOR SAFETY]');
                 span.setAttribute('http.request.body.parse_error', true);
+                span.setAttribute('http.request.body.size', size);
               }
             } else if (size > maxBodySize) {
               span.setAttribute('http.request.body', `[TOO LARGE: ${size} bytes]`);

package/web-vite.mjs

@@ -55,10 +55,20 @@ const baseName = rawBase || null;
 const noUuid = String(env('SECURENOW_NO_UUID')) === '1' || String(env('SECURENOW_NO_UUID')).toLowerCase() === 'true';
 const strict = String(env('SECURENOW_STRICT')) === '1' || String(env('SECURENOW_STRICT')).toLowerCase() === 'true';
 
-// Simple UUID v4 (no crypto dependency needed)
 function uuidv4(): string {
-  const rnd = (n = 16) => Array.from({ length: n }, () => Math.floor(Math.random() * 16).toString(16)).join('');
-  return `${rnd(8)}-${rnd(4)}-4${rnd(3)}-${((8 + Math.random()*4)|0).toString(16)}${rnd(3)}-${rnd(12)}`;
+  if (typeof crypto !== 'undefined' && crypto.randomUUID) {
+    return crypto.randomUUID();
+  }
+  const bytes = new Uint8Array(16);
+  if (typeof crypto !== 'undefined' && crypto.getRandomValues) {
+    crypto.getRandomValues(bytes);
+  } else {
+    for (let i = 0; i < 16; i++) bytes[i] = Math.floor(Math.random() * 256);
+  }
+  bytes[6] = (bytes[6] & 0x0f) | 0x40;
+  bytes[8] = (bytes[8] & 0x3f) | 0x80;
+  const hex = Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
+  return `${hex.slice(0,8)}-${hex.slice(8,12)}-${hex.slice(12,16)}-${hex.slice(16,20)}-${hex.slice(20)}`;
 }
 
 let serviceName: string;
@@ -124,11 +134,11 @@ export function startSecurenowWeb() {
       new DocumentLoadInstrumentation(),
       new UserInteractionInstrumentation(),
       new FetchInstrumentation({
-        propagateTraceHeaderCorsUrls: [/.*/],
+        propagateTraceHeaderCorsUrls: [new RegExp(`^${location.origin.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}`)],
         ignoreUrls: [/\/vite\/hmr/, /^chrome-extension:\/\//, /sockjs/],
       }),
       new XMLHttpRequestInstrumentation({
-        propagateTraceHeaderCorsUrls: [/.*/],
+        propagateTraceHeaderCorsUrls: [new RegExp(`^${location.origin.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}`)],
       }),
     ],
   });