xypriss 2.2.5 → 2.3.0

package/dist/index.d.ts

@@ -1631,32 +1631,446 @@ interface CacheStrategy {
  */
 type SecurityLevel = "basic" | "enhanced" | "maximum";
 /**
- * Main security configuration interface.
+ * CSRF Protection Configuration
  *
- * Comprehensive security configuration including authentication,
- * encryption, and various security features.
+ * Protects against Cross-Site Request Forgery attacks by requiring tokens.
+ * Can be enabled/disabled or configured with custom options.
  *
- * @interface SecurityConfig
+ * @example Enable with defaults:
+ * ```typescript
+ * csrf: true
+ * ```
+ *
+ * @example Disable:
+ * ```typescript
+ * csrf: false
+ * ```
+ *
+ * @example Custom configuration:
+ * ```typescript
+ * csrf: {
+ *   cookieName: '__Host-csrf-token',
+ *   cookieOptions: {
+ *     httpOnly: true,
+ *     sameSite: 'strict',
+ *     secure: process.env.NODE_ENV === 'production'
+ *   }
+ * }
+ * ```
+ */
+interface CSRFConfig {
+    /** CSRF token cookie name */
+    cookieName?: string;
+    /** CSRF token cookie options */
+    cookieOptions?: {
+        httpOnly?: boolean;
+        sameSite?: boolean | "lax" | "strict" | "none";
+        secure?: boolean;
+    };
+}
+/**
+ * Helmet Security Headers Configuration
+ *
+ * Sets various HTTP headers to help protect against common attacks.
+ * Can be enabled/disabled or configured with custom header options.
+ *
+ * @example Enable with defaults:
+ * ```typescript
+ * helmet: true
+ * ```
+ *
+ * @example Custom CSP:
+ * ```typescript
+ * helmet: {
+ *   contentSecurityPolicy: {
+ *     directives: {
+ *       defaultSrc: ["'self'"],
+ *       scriptSrc: ["'self'", "'unsafe-inline'"]
+ *     }
+ *   },
+ *   hsts: { maxAge: 31536000 }
+ * }
+ * ```
+ */
+interface HelmetConfig {
+    /** Content Security Policy configuration */
+    contentSecurityPolicy?: {
+        directives: {
+            defaultSrc?: string[];
+            scriptSrc?: string[];
+        };
+    };
+    /** HTTP Strict Transport Security configuration */
+    hsts?: {
+        maxAge: number;
+    };
+}
+/**
+ * XSS Protection Configuration
+ *
+ * Protects against Cross-Site Scripting attacks by sanitizing input.
+ * Can be enabled/disabled or configured with custom sanitization rules.
+ *
+ * @example Enable with defaults:
+ * ```typescript
+ * xss: true
+ * ```
+ *
+ * @example Custom configuration:
+ * ```typescript
+ * xss: {
+ *   blockOnDetection: true,
+ *   customPatterns: [/custom-pattern/g],
+ *   whitelist: { a: ['href', 'title'] }
+ * }
+ * ```
+ */
+interface XSSConfig {
+    /** Block requests on XSS detection */
+    blockOnDetection?: boolean;
+    /** Custom XSS patterns to detect */
+    customPatterns?: RegExp[];
+    /** Whitelist of allowed tags and attributes */
+    whitelist?: {
+        [tag: string]: string[];
+    };
+}
+/**
+ * SQL Injection Protection Configuration
+ *
+ * Detects and prevents SQL injection attacks in request data.
+ * Can be enabled/disabled or configured with custom detection rules.
+ *
+ * @example Enable with defaults:
+ * ```typescript
+ * sqlInjection: true
+ * ```
+ *
+ * @example Custom configuration:
+ * ```typescript
+ * sqlInjection: {
+ *   blockOnDetection: true,
+ *   riskThreshold: 'medium',
+ *   customPatterns: [/custom-sql-pattern/g]
+ * }
+ * ```
+ */
+interface SQLInjectionConfig {
+    /** Block requests on SQL injection detection */
+    blockOnDetection?: boolean;
+    /** Risk threshold for SQL injection detection */
+    riskThreshold?: "low" | "medium" | "high";
+    /** Custom SQL injection patterns to detect */
+    customPatterns?: RegExp[];
+    /** Enable contextual analysis to reduce false positives */
+    contextualAnalysis?: boolean;
+    /** Strict mode - more aggressive detection */
+    strictMode?: boolean;
+    /** Log detected attempts */
+    logAttempts?: boolean;
+    /** False positive threshold (0-1) */
+    falsePositiveThreshold?: number;
+}
+/**
+ * Path Traversal Protection Configuration
+ *
+ * Detects and prevents directory traversal attacks while allowing legitimate file paths.
+ *
+ * @example Enable with defaults:
+ * ```typescript
+ * pathTraversal: true
+ * ```
+ *
+ * @example Custom configuration:
+ * ```typescript
+ * pathTraversal: {
+ *   blockOnDetection: true,
+ *   allowedPaths: ['/uploads/', '/public/'],
+ *   allowedExtensions: ['.jpg', '.png', '.pdf'],
+ *   maxDepth: 3
+ * }
+ * ```
+ */
+interface PathTraversalConfig {
+    /** Block requests on path traversal detection */
+    blockOnDetection?: boolean;
+    /** Allowed base paths */
+    allowedPaths?: string[];
+    /** Allowed file extensions */
+    allowedExtensions?: string[];
+    /** Maximum allowed path depth */
+    maxDepth?: number;
+    /** Strict mode */
+    strictMode?: boolean;
+    /** Log detected attempts */
+    logAttempts?: boolean;
+    /** False positive threshold (0-1) */
+    falsePositiveThreshold?: number;
+}
+/**
+ * Command Injection Protection Configuration
+ *
+ * Detects and prevents OS command injection attacks with context awareness.
+ *
+ * @example Enable with defaults:
+ * ```typescript
+ * commandInjection: true
+ * ```
+ *
+ * @example Custom configuration:
+ * ```typescript
+ * commandInjection: {
+ *   blockOnDetection: true,
+ *   contextualAnalysis: true,
+ *   allowedCommands: ['git', 'npm']
+ * }
+ * ```
+ */
+interface CommandInjectionConfig {
+    /** Block requests on command injection detection */
+    blockOnDetection?: boolean;
+    /** Enable contextual analysis */
+    contextualAnalysis?: boolean;
+    /** Allowed commands (whitelist) */
+    allowedCommands?: string[];
+    /** Strict mode */
+    strictMode?: boolean;
+    /** Log detected attempts */
+    logAttempts?: boolean;
+    /** False positive threshold (0-1) */
+    falsePositiveThreshold?: number;
+}
+/**
+ * XXE (XML External Entity) Protection Configuration
+ *
+ * Prevents XXE attacks in XML parsing.
+ *
+ * @example Enable with defaults:
+ * ```typescript
+ * xxe: true
+ * ```
+ *
+ * @example Custom configuration:
+ * ```typescript
+ * xxe: {
+ *   blockOnDetection: true,
+ *   allowDTD: false,
+ *   allowExternalEntities: false
+ * }
+ * ```
+ */
+interface XXEConfig {
+    /** Block requests on XXE detection */
+    blockOnDetection?: boolean;
+    /** Allow DTD declarations */
+    allowDTD?: boolean;
+    /** Allow external entities */
+    allowExternalEntities?: boolean;
+    /** Maximum entity expansions */
+    maxEntityExpansions?: number;
+    /** Strict mode */
+    strictMode?: boolean;
+    /** Log detected attempts */
+    logAttempts?: boolean;
+}
+/**
+ * LDAP Injection Protection Configuration
+ *
+ * Detects and prevents LDAP injection attacks.
+ *
+ * @example Enable with defaults:
+ * ```typescript
+ * ldapInjection: true
+ * ```
+ *
+ * @example Custom configuration:
+ * ```typescript
+ * ldapInjection: {
+ *   blockOnDetection: true,
+ *   strictMode: true
+ * }
+ * ```
+ */
+interface LDAPInjectionConfig {
+    /** Block requests on LDAP injection detection */
+    blockOnDetection?: boolean;
+    /** Strict mode */
+    strictMode?: boolean;
+    /** Log detected attempts */
+    logAttempts?: boolean;
+    /** False positive threshold (0-1) */
+    falsePositiveThreshold?: number;
+}
+/**
+ * Compression Configuration
+ *
+ * Response compression to reduce bandwidth and improve performance.
+ * Can be enabled/disabled or configured with custom compression settings.
+ *
+ * @example Enable with defaults:
+ * ```typescript
+ * compression: true
+ * ```
+ *
+ * @example Custom compression:
+ * ```typescript
+ * compression: {
+ *   level: 6, // compression level (1-9)
+ *   threshold: 1024, // minimum response size to compress
+ *   filter: (req, res) => {
+ *     // custom filter logic
+ *     return /json|text|javascript|css/.test(res.get('Content-Type'));
+ *   }
+ * }
+ * ```
+ */
+interface CompressionConfig$1 {
+    /** Compression level (1-9) */
+    level?: number;
+    /** Minimum response size to compress (in bytes) */
+    threshold?: number;
+    /** Custom filter function for compression */
+    filter?: (req: any, res: any) => boolean;
+}
+/**
+ * HTTP Parameter Pollution Protection Configuration
+ *
+ * Prevents HTTP Parameter Pollution attacks by handling duplicate parameters.
+ * Can be enabled/disabled or configured with custom parameter handling.
+ *
+ * @example Enable with defaults:
+ * ```typescript
+ * hpp: true
+ * ```
+ *
+ * @example Custom configuration:
+ * ```typescript
+ * hpp: {
+ *   whitelist: ['tags', 'categories'], // allow arrays for these params
+ *   checkQuery: true,
+ *   checkBody: true
+ * }
+ * ```
+ */
+interface HPPConfig {
+    /** Whitelist of allowed parameters for arrays */
+    whitelist?: string[];
+    /** Check query parameters for duplicates */
+    checkQuery?: boolean;
+    /** Check body parameters for duplicates */
+    checkBody?: boolean;
+}
+/**
+ * MongoDB Injection Protection Configuration
+ *
+ * Sanitizes MongoDB queries to prevent NoSQL injection attacks.
+ * Can be enabled/disabled or configured with custom sanitization rules.
+ *
+ * @example Enable with defaults:
+ * ```typescript
+ * mongoSanitize: true
+ * ```
+ *
+ * @example Custom configuration:
+ * ```typescript
+ * mongoSanitize: {
+ *   replaceWith: '_',
+ *   onSanitize: ({ req, key }) => {
+ *     console.warn(`Sanitized MongoDB key: ${key} from ${req.ip}`);
+ *   }
+ * }
+ * ```
+ */
+interface MongoSanitizeConfig {
+    /** Replacement character for sanitized keys */
+    replaceWith?: string;
+    /** Custom callback function for sanitization */
+    onSanitize?: (options: {
+        req: any;
+        key: string;
+    }) => void;
+}
+/**
+ * Request Logging Configuration
+ *
+ * HTTP request logging using Morgan middleware.
+ * Can be enabled/disabled or configured with custom logging formats.
+ *
+ * @example Enable with defaults:
+ * ```typescript
+ * morgan: true
+ * ```
+ *
+ * @example Custom logging format:
+ * ```typescript
+ * morgan: {
+ *   format: 'combined',
+ *   skip: (req, res) => res.statusCode < 400,
+ *   stream: customStream
+ * }
+ * ```
+ */
+interface MorganConfig {
+    /** Logging format for Morgan */
+    format?: string;
+    /** Custom skip function for logging */
+    skip?: (req: any, res: any) => boolean;
+    /** Custom stream for logging output */
+    stream?: any;
+}
+/**
+ * Slow Down Configuration
+ *
+ * Progressive delays for rate limiting to prevent abuse.
+ * Can be enabled/disabled or configured with custom delay patterns.
+ *
+ * @example Enable with defaults:
+ * ```typescript
+ * slowDown: true
+ * ```
+ *
+ * @example Custom slow down:
+ * ```typescript
+ * slowDown: {
+ *   windowMs: 15 * 60 * 1000, // 15 minutes
+ *   delayAfter: 100, // delay after 100 requests
+ *   delayMs: (used, req) => {
+ *     const delayAfter = req.slowDown?.limit || 100;
+ *     return (used - delayAfter) * 500; // 500ms per request over limit
+ *   }
+ * }
+ * ```
+ */
+interface SlowDownConfig {
+    /** Time window for slow down (in milliseconds) */
+    windowMs?: number;
+    /** Number of requests before delay starts */
+    delayAfter?: number;
+    /** Custom delay function */
+    delayMs?: (used: number, req: any) => number;
+}
+/**
+ * Security Configuration Interface
+ *
+ * Defines comprehensive security settings for XyPriss applications.
+ * Each security feature can be enabled/disabled or configured with detailed options.
  *
  * @example
  * ```typescript
  * const securityConfig: SecurityConfig = {
  *   level: 'enhanced',
- *   csrf: true,
- *   helmet: true,
- *   xss: true,
- *   sqlInjection: true,
- *   bruteForce: true,
- *   encryption: {
- *     algorithm: 'aes-256-gcm',
- *     keySize: 256
- *   },
- *   authentication: {
- *     jwt: {
- *       secret: 'your-secret-key',
- *       expiresIn: '24h',
- *       algorithm: 'HS256'
+ *   helmet: {
+ *     contentSecurityPolicy: {
+ *       directives: { defaultSrc: ["'self'"] }
  *     }
+ *   },
+ *   cors: {
+ *     origin: 'https://myapp.com',
+ *     credentials: true
+ *   },
+ *   bruteForce: {
+ *     windowMs: 15 * 60 * 1000,
+ *     max: 100
  *   }
  * };
  * ```
@@ -1664,16 +2078,366 @@ type SecurityLevel = "basic" | "enhanced" | "maximum";
 interface SecurityConfig {
     /** Security level preset */
     level?: SecurityLevel;
-    /** Enable CSRF protection */
-    csrf?: boolean;
-    /** Enable Helmet.js security headers */
-    helmet?: boolean;
-    /** Enable XSS protection */
-    xss?: boolean;
-    /** Enable SQL injection protection */
-    sqlInjection?: boolean;
-    /** Enable brute force protection */
-    bruteForce?: boolean;
+    /**
+     * CSRF Protection Configuration
+     *
+     * Protects against Cross-Site Request Forgery attacks by requiring tokens.
+     * Can be enabled/disabled or configured with custom options.
+     *
+     * @example Enable with defaults:
+     * ```typescript
+     * csrf: true
+     * ```
+     *
+     * @example Disable:
+     * ```typescript
+     * csrf: false
+     * ```
+     *
+     * @example Custom configuration:
+     * ```typescript
+     * csrf: {
+     *   cookieName: '__Host-csrf-token',
+     *   cookieOptions: {
+     *     httpOnly: true,
+     *     sameSite: 'strict',
+     *     secure: process.env.NODE_ENV === 'production'
+     *   }
+     * }
+     * ```
+     */
+    csrf?: boolean | CSRFConfig;
+    /**
+     * Helmet Security Headers Configuration
+     *
+     * Sets various HTTP headers to help protect against common attacks.
+     * Can be enabled/disabled or configured with custom header options.
+     *
+     * @example Enable with defaults:
+     * ```typescript
+     * helmet: true
+     * ```
+     *
+     * @example Custom CSP:
+     * ```typescript
+     * helmet: {
+     *   contentSecurityPolicy: {
+     *     directives: {
+     *       defaultSrc: ["'self'"],
+     *       scriptSrc: ["'self'", "'unsafe-inline'"]
+     *     }
+     *   },
+     *   hsts: { maxAge: 31536000 }
+     * }
+     * ```
+     */
+    helmet?: boolean | HelmetConfig;
+    /**
+     * XSS Protection Configuration
+     *
+     * Protects against Cross-Site Scripting attacks by sanitizing input.
+     * Can be enabled/disabled or configured with custom sanitization rules.
+     *
+     * @example Enable with defaults:
+     * ```typescript
+     * xss: true
+     * ```
+     *
+     * @example Custom configuration:
+     * ```typescript
+     * xss: {
+     *   blockOnDetection: true,
+     *   customPatterns: [/custom-pattern/g],
+     *   whitelist: { a: ['href', 'title'] }
+     * }
+     * ```
+     */
+    xss?: boolean | XSSConfig;
+    /**
+     * SQL Injection Protection Configuration
+     *
+     * Detects and prevents SQL injection attacks in request data.
+     * Can be enabled/disabled or configured with custom detection rules.
+     *
+     * @example Enable with defaults:
+     * ```typescript
+     * sqlInjection: true
+     * ```
+     *
+     * @example Custom configuration:
+     * ```typescript
+     * sqlInjection: {
+     *   blockOnDetection: true,
+     *   riskThreshold: 'medium',
+     *   customPatterns: [/custom-sql-pattern/g]
+     * }
+     * ```
+     */
+    sqlInjection?: boolean | SQLInjectionConfig;
+    /**
+     * Path Traversal Protection Configuration
+     *
+     * Detects and prevents directory traversal attacks while allowing legitimate file paths.
+     * Can be enabled/disabled or configured with custom detection rules.
+     *
+     * @example Enable with defaults:
+     * ```typescript
+     * pathTraversal: true
+     * ```
+     *
+     * @example Custom configuration:
+     * ```typescript
+     * pathTraversal: {
+     *   blockOnDetection: true,
+     *   allowedPaths: ['/uploads/', '/public/'],
+     *   allowedExtensions: ['.jpg', '.png', '.pdf'],
+     *   maxDepth: 3
+     * }
+     * ```
+     */
+    pathTraversal?: boolean | PathTraversalConfig;
+    /**
+     * Command Injection Protection Configuration
+     *
+     * Detects and prevents OS command injection attacks with context awareness.
+     * Can be enabled/disabled or configured with custom detection rules.
+     *
+     * @example Enable with defaults:
+     * ```typescript
+     * commandInjection: true
+     * ```
+     *
+     * @example Custom configuration:
+     * ```typescript
+     * commandInjection: {
+     *   blockOnDetection: true,
+     *   contextualAnalysis: true,
+     *   allowedCommands: ['git', 'npm']
+     * }
+     * ```
+     */
+    commandInjection?: boolean | CommandInjectionConfig;
+    /**
+     * XXE (XML External Entity) Protection Configuration
+     *
+     * Prevents XXE attacks in XML parsing.
+     * Can be enabled/disabled or configured with custom detection rules.
+     *
+     * @example Enable with defaults:
+     * ```typescript
+     * xxe: true
+     * ```
+     *
+     * @example Custom configuration:
+     * ```typescript
+     * xxe: {
+     *   blockOnDetection: true,
+     *   allowDTD: false,
+     *   allowExternalEntities: false
+     * }
+     * ```
+     */
+    xxe?: boolean | XXEConfig;
+    /**
+     * LDAP Injection Protection Configuration
+     *
+     * Detects and prevents LDAP injection attacks.
+     * Can be enabled/disabled or configured with custom detection rules.
+     *
+     * @example Enable with defaults:
+     * ```typescript
+     * ldapInjection: true
+     * ```
+     *
+     * @example Custom configuration:
+     * ```typescript
+     * ldapInjection: {
+     *   blockOnDetection: true,
+     *   strictMode: true
+     * }
+     * ```
+     */
+    ldapInjection?: boolean | LDAPInjectionConfig;
+    /**
+     * Brute Force Protection Configuration
+     *
+     * Specialized protection against brute force attacks on authentication endpoints.
+     * More aggressive than general rate limiting, designed for login/password attempts.
+     * Can be enabled/disabled or configured with custom protection rules.
+     *
+     * @example Enable with defaults:
+     * ```typescript
+     * bruteForce: true
+     * ```
+     *
+     * @example Custom brute force protection:
+     * ```typescript
+     * bruteForce: {
+     *   windowMs: 15 * 60 * 1000, // 15 minutes
+     *   max: 5, // only 5 attempts per window (stricter than rateLimit)
+     *   message: 'Too many login attempts, account temporarily locked.',
+     *   standardHeaders: true
+     * }
+     * ```
+     */
+    bruteForce?: boolean | RateLimitConfig$1;
+    /**
+     * Rate Limiting Configuration
+     *
+     * General rate limiting to prevent abuse and control request frequency.
+     * Can be enabled/disabled or configured with custom rate limiting rules.
+     *
+     * @example Enable with defaults:
+     * ```typescript
+     * rateLimit: true
+     * ```
+     *
+     * @example Custom rate limiting:
+     * ```typescript
+     * rateLimit: {
+     *   windowMs: 15 * 60 * 1000, // 15 minutes
+     *   max: 100, // limit each IP to 100 requests per windowMs
+     *   message: 'Too many requests, please try again later.',
+     *   standardHeaders: true
+     * }
+     * ```
+     */
+    rateLimit?: boolean | RateLimitConfig$1;
+    /**
+     * CORS Configuration
+     *
+     * Cross-Origin Resource Sharing settings for API access control.
+     * Can be enabled/disabled or configured with custom CORS policies.
+     *
+     * @example Enable with defaults:
+     * ```typescript
+     * cors: true
+     * ```
+     *
+     * @example Custom CORS policy:
+     * ```typescript
+     * cors: {
+     *   origin: ['https://myapp.com', 'https://admin.myapp.com'],
+     *   methods: ['GET', 'POST', 'PUT', 'DELETE'],
+     *   allowedHeaders: ['Content-Type', 'Authorization'],
+     *   credentials: true,
+     *   maxAge: 86400
+     * }
+     * ```
+     */
+    cors?: boolean | CORSConfig;
+    /**
+     * Compression Configuration
+     *
+     * Response compression to reduce bandwidth and improve performance.
+     * Can be enabled/disabled or configured with custom compression settings.
+     *
+     * @example Enable with defaults:
+     * ```typescript
+     * compression: true
+     * ```
+     *
+     * @example Custom compression:
+     * ```typescript
+     * compression: {
+     *   level: 6, // compression level (1-9)
+     *   threshold: 1024, // minimum response size to compress
+     *   filter: (req, res) => {
+     *     // custom filter logic
+     *     return /json|text|javascript|css/.test(res.get('Content-Type'));
+     *   }
+     * }
+     * ```
+     */
+    compression?: boolean | CompressionConfig$1;
+    /**
+     * HTTP Parameter Pollution Protection Configuration
+     *
+     * Prevents HTTP Parameter Pollution attacks by handling duplicate parameters.
+     * Can be enabled/disabled or configured with custom parameter handling.
+     *
+     * @example Enable with defaults:
+     * ```typescript
+     * hpp: true
+     * ```
+     *
+     * @example Custom configuration:
+     * ```typescript
+     * hpp: {
+     *   whitelist: ['tags', 'categories'], // allow arrays for these params
+     *   checkQuery: true,
+     *   checkBody: true
+     * }
+     * ```
+     */
+    hpp?: boolean | HPPConfig;
+    /**
+     * MongoDB Injection Protection Configuration
+     *
+     * Sanitizes MongoDB queries to prevent NoSQL injection attacks.
+     * Can be enabled/disabled or configured with custom sanitization rules.
+     *
+     * @example Enable with defaults:
+     * ```typescript
+     * mongoSanitize: true
+     * ```
+     *
+     * @example Custom configuration:
+     * ```typescript
+     * mongoSanitize: {
+     *   replaceWith: '_',
+     *   onSanitize: ({ req, key }) => {
+     *     console.warn(`Sanitized MongoDB key: ${key} from ${req.ip}`);
+     *   }
+     * }
+     * ```
+     */
+    mongoSanitize?: boolean | MongoSanitizeConfig;
+    /**
+     * Request Logging Configuration
+     *
+     * HTTP request logging using Morgan middleware.
+     * Can be enabled/disabled or configured with custom logging formats.
+     *
+     * @example Enable with defaults:
+     * ```typescript
+     * morgan: true
+     * ```
+     *
+     * @example Custom logging format:
+     * ```typescript
+     * morgan: {
+     *   format: 'combined',
+     *   skip: (req, res) => res.statusCode < 400,
+     *   stream: customStream
+     * }
+     * ```
+     */
+    morgan?: boolean | MorganConfig;
+    /**
+     * Slow Down Configuration
+     *
+     * Progressive delays for rate limiting to prevent abuse.
+     * Can be enabled/disabled or configured with custom delay patterns.
+     *
+     * @example Enable with defaults:
+     * ```typescript
+     * slowDown: true
+     * ```
+     *
+     * @example Custom slow down:
+     * ```typescript
+     * slowDown: {
+     *   windowMs: 15 * 60 * 1000, // 15 minutes
+     *   delayAfter: 100, // delay after 100 requests
+     *   delayMs: (used, req) => {
+     *     const delayAfter = req.slowDown?.limit || 100;
+     *     return (used - delayAfter) * 500; // 500ms per request over limit
+     *   }
+     * }
+     * ```
+     */
+    slowDown?: boolean | SlowDownConfig;
     /** Encryption configuration */
     encryption?: EncryptionConfig;
     /** Authentication configuration */
@@ -1830,6 +2594,79 @@ interface SessionCookieConfig {
     /** SameSite cookie attribute */
     sameSite?: boolean | "lax" | "strict" | "none";
 }
+/**
+ * CORS (Cross-Origin Resource Sharing) configuration interface.
+ *
+ * Configuration for CORS policies including allowed origins,
+ * methods, and headers.
+ *
+ * By default, all headers are allowed to be developer-friendly.
+ * You can restrict headers by specifying the allowedHeaders array.
+ *
+ * @interface CORSConfig
+ *
+ * @example
+ * ```typescript
+ * // Allow all headers (default - developer-friendly)
+ * const corsConfig: CORSConfig = {
+ *   origin: '*',
+ *   methods: ['GET', 'POST', 'PUT', 'DELETE'],
+ *   credentials: true
+ * };
+ *
+ * // Restrict specific headers (production)
+ * const restrictiveCorsConfig: CORSConfig = {
+ *   origin: ['https://example.com', 'https://app.example.com'],
+ *   methods: ['GET', 'POST', 'PUT', 'DELETE'],
+ *   allowedHeaders: ['Content-Type', 'Authorization'],
+ *   credentials: true
+ * };
+ * ```
+ */
+interface CORSConfig {
+    /** Allowed origins - can be string, array of strings, or boolean */
+    origin?: string | string[] | boolean;
+    /** Allowed HTTP methods */
+    methods?: string[];
+    /**
+     * Allowed headers - if not specified, all headers are allowed by default.
+     * Specify this array to restrict which headers are allowed.
+     */
+    allowedHeaders?: string[];
+    /** Allow credentials in CORS requests */
+    credentials?: boolean;
+}
+/**
+ * Rate limiting configuration interface.
+ *
+ * Configuration for rate limiting including time windows,
+ * request limits, and custom messages.
+ *
+ * @interface RateLimitConfig
+ *
+ * @example
+ * ```typescript
+ * const rateLimitConfig: RateLimitConfig = {
+ *   windowMs: 900000, // 15 minutes
+ *   max: 100, // 100 requests per window
+ *   message: 'Too many requests, please try again later',
+ *   standardHeaders: true,
+ *   legacyHeaders: false
+ * };
+ * ```
+ */
+interface RateLimitConfig$1 {
+    /** Time window in milliseconds */
+    windowMs?: number;
+    /** Maximum requests per window */
+    max?: number;
+    /** Message to send when limit is exceeded */
+    message?: string;
+    /** Include standard rate limit headers */
+    standardHeaders?: boolean;
+    /** Include legacy rate limit headers */
+    legacyHeaders?: boolean;
+}
 /**
  * Route-specific security configuration interface.
  *
@@ -3417,7 +4254,7 @@ declare class ConsoleInterceptor {
 
 /**
  * XyPriss Security Middleware
- * Comprehensive security middleware using proven external libraries
+ * Comprehensive security middleware using BuiltInMiddleware as single source of truth
  */
 
 /**
@@ -3426,25 +4263,44 @@ declare class ConsoleInterceptor {
  */
 declare class SecurityMiddleware implements Required<SecurityConfig> {
     level: SecurityLevel;
-    csrf: boolean;
-    helmet: boolean;
-    xss: boolean;
-    sqlInjection: boolean;
-    bruteForce: boolean;
+    csrf: boolean | CSRFConfig;
+    helmet: boolean | HelmetConfig;
+    xss: boolean | XSSConfig;
+    sqlInjection: boolean | SQLInjectionConfig;
+    pathTraversal: boolean | PathTraversalConfig;
+    commandInjection: boolean | CommandInjectionConfig;
+    xxe: boolean | XXEConfig;
+    ldapInjection: boolean | LDAPInjectionConfig;
+    bruteForce: boolean | RateLimitConfig$1;
+    rateLimit: boolean | RateLimitConfig$1;
+    cors: boolean | CORSConfig;
+    compression: boolean | CompressionConfig$1;
+    hpp: boolean | HPPConfig;
+    mongoSanitize: boolean | MongoSanitizeConfig;
+    morgan: boolean | MorganConfig;
+    slowDown: boolean | SlowDownConfig;
     encryption: Required<SecurityConfig>["encryption"];
     authentication: Required<SecurityConfig>["authentication"];
     private helmetMiddleware;
     private corsMiddleware;
     private rateLimitMiddleware;
+    private bruteForceMiddleware;
     private csrfMiddleware;
     private mongoSanitizeMiddleware;
     private hppMiddleware;
     private compressionMiddleware;
+    private morganMiddleware;
+    private slowDownMiddleware;
     private sqlInjectionDetector;
+    private pathTraversalDetector;
+    private commandInjectionDetector;
+    private xxeProtector;
+    private ldapInjectionDetector;
     private logger;
     constructor(config?: SecurityConfig, logger?: Logger);
     /**
-     * Initialize all security middleware instances using external libraries
+     * Initialize all security middleware instances using BuiltInMiddleware
+     * BuiltInMiddleware is the single source of truth for all middleware wrappers
      */
     private initializeMiddleware;
     /**
@@ -3464,10 +4320,6 @@ declare class SecurityMiddleware implements Required<SecurityConfig> {
      * Custom XSS protection middleware
      */
     private xssProtection;
-    /**
-     * Make request properties writable to avoid readonly property errors
-     */
-    private makeRequestPropertiesWritable;
     /**
      * Recursively sanitize object properties
      */
@@ -4111,6 +4963,10 @@ interface XyPrissMiddlewareAPI {
         priority?: MiddlewarePriority;
         routes?: string[];
     }): XyPrissMiddlewareAPI;
+    /**
+     * Initialize default middleware with security configuration
+     */
+    initializeWithConfig(securityConfig?: SecurityConfig): void;
     /**
      * Configure security middleware bundle
      */