feat: Add security headers, CSRF protection, secrets management, and log levels config#170
Merged
AbelOsaretin merged 5 commits intoJun 30, 2026
Merged
Conversation
…eliobond#125) Add additional XSS protection headers to the security middleware: - Referrer-Policy set to strict-origin-when-cross-origin to control referrer information leakage across origins - Permissions-Policy restricts browser feature access (camera, microphone, geolocation, payment, USB, etc.) Closes Heliobond#125
Implement cross-site request forgery protection with: - Cryptographic token generation and validation - SameSite cookie configuration (strict in production, lax in dev) - Origin and referer header checking against allowed origins - Token support via X-CSRF-Token header or _csrf body field - Automatic token refresh and expiry (1 hour) - GET/HEAD/OPTIONS requests bypass CSRF validation Closes Heliobond#124
Implement secrets management with support for multiple providers: - Environment variables (default fallback) - AWS Secrets Manager with SDK integration - HashiCorp Vault with HTTP API - Azure Key Vault with OAuth2 authentication - In-memory caching with automatic expiry - Configurable secret rotation with interval support - Admin endpoint for secrets status monitoring Closes Heliobond#123
…obond#122) Improve logger configuration with: - Environment-based default levels (development=debug, staging=info, production=warn) - Runtime log level changes via setLogLevel() API - Admin endpoints for querying and updating log level - Environment field added to all log entries - Backward-compatible with existing LOG_LEVEL env var Closes Heliobond#122
Wire up the new security and infrastructure modules: - CSRF protection middleware applied to all routes - Permissions-Policy header middleware added to security stack - Secrets rotation started on server boot, stopped on shutdown - Admin endpoints for secrets status and log level management - .env.example updated with all new configuration options Refs Heliobond#122, Heliobond#123, Heliobond#124, Heliobond#125
|
@osasfaith Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits. You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #122, Closes #123, Closes #124, Closes #125
Type of Change
Summary
This PR addresses four security and infrastructure issues by adding XSS protection headers (Referrer-Policy, Permissions-Policy), CSRF protection middleware with token validation and SameSite cookies, secrets management integration supporting AWS, Vault, and Azure with environment fallback, and environment-based log level configuration with runtime changes.
Motivation / Context
The backend lacked several critical security headers and infrastructure features needed for production readiness. This PR enhances the security posture by completing the XSS protection header suite, adding CSRF protection against cross-site request forgery attacks, providing a unified secrets management layer that supports multiple providers with automatic rotation, and implementing flexible log level configuration that adapts to deployment environments.
Closes #122, Closes #123, Closes #124, Closes #125