Skip to content

feat: Add security headers, CSRF protection, secrets management, and log levels config#170

Merged
AbelOsaretin merged 5 commits into
Heliobond:mainfrom
osasfaith:feat/security-improvements
Jun 30, 2026
Merged

feat: Add security headers, CSRF protection, secrets management, and log levels config#170
AbelOsaretin merged 5 commits into
Heliobond:mainfrom
osasfaith:feat/security-improvements

Conversation

@osasfaith

Copy link
Copy Markdown
Contributor

Closes #122, Closes #123, Closes #124, Closes #125

Type of Change

  • New feature (non-breaking change that adds functionality)

Summary

This PR addresses four security and infrastructure issues by adding XSS protection headers (Referrer-Policy, Permissions-Policy), CSRF protection middleware with token validation and SameSite cookies, secrets management integration supporting AWS, Vault, and Azure with environment fallback, and environment-based log level configuration with runtime changes.

Motivation / Context

The backend lacked several critical security headers and infrastructure features needed for production readiness. This PR enhances the security posture by completing the XSS protection header suite, adding CSRF protection against cross-site request forgery attacks, providing a unified secrets management layer that supports multiple providers with automatic rotation, and implementing flexible log level configuration that adapts to deployment environments.

Closes #122, Closes #123, Closes #124, Closes #125

…eliobond#125)

Add additional XSS protection headers to the security middleware:
- Referrer-Policy set to strict-origin-when-cross-origin to control
  referrer information leakage across origins
- Permissions-Policy restricts browser feature access (camera,
  microphone, geolocation, payment, USB, etc.)

Closes Heliobond#125
Implement cross-site request forgery protection with:
- Cryptographic token generation and validation
- SameSite cookie configuration (strict in production, lax in dev)
- Origin and referer header checking against allowed origins
- Token support via X-CSRF-Token header or _csrf body field
- Automatic token refresh and expiry (1 hour)
- GET/HEAD/OPTIONS requests bypass CSRF validation

Closes Heliobond#124
Implement secrets management with support for multiple providers:
- Environment variables (default fallback)
- AWS Secrets Manager with SDK integration
- HashiCorp Vault with HTTP API
- Azure Key Vault with OAuth2 authentication
- In-memory caching with automatic expiry
- Configurable secret rotation with interval support
- Admin endpoint for secrets status monitoring

Closes Heliobond#123
…obond#122)

Improve logger configuration with:
- Environment-based default levels (development=debug, staging=info,
  production=warn)
- Runtime log level changes via setLogLevel() API
- Admin endpoints for querying and updating log level
- Environment field added to all log entries
- Backward-compatible with existing LOG_LEVEL env var

Closes Heliobond#122
Wire up the new security and infrastructure modules:
- CSRF protection middleware applied to all routes
- Permissions-Policy header middleware added to security stack
- Secrets rotation started on server boot, stopped on shutdown
- Admin endpoints for secrets status and log level management
- .env.example updated with all new configuration options

Refs Heliobond#122, Heliobond#123, Heliobond#124, Heliobond#125
@drips-wave

drips-wave Bot commented Jun 30, 2026

Copy link
Copy Markdown

@osasfaith Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@AbelOsaretin AbelOsaretin merged commit e6a03d1 into Heliobond:main Jun 30, 2026
0 of 2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add XSS protection headers Add CSRF protection Add secrets management integration Add log levels configuration

2 participants