feat: reword phase to epic, update mkdocs

2025-11-05 09:28:33 +01:00
parent 65a428534c
commit ace9678f6c
64 changed files with 214 additions and 208 deletions
--- a/docs/content/stories/epic6/6.5-security-hardening.md
+++ b/docs/content/stories/epic6/6.5-security-hardening.md
@@ -0,0 +1,54 @@
+# Story 6.5: Security Hardening
+
+## Metadata
+- **Story ID**: 6.5
+- **Title**: Security Hardening
+- **Epic**: 6 - Observability & Production Readiness
+- **Status**: Pending
+- **Priority**: High
+- **Estimated Time**: 5-6 hours
+- **Dependencies**: 1.5
+
+## Goal
+Add comprehensive security hardening including security headers, input validation, and request size limits.
+
+## Description
+This story implements security best practices including security headers, input validation, request size limits, and SQL injection protection.
+
+## Deliverables
+
+### 1. Security Headers Middleware
+- `X-Content-Type-Options: nosniff`
+- `X-Frame-Options: DENY`
+- `X-XSS-Protection: 1; mode=block`
+- `Strict-Transport-Security` (if HTTPS)
+- `Content-Security-Policy`
+
+### 2. Request Size Limits
+- Max body size (10MB default)
+- Max header size
+- Configurable limits
+
+### 3. Input Validation
+- Use `github.com/go-playground/validator`
+- Validate all request bodies
+- Sanitize user inputs
+- Validation error responses
+
+### 4. SQL Injection Protection
+- Use parameterized queries (Ent already does this)
+- Add linter rule to prevent raw SQL
+- Security scanning
+
+## Acceptance Criteria
+- [ ] Security headers are present
+- [ ] Request size limits are enforced
+- [ ] Input validation works
+- [ ] SQL injection protection is in place
+- [ ] Security headers are configurable
+
+## Files to Create/Modify
+- `internal/server/middleware.go` - Security headers middleware
+- `internal/server/validation.go` - Input validation
+- `config/default.yaml` - Add security config
+