# Story 6.5: Security Hardening

## Metadata

- **Story ID**: 6.5
- **Title**: Security Hardening
- **Epic**: 6 - Observability & Production Readiness
- **Status**: Pending
- **Priority**: High
- **Estimated Time**: 5-6 hours
- **Dependencies**: 1.5

## Goal

Add comprehensive security hardening including security headers, input validation, and request size limits.

## Description

This story implements security best practices including security headers, input validation, request size limits, and SQL injection protection.

## Deliverables

### 1. Security Headers Middleware

- `X-Content-Type-Options: nosniff`
- `X-Frame-Options: DENY`
- `X-XSS-Protection: 1; mode=block`
- `Strict-Transport-Security` (if HTTPS)
- `Content-Security-Policy`

### 2. Request Size Limits

- Max body size (10MB default)
- Max header size
- Configurable limits

### 3. Input Validation

- Use `github.com/go-playground/validator`
- Validate all request bodies
- Sanitize user inputs
- Validation error responses

### 4. SQL Injection Protection

- Use parameterized queries (Ent already does this)
- Add linter rule to prevent raw SQL
- Security scanning

## Acceptance Criteria

- [ ] Security headers are present
- [ ] Request size limits are enforced
- [ ] Input validation works
- [ ] SQL injection protection is in place
- [ ] Security headers are configurable

## Files to Create/Modify

- `internal/server/middleware.go` - Security headers middleware
- `internal/server/validation.go` - Input validation
- `config/default.yaml` - Add security config
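The following is an added example of deliverables 1 and 2 (security headers middleware and request body size limit) using only the Go standard library; it is not code from this project, and the `SecurityConfig` field names, the default CSP and HSTS values, and the `echoHandler` stand-in are assumptions. It shows the two points that are easy to get wrong: HSTS is emitted only when the request arrived over TLS, and the body cap is enforced both on the declared `Content-Length` and, through `http.MaxBytesReader`, while the handler reads a body of unknown length.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// SecurityConfig holds the values the story wants to be configurable.
// Field names are assumptions; the page does not specify config/default.yaml keys.
type SecurityConfig struct {
	FrameOptions          string
	ContentSecurityPolicy string
	HSTSMaxAge            int   // seconds; 0 disables Strict-Transport-Security
	MaxBodyBytes          int64 // request body cap in bytes
}

// DefaultSecurityConfig mirrors the defaults in the deliverables (DENY, 10MB);
// the CSP and HSTS values are assumed starting points.
func DefaultSecurityConfig() SecurityConfig {
	return SecurityConfig{
		FrameOptions:          "DENY",
		ContentSecurityPolicy: "default-src 'self'",
		HSTSMaxAge:            31536000,
		MaxBodyBytes:          10 << 20,
	}
}

// SecurityHeaders sets the headers before calling next, so they are present on
// every response, including errors written by inner middleware. HSTS is only
// sent over TLS: browsers ignore it on plain HTTP.
func SecurityHeaders(cfg SecurityConfig, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("X-Content-Type-Options", "nosniff")
		h.Set("X-Frame-Options", cfg.FrameOptions)
		h.Set("X-XSS-Protection", "1; mode=block")
		if cfg.ContentSecurityPolicy != "" {
			h.Set("Content-Security-Policy", cfg.ContentSecurityPolicy)
		}
		if r.TLS != nil && cfg.HSTSMaxAge > 0 {
			h.Set("Strict-Transport-Security",
				fmt.Sprintf("max-age=%d; includeSubDomains", cfg.HSTSMaxAge))
		}
		next.ServeHTTP(w, r)
	})
}

// MaxBodySize rejects a declared Content-Length over the limit and wraps every
// other body in http.MaxBytesReader, so a chunked or mis-declared body is cut
// off at the limit while being read rather than buffered in full.
func MaxBodySize(limit int64, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.ContentLength > limit {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		r.Body = http.MaxBytesReader(w, r.Body, limit)
		next.ServeHTTP(w, r)
	})
}

// echoHandler stands in for an application handler that reads the body and
// maps the MaxBytesReader error to 413 instead of a generic 400.
func echoHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "text/plain")
	w.Write(body)
}

// Run sends one constructed POST through the chain and returns the status code
// and response headers. overTLS marks the request as HTTPS; knownLength=false
// hides Content-Length so the MaxBytesReader path is exercised.
func Run(cfg SecurityConfig, body string, overTLS, knownLength bool) (int, http.Header) {
	chain := SecurityHeaders(cfg, MaxBodySize(cfg.MaxBodyBytes, http.HandlerFunc(echoHandler)))
	target := "http://api.example.test/echo" // constructed host
	if overTLS {
		target = "https://api.example.test/echo" // httptest sets req.TLS for https targets
	}
	req := httptest.NewRequest(http.MethodPost, target, strings.NewReader(body))
	if !knownLength {
		req.ContentLength = -1
	}
	rec := httptest.NewRecorder()
	chain.ServeHTTP(rec, req)
	return rec.Code, rec.Result().Header
}

func main() {
	cfg := DefaultSecurityConfig()
	status, h := Run(cfg, "hello", true, true)
	fmt.Println(status, h.Get("Strict-Transport-Security"))
	cfg.MaxBodyBytes = 4
	status, _ = Run(cfg, "hello", false, false)
	fmt.Println(status) // 413: body exceeds the 4-byte cap
}
```

Because `SecurityHeaders` writes to `w.Header()` before delegating, the 413 produced by `MaxBodySize` still carries the full header set, which is what the "Security headers are present" acceptance criterion should be checked against: every response, not only successful ones. Header size limits (deliverable 2) belong on `http.Server.MaxHeaderBytes` rather than in middleware, since headers are parsed before any handler runs.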