55 lines
1.5 KiB
Markdown
55 lines
1.5 KiB
Markdown
# Story 6.5: Security Hardening
|
|
|
|
## Metadata
|
|
- **Story ID**: 6.5
|
|
- **Title**: Security Hardening
|
|
- **Epic**: 6 - Observability & Production Readiness
|
|
- **Status**: Pending
|
|
- **Priority**: High
|
|
- **Estimated Time**: 5-6 hours
|
|
- **Dependencies**: 1.5
|
|
|
|
## Goal
|
|
Add comprehensive security hardening including security headers, input validation, and request size limits.
|
|
|
|
## Description
|
|
This story implements security best practices including security headers, input validation, request size limits, and SQL injection protection.
|
|
|
|
## Deliverables
|
|
|
|
### 1. Security Headers Middleware
|
|
- `X-Content-Type-Options: nosniff`
|
|
- `X-Frame-Options: DENY`
|
|
- `X-XSS-Protection: 1; mode=block`
|
|
- `Strict-Transport-Security` (if HTTPS)
|
|
- `Content-Security-Policy`
|
|
|
|
### 2. Request Size Limits
|
|
- Max body size (10MB default)
|
|
- Max header size
|
|
- Configurable limits
|
|
|
|
### 3. Input Validation
|
|
- Use `github.com/go-playground/validator`
|
|
- Validate all request bodies
|
|
- Sanitize user inputs
|
|
- Validation error responses
|
|
|
|
### 4. SQL Injection Protection
|
|
- Use parameterized queries (Ent already does this)
|
|
- Add linter rule to prevent raw SQL
|
|
- Security scanning
|
|
|
|
## Acceptance Criteria
|
|
- [ ] Security headers are present
|
|
- [ ] Request size limits are enforced
|
|
- [ ] Input validation works
|
|
- [ ] SQL injection protection is in place
|
|
- [ ] Security headers are configurable
|
|
|
|
## Files to Create/Modify
|
|
- `internal/server/middleware.go` - Security headers middleware
|
|
- `internal/server/validation.go` - Input validation
|
|
- `config/default.yaml` - Add security config
|
|
|