
Commit 01ad301

Copilothotlong
andcommitted
feat: add OWASP security headers, integration tests, and performance baselines
- Add secureHeaders middleware to api/index.ts (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy)
- Add Auth → Permissions → Data → Audit E2E integration test suite (9 tests)
- Add CRUD performance baseline test suite targeting P95 < 100ms (6 tests)
- Add @objectos/permissions as dev dependency for cross-plugin integration tests

Co-authored-by: hotlong <50353452+hotlong@users.noreply.github.com>
1 parent 4614ad5 commit 01ad301

6 files changed

Lines changed: 694 additions & 0 deletions


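--- a/api/index.ts
+++ b/api/index.ts
@@ -9,6 +9,7 @@
 */
 import { handle } from '@hono/node-server/vercel';
 import { cors } from 'hono/cors';
+import { secureHeaders } from 'hono/secure-headers';
 
 /* ------------------------------------------------------------------ */
 /* Bootstrap (runs once per cold-start) */
@@ -38,6 +39,28 @@ async function bootstrapKernel(): Promise<void> {
 }),
 );
 
+// OWASP-compliant security headers (A05:2021 – Security Misconfiguration)
+honoApp.use(
+'/api/v1/*',
+secureHeaders({
+contentSecurityPolicy: {
+defaultSrc: ["'self'"],
+scriptSrc: ["'self'"],
+styleSrc: ["'self'", "'unsafe-inline'"],
+imgSrc: ["'self'", 'data:', 'https:'],
+connectSrc: ["'self'"],
+fontSrc: ["'self'"],
+objectSrc: ["'none'"],
+frameAncestors: ["'none'"],
+},
+crossOriginEmbedderPolicy: false,
+crossOriginResourcePolicy: 'same-origin',
+referrerPolicy: 'strict-origin-when-cross-origin',
+xContentTypeOptions: 'nosniff',
+xFrameOptions: 'DENY',
+}),
+);
+
 // Health-check (always available)
 honoApp.get('/api/v1/health', (c) =>
 c.json({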
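Review bot: The commit message lists HSTS among the added headers, but the `secureHeaders` call in the second hunk sets no `strictTransportSecurity` option, so the Strict-Transport-Security value emitted depends entirely on the middleware's current default; pinning it, e.g. `strictTransportSecurity: 'max-age=31536000; includeSubDomains',`, records the intended policy and survives a library default change. The middleware is mounted on `'/api/v1/*'` only and Hono applies middleware in registration order, so any route served outside that prefix, or registered earlier in bootstrapKernel than this `use` call, would not receive these headers — worth confirming against the rest of bootstrapKernel, whose body extends beyond the hunk. If the prefix serves only JSON responses, the `'unsafe-inline'` allowance in `styleSrc` and the broad `'https:'` entry in `imgSrc` are not needed and the policy could be tightened, or a short comment could state why they are kept.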

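--- a/packages/audit/jest.config.cjs
+++ b/packages/audit/jest.config.cjs
@@ -4,6 +4,7 @@ module.exports = {
 extensionsToTreatAsEsm: ['.ts'],
 moduleNameMapper: {
 '^(\\.{1,2}/.*)\\.js$': '$1',
+'^@objectos/permissions$': '<rootDir>/../permissions/dist/index.cjs',
 },
 transform: {
 '^.+\\.ts$': [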
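Review bot: The new mapper resolves `@objectos/permissions` to `<rootDir>/../permissions/dist/index.cjs`, a build output, so the audit test run now depends on the permissions package having been built first; on an unbuilt checkout jest fails with a module-resolution error rather than a clear message. A comment above the entry, `// Integration tests import the built permissions package; build it before running jest.`, or a `pretest` script in the package that triggers that build, would make the prerequisite explicit. Because the mapping targets dist rather than source, edits to permissions sources are not seen by the audit suite until rebuilt — presumably acceptable for cross-plugin tests, but worth stating in the same comment.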

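--- a/packages/audit/package.json
+++ b/packages/audit/package.json
@@ -15,6 +15,7 @@
 "@objectstack/spec": "1.1.0"
 },
 "devDependencies": {
+"@objectos/permissions": "workspace:^",
 "@types/jest": "^30.0.0",
 "@types/node": "^25.2.0",
 "jest": "^30.2.0",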
