feat: enhance security configuration and SSE management with robust token validation and client tracking
- Refactored `.env.example` with comprehensive security and configuration parameters - Added new `security.config.ts` for centralized security configuration management - Improved middleware with enhanced authentication, request validation, and error handling - Updated SSE routes and manager with advanced client tracking, rate limiting, and connection management - Implemented more granular token validation with IP-based rate limiting and connection tracking - Added detailed error responses and improved logging for security-related events
67
.env.example
67
.env.example
@@ -36,26 +36,50 @@ RATE_LIMIT_REGULAR=100
|
||||
# Requests per minute per IP for WebSocket connections
|
||||
RATE_LIMIT_WEBSOCKET=1000
|
||||
|
||||
# Security
|
||||
# JWT secret for token generation (change this in production!)
|
||||
JWT_SECRET=your_jwt_secret_key
|
||||
|
||||
# CORS configuration (comma-separated list of allowed origins)
|
||||
CORS_ORIGINS=http://localhost:3000,http://localhost:8123
|
||||
|
||||
# Test Configuration
|
||||
# Only needed if running tests
|
||||
TEST_HASS_HOST=http://localhost:8123
|
||||
TEST_HASS_TOKEN=test_token
|
||||
TEST_HASS_SOCKET_URL=ws://localhost:8123/api/websocket
|
||||
TEST_PORT=3001
|
||||
|
||||
# Security Configuration
|
||||
JWT_SECRET=your-secret-key
|
||||
# JWT Configuration
|
||||
JWT_SECRET=your_jwt_secret_key_min_32_chars
|
||||
JWT_EXPIRY=86400000
|
||||
JWT_MAX_AGE=2592000000
|
||||
JWT_ALGORITHM=HS256
|
||||
|
||||
# Rate Limiting
|
||||
RATE_LIMIT_WINDOW_MS=900000 # 15 minutes
|
||||
RATE_LIMIT_MAX=100
|
||||
RATE_LIMIT_WINDOW=900000
|
||||
RATE_LIMIT_MAX_REQUESTS=100
|
||||
|
||||
# Token Security
|
||||
TOKEN_MIN_LENGTH=32
|
||||
MAX_FAILED_ATTEMPTS=5
|
||||
LOCKOUT_DURATION=900000
|
||||
|
||||
# CORS Configuration
|
||||
CORS_ORIGINS=http://localhost:3000,http://localhost:8123
|
||||
CORS_METHODS=GET,POST,PUT,DELETE,OPTIONS
|
||||
CORS_ALLOWED_HEADERS=Content-Type,Authorization,X-Requested-With
|
||||
CORS_EXPOSED_HEADERS=
|
||||
CORS_CREDENTIALS=true
|
||||
CORS_MAX_AGE=86400
|
||||
|
||||
# Content Security Policy
|
||||
CSP_ENABLED=true
|
||||
CSP_REPORT_ONLY=false
|
||||
CSP_REPORT_URI=
|
||||
|
||||
# SSL/TLS Configuration
|
||||
REQUIRE_HTTPS=true
|
||||
HSTS_MAX_AGE=31536000
|
||||
HSTS_INCLUDE_SUBDOMAINS=true
|
||||
HSTS_PRELOAD=true
|
||||
|
||||
# Cookie Security
|
||||
COOKIE_SECRET=your_cookie_secret_key_min_32_chars
|
||||
COOKIE_SECURE=true
|
||||
COOKIE_HTTP_ONLY=true
|
||||
COOKIE_SAME_SITE=Strict
|
||||
|
||||
# Request Limits
|
||||
MAX_REQUEST_SIZE=1048576
|
||||
MAX_REQUEST_FIELDS=1000
|
||||
|
||||
# SSE Configuration
|
||||
SSE_MAX_CLIENTS=1000
|
||||
@@ -70,4 +94,11 @@ LOG_COMPRESS=true
|
||||
LOG_REQUESTS=true
|
||||
|
||||
# Version
|
||||
VERSION=0.1.0
|
||||
VERSION=0.1.0
|
||||
|
||||
# Test Configuration
|
||||
# Only needed if running tests
|
||||
TEST_HASS_HOST=http://localhost:8123
|
||||
TEST_HASS_TOKEN=test_token
|
||||
TEST_HASS_SOCKET_URL=ws://localhost:8123/api/websocket
|
||||
TEST_PORT=3001
|
||||
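Review bot: `JWT_SECRET` appears to be assigned twice on the new side of the first hunk, `JWT_SECRET=your-secret-key` under `# Security Configuration` and `JWT_SECRET=your_jwt_secret_key_min_32_chars` under `# JWT Configuration`, and most dotenv loaders keep whichever comes last, so one of the two placeholders silently wins; keep a single assignment (the one stating the minimum length) and drop the `# Security Configuration` header with its value. The same hunk also introduces two parallel rate-limit spellings, `RATE_LIMIT_WINDOW_MS`/`RATE_LIMIT_MAX` and `RATE_LIMIT_WINDOW`/`RATE_LIMIT_MAX_REQUESTS`, with identical values; unless `security.config.ts` reads both, one pair is dead and will drift, so name in a comment which pair the loader reads and remove the other. The trailing `# 15 minutes` on `RATE_LIMIT_WINDOW_MS=900000` is only safe if the project's dotenv parser strips inline comments; otherwise the value becomes the string `900000 # 15 minutes` and fails numeric parsing, so move it to its own line. Which of the duplicated `# Test Configuration` blocks is old and which is new is not recoverable from this rendering, so I have not flagged it.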