docs: hpp,dbal,cpp (4 files)

2026-04-24 13:54:57 +00:00 · 2025-12-26 01:23:38 +00:00
parent 7196e98db0
commit 21710873c6
4 changed files with 45 additions and 1 deletions
--- a/dbal/cpp/src/entities/lua_script/create_lua_script.hpp
+++ b/dbal/cpp/src/entities/lua_script/create_lua_script.hpp
@@ -30,7 +30,6 @@ inline Result<LuaScript> create(InMemoryStore& store, const CreateLuaScriptInput
    if (input.created_by.empty()) {
        return Error::validationError("created_by is required");
    }
-
    for (const auto& entry : input.allowed_globals) {
        if (entry.empty()) {
            return Error::validationError("allowed_globals must contain non-empty strings");
--- a/dbal/cpp/src/security/hmac_signer.hpp
+++ b/dbal/cpp/src/security/hmac_signer.hpp
--- a/dbal/cpp/src/security/secure_headers.hpp
+++ b/dbal/cpp/src/security/secure_headers.hpp
@@ -0,0 +1,44 @@
+#pragma once
+/**
+ * @file secure_headers.hpp
+ * @brief Fort Knox security headers for HTTP responses
+ * @details Header-only implementation of security headers
+ */
+
+#include <string>
+#include <unordered_map>
+
+namespace dbal::security {
+
+/**
+ * Apply all security headers to an HTTP response
+ * @param headers Reference to response headers map
+ */
+inline void apply_security_headers(std::unordered_map<std::string, std::string>& headers) {
+    // Prevent MIME type sniffing
+    headers["X-Content-Type-Options"] = "nosniff";
+    
+    // Block clickjacking via iframes
+    headers["X-Frame-Options"] = "DENY";
+    
+    // Disable caching for sensitive responses
+    headers["Cache-Control"] = "no-store, no-cache, must-revalidate, private";
+    headers["Pragma"] = "no-cache";
+    
+    // Force HTTPS (HSTS)
+    headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains; preload";
+    
+    // Content Security Policy for API responses
+    headers["Content-Security-Policy"] = "default-src 'none'; frame-ancestors 'none'";
+    
+    // Referrer policy
+    headers["Referrer-Policy"] = "no-referrer";
+    
+    // Disable browser features
+    headers["Permissions-Policy"] = "geolocation=(), microphone=(), camera=(), payment=()";
+    
+    // XSS protection (legacy browsers)
+    headers["X-XSS-Protection"] = "1; mode=block";
+}
+
+} // namespace dbal::security
--- a/docs/permissions-levels.md
+++ b/docs/permissions-levels.md
@@ -20,6 +20,7 @@ Visit `/levels` to step through each tier. The page renders a grid of cards, hig

 - `GET /api/levels` echoes the permission catalog as JSON.
 - Add `?level=<key|id>` to narrow the response to a single tier when wiring helpers or automation into the UI.
+- Provide `?cap=<term>` (comma-separated) to return only levels whose capability descriptions mention the given keywords.

 ## Tooling