From 21710873c603bf9246182efae90e041e061af1fe Mon Sep 17 00:00:00 2001 From: JohnDoe6345789 Date: Fri, 26 Dec 2025 01:23:38 +0000 Subject: [PATCH] docs: hpp,dbal,cpp (4 files) --- .../entities/lua_script/create_lua_script.hpp | 1 - dbal/cpp/src/security/hmac_signer.hpp | 0 dbal/cpp/src/security/secure_headers.hpp | 44 +++++++++++++++++++ docs/permissions-levels.md | 1 + 4 files changed, 45 insertions(+), 1 deletion(-) create mode 100644 dbal/cpp/src/security/hmac_signer.hpp create mode 100644 dbal/cpp/src/security/secure_headers.hpp diff --git a/dbal/cpp/src/entities/lua_script/create_lua_script.hpp b/dbal/cpp/src/entities/lua_script/create_lua_script.hpp index 8273692b2..0e6970aa7 100644 --- a/dbal/cpp/src/entities/lua_script/create_lua_script.hpp +++ b/dbal/cpp/src/entities/lua_script/create_lua_script.hpp @@ -30,7 +30,6 @@ inline Result create(InMemoryStore& store, const CreateLuaScriptInput if (input.created_by.empty()) { return Error::validationError("created_by is required"); } - for (const auto& entry : input.allowed_globals) { if (entry.empty()) { return Error::validationError("allowed_globals must contain non-empty strings"); diff --git a/dbal/cpp/src/security/hmac_signer.hpp b/dbal/cpp/src/security/hmac_signer.hpp new file mode 100644 index 000000000..e69de29bb diff --git a/dbal/cpp/src/security/secure_headers.hpp b/dbal/cpp/src/security/secure_headers.hpp new file mode 100644 index 000000000..2d3c32c91 --- /dev/null +++ b/dbal/cpp/src/security/secure_headers.hpp @@ -0,0 +1,44 @@ +#pragma once +/** + * @file secure_headers.hpp + * @brief Fort Knox security headers for HTTP responses + * @details Header-only implementation of security headers + */ + +#include +#include + +namespace dbal::security { + +/** + * Apply all security headers to an HTTP response + * @param headers Reference to response headers map + */ +inline void apply_security_headers(std::unordered_map& headers) { + // Prevent MIME type sniffing + headers["X-Content-Type-Options"] = "nosniff"; + + // Block clickjacking via iframes + headers["X-Frame-Options"] = "DENY"; + + // Disable caching for sensitive responses + headers["Cache-Control"] = "no-store, no-cache, must-revalidate, private"; + headers["Pragma"] = "no-cache"; + + // Force HTTPS (HSTS) + headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains; preload"; + + // Content Security Policy for API responses + headers["Content-Security-Policy"] = "default-src 'none'; frame-ancestors 'none'"; + + // Referrer policy + headers["Referrer-Policy"] = "no-referrer"; + + // Disable browser features + headers["Permissions-Policy"] = "geolocation=(), microphone=(), camera=(), payment=()"; + + // XSS protection (legacy browsers) + headers["X-XSS-Protection"] = "1; mode=block"; +} + +} // namespace dbal::security diff --git a/docs/permissions-levels.md b/docs/permissions-levels.md index ae57852ae..7b8c63d8f 100644 --- a/docs/permissions-levels.md +++ b/docs/permissions-levels.md @@ -20,6 +20,7 @@ Visit `/levels` to step through each tier. The page renders a grid of cards, hig - `GET /api/levels` echoes the permission catalog as JSON. - Add `?level=` to narrow the response to a single tier when wiring helpers or automation into the UI. +- Provide `?cap=` (comma-separated) to return only levels whose capability descriptions mention the given keywords. ## Tooling