security: add real security headers middleware

mmcintosh · mmcintosh · commit e1a585d600cc · 2026-02-20T13:28:25.000-05:00
- Create security-headers.ts middleware replacing pass-through stub
- Set X-Content-Type-Options: nosniff (prevents MIME sniffing)
- Set X-Frame-Options: SAMEORIGIN (blocks external framing)
- Set Referrer-Policy: strict-origin-when-cross-origin
- Set Permissions-Policy: camera=(), microphone=(), geolocation=()
- Set HSTS (1 year) in non-development environments
- Apply middleware in app.ts security slot
- Replace stub export in middleware/index.ts

Fixes VULN-005
diff --git a/packages/core/src/app.ts b/packages/core/src/app.ts
@@ -31,6 +31,7 @@ import {
 import { getCoreVersion } from './utils/version'
 import { bootstrapMiddleware } from './middleware/bootstrap'
 import { metricsMiddleware } from './middleware/metrics'
+import { securityHeadersMiddleware } from './middleware/security-headers'
 import { createDatabaseToolsAdminRoutes } from './plugins/core-plugins/database-tools-plugin/admin-routes'
 import { createSeedDataAdminRoutes } from './plugins/core-plugins/seed-data-plugin/admin-routes'
 import { emailPlugin } from './plugins/core-plugins/email-plugin'
@@ -171,10 +172,7 @@ export function createSonicJSApp(config: SonicJSConfig = {}): SonicJSApp {
   })
 
   // Security middleware
-  app.use('*', async (_c, next) => {
-    // Security headers, CORS, etc.
-    await next()
-  })
+  app.use('*', securityHeadersMiddleware())
 
   // Custom middleware - after auth
   if (config.middleware?.afterAuth) {
diff --git a/packages/core/src/middleware/index.ts b/packages/core/src/middleware/index.ts
@@ -37,7 +37,7 @@ export const securityLoggingMiddleware: any = () => async (_c: any, next: any) =
 export const performanceLoggingMiddleware: any = () => async (_c: any, next: any) => await next()
 export const cacheHeaders: any = () => async (_c: any, next: any) => await next()
 export const compressionMiddleware: any = async (_c: any, next: any) => await next()
-export const securityHeaders: any = () => async (_c: any, next: any) => await next()
+export { securityHeadersMiddleware as securityHeaders } from './security-headers'
 
 // Other stubs
 export const PermissionManager: any = {}
diff --git a/packages/core/src/middleware/security-headers.ts b/packages/core/src/middleware/security-headers.ts
@@ -0,0 +1,23 @@
+import { Context, Next } from 'hono'
+
+/**
+ * Security headers middleware.
+ * Sets standard security headers on every response.
+ * Skips HSTS in development to avoid local dev issues.
+ */
+export const securityHeadersMiddleware = () => {
+  return async (c: Context, next: Next) => {
+    await next()
+
+    c.header('X-Content-Type-Options', 'nosniff')
+    c.header('X-Frame-Options', 'SAMEORIGIN')
+    c.header('Referrer-Policy', 'strict-origin-when-cross-origin')
+    c.header('Permissions-Policy', 'camera=(), microphone=(), geolocation=()')
+
+    // Only set HSTS in non-development environments
+    const environment = (c.env as any)?.ENVIRONMENT
+    if (environment !== 'development') {
+      c.header('Strict-Transport-Security', 'max-age=31536000; includeSubDomains')
+    }
+  }
+}
