Install: claude install-skill natuleadan/skills
# Security Patterns
## Architecture Overview
Security is applied at three layers:
```
1. Edge/Proxy Layer ← Rate limiting, CSP, security headers, IP deny
2. Application Layer ← Auth rate limit, session validation, input sanitization
3. Infrastructure Layer ← Auto-protection, firewall, DDoS mitigation
```
## Layer 1: Edge/Proxy
### Rate Limiting
Applied before requests reach application code.
- **Algorithm**: Fixed window (cheaper) or sliding window (stricter)
- **Identifier**: Client IP, read from `x-forwarded-for` and falling back to `x-real-ip`
- **Tiers**: Different limits per route group (auth, api, public)
```
Request → match route tier → ratelimit.limit(ip) → pass or 429
↓ (timeout → allow on failure)
Application handler
```
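The flow above as a small JavaScript module, added here as an example and not part of the skill's own code: route-tier matching, client IP from `x-forwarded-for` then `x-real-ip`, both counter algorithms, and fail-open when the limiter errors. The tier names, paths and limits are constructed for illustration, and the in-memory `Map` stores stand in for a shared limiter store.

```javascript
// Added example (not the skill's own code): tiered edge rate limiting with
// fixed- and sliding-window counters, client-IP extraction and fail-open.
// Tier names, paths and limits below are constructed for illustration.
const TIERS = {
  auth:   { pattern: /^\/api\/auth\//, limit: 5,   windowMs: 60_000 },
  api:    { pattern: /^\/api\//,       limit: 60,  windowMs: 60_000 },
  public: { pattern: /.*/,             limit: 300, windowMs: 60_000 },
};
// First matching tier wins, so the stricter `auth` tier is listed before `api`.
function matchTier(pathname) {
  for (const [name, tier] of Object.entries(TIERS)) {
    if (tier.pattern.test(pathname)) return { name, ...tier };
  }
}
// x-forwarded-for (first hop), then x-real-ip. Trust these only when the proxy
// in front of the app overwrites them; an unproxied client can set them freely.
function clientIp(headers) {
  const xff = headers['x-forwarded-for'];
  if (xff) return xff.split(',')[0].trim();
  return headers['x-real-ip'] || 'unknown';
}
// In-memory stores stand in for the shared store a real edge limiter would use.
const fixedCounts = new Map(), slidingLogs = new Map();
// Fixed window: one counter per (tier, ip, window start). Cheap, but a burst
// that straddles a window boundary can get through up to 2x `limit` requests.
function fixedWindowLimit(tier, ip, now) {
  const key = `${tier.name}:${ip}:${now - (now % tier.windowMs)}`;
  const count = (fixedCounts.get(key) || 0) + 1;
  fixedCounts.set(key, count);
  return count <= tier.limit;
}
// Sliding window log: keeps request timestamps (rejected ones included) and
// counts those inside the trailing window. Stricter, at one stored entry per hit.
function slidingWindowLimit(tier, ip, now) {
  const key = `${tier.name}:${ip}`;
  const recent = (slidingLogs.get(key) || []).filter(t => now - t < tier.windowMs);
  recent.push(now);
  slidingLogs.set(key, recent);
  return recent.length <= tier.limit;
}
// Edge check: 200 to pass, 429 to block. A limiter error (e.g. store timeout)
// fails open so an outage of the limiter does not take the site down with it.
function edgeRateLimit(pathname, headers, limiter = fixedWindowLimit, now = Date.now()) {
  const tier = matchTier(pathname);
  try {
    return limiter(tier, clientIp(headers), now) ? 200 : 429;
  } catch {
    return 200;
  }
}
```

Swap the `Map` stores for a shared store (e.g. Redis) before running this across more than one edge instance; per-instance counters let a client multiply the limit by the number of instances.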
### Content Security Policy (CSP)
Dynamic CSP built from environment variables:
| Directive | Purpose | Configurable via |
|-----------|---------|-----------------|
| `script-src` | Allowed JS sources | CSP_SCRIPT_SRC_DOMAINS |
| `style-src` | Allowed CSS sources | CSP_STYLE_SRC_DOMAINS |
| `img-src` | Allowed image sources | CSP_IMG_SRC_DOMAINS |
| `font-src` | Allowed font sources | CSP_FONT_SRC_DOMAINS |
| `connect-src` | Allowed API/WS connections | CSP_CONNECT_SRC_DOMAINS |
| `frame-src` | Allowed iframe sources | CSP_FRAME_SRC_DOMAINS |
### Security Headers
| Header | Value |
|--------|-------|
| `X-Content-Type-Options` | `nosniff` |
| `X-Frame-Options` | `SAMEORIGIN` |
| `X-XSS-Protection` | `1; m