@jjacque jjacque commented Jan 2, 2026

Summary

This PR significantly enhances the security posture of the application through comprehensive input validation, secure coding practices, container hardening, and improved test coverage.

Note: This PR is built on top of PR #140.

🔒 Security Enhancements

Input Validation & Sanitization

Token Validation

  • Added regex-based validation for Vault tokens (hv.sb and legacy formats)
  • Prevents injection attacks through malformed tokens
  • Validates token format before Vault API calls

Message Validation

  • Message length limits (1MB max)
  • Non-empty message requirement
  • Early validation before Vault operations

TTL Validation

  • Duration parsing with bounds checking (1 minute to 7 days)
  • Prevents invalid TTL values from reaching Vault

File Upload Security

  • Size limits enforced (50MB max)
  • Path traversal prevention (blocks .., /, \)
  • Filename sanitization via Content-Disposition parsing
  • MIME type validation

Middleware Improvements

Rate Limiting

  • Fine-tuned rate limiter configuration
  • Protection against DoS attacks (10 requests/second)

CORS Configuration

  • Properly configured CORS middleware
  • Restricts cross-origin access appropriately

Security Headers

  • Enhanced Secure middleware with:
    • Content Security Policy (CSP)
    • X-Frame-Options
    • X-Content-Type-Options
    • Strict-Transport-Security (HSTS)

Timeout Configuration

  • Request timeout: 30 seconds
  • Read timeout: 10 seconds
  • Write timeout: 10 seconds
  • Idle timeout: 120 seconds
  • Reduces Slowloris DoS attack surface

Container Security Hardening

Non-Root User

  • Application runs as user supersecret (UID 1001, GID 1001)
  • No privileged operations required

Minimal Attack Surface

  • Alpine-based image with minimal packages
  • Only essential tools installed: ca-certificates, tzdata, curl
  • Removed package cache after installation

File Permissions

  • Binary: 755 (executable)
  • Static files: 644 (read-only)
  • Proper ownership: supersecret:supersecret

OCI Image Labels

  • Complete metadata for security scanning
  • Version, build date, VCS revision tracking

Environment Variables

  • Secure defaults for all configurations
  • GODEBUG, GOGC, GOMAXPROCS tuning

Docker Compose Security

Security Options

  • no-new-privileges:true - Prevents privilege escalation
  • read_only:true - Read-only root filesystem
  • tmpfs - Writable temporary directories where needed

Resource Limits

  • Memory limits enforced
  • CPU limits configured
  • Prevents resource exhaustion attacks

Capability Dropping

  • All capabilities dropped by default
  • Minimal privilege principle

🏗️ Architecture Improvements

Graceful Shutdown

  • Proper signal handling (SIGTERM, SIGINT)
  • Graceful HTTP server shutdown with timeout
  • Clean resource cleanup

Refactored Server Structure

  • Separated middleware configuration
  • Dedicated route setup functions
  • Improved testability and maintainability

Error Handling

  • Internal errors not exposed to clients
  • Consistent error response format
  • Proper HTTP status codes

🧪 Test Coverage

New Test Files

  • internal/server_test.go: 217 new lines
    • Route tests
    • Middleware tests
    • Shutdown behavior
  • internal/config_test.go: 26 new lines
    • Configuration loading tests
  • internal/handlers_test.go: 248 new lines (expanded)
    • File upload validation tests
    • Input validation tests
    • Error condition handling
  • internal/vault_test.go: Enhanced
    • Storage error scenarios

Coverage Improvements

  • Comprehensive handler testing with real file uploads
  • Edge case testing for all validation functions
  • Error path coverage

📊 Code Changes

| File | Before | After | Change |
|------|--------|-------|--------|
| cmd/sup3rS3cretMes5age/main.go | 23 lines | 67 lines | +44 lines |
| internal/handlers.go | 88 lines | 193 lines | +105 lines |
| internal/server.go | 94 lines | 370 lines | +276 lines |
| internal/handlers_test.go | 87 lines | 335 lines | +248 lines |
| internal/server_test.go | 0 lines | 217 lines | +217 new |
| internal/config_test.go | 0 lines | 26 lines | +26 new |
| deploy/Dockerfile | 36 lines | 80 lines | +44 lines |
| deploy/docker-compose.yml | 18 lines | 73 lines | +55 lines |

Total Impact: +992 additions, -108 deletions across 13 files

🎯 Key Improvements

Before → After

Input Validation

  • ❌ No token format validation → ✅ Regex-based Vault token validation
  • ❌ No message size limits → ✅ 1MB message limit with early validation
  • ❌ No file path validation → ✅ Path traversal prevention
  • ❌ No TTL bounds checking → ✅ Duration validation (1min - 7days)

Container Security

  • ❌ Root user → ✅ Non-root user (UID 1001)
  • ❌ Full filesystem access → ✅ Read-only filesystem with tmpfs
  • ❌ All capabilities → ✅ Dropped capabilities
  • ❌ No resource limits → ✅ Memory and CPU limits

Error Handling

  • ❌ Internal errors exposed → ✅ Generic client errors
  • ❌ Inconsistent responses → ✅ Standardized error format

Testing

  • ❌ Limited test coverage → ✅ Comprehensive validation tests
  • ❌ No server tests → ✅ Full server lifecycle tests
  • ❌ No config tests → ✅ Configuration validation tests

🔍 Security Testing

All security enhancements have been tested:

  • ✅ Token validation blocks malformed tokens
  • ✅ File upload sanitization prevents path traversal
  • ✅ Message size limits enforced
  • ✅ TTL bounds respected
  • ✅ Container runs as non-root successfully
  • ✅ Read-only filesystem with working tmpfs
  • ✅ Graceful shutdown on SIGTERM/SIGINT
  • ✅ Rate limiting prevents abuse
  • ✅ Timeouts prevent slowloris attacks

🚀 Deployment Impact

  • Breaking Changes: None (backward compatible)
  • Configuration: No new environment variables required
  • Performance: Negligible overhead from validation (~µs per request)
  • Security: Significant hardening against common attack vectors

✅ Checklist

  • Input validation on all user-provided data
  • Container hardening (non-root, read-only, capabilities dropped)
  • Resource limits configured
  • Graceful shutdown implemented
  • Error handling improved
  • Test coverage expanded significantly
  • Security headers configured
  • Rate limiting and timeouts properly tuned
  • All tests passing
  • Documentation updated

jjacque and others added 25 commits January 2, 2026 00:57
Signed-off-by: Jeremy JACQUE <[email protected]>
Signed-off-by: Jeremy JACQUE <[email protected]>
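
The message, TTL and upload-filename checks listed in the description can be sketched with the Go standard library alone. This is an added example, not code from this PR or the project; every function and constant name is hypothetical, and "1MB" is read as 1 MiB.

```go
package main

import (
	"errors"
	"fmt"
	"mime"
	"strings"
	"time"
)

// Limits quoted in the PR description; every identifier here is hypothetical.
const (
	maxMessageBytes = 1 << 20            // "1MB max", read as 1 MiB (assumption)
	minTTL          = time.Minute        // lower TTL bound
	maxTTL          = 7 * 24 * time.Hour // upper TTL bound
)

var errInvalid = errors.New("invalid input") // generic error, no internals leaked
// validateMessage rejects empty and oversized messages before any Vault call.
func validateMessage(msg string) error {
	if len(msg) == 0 || len(msg) > maxMessageBytes {
		return errInvalid
	}
	return nil
}

// validateTTL parses a Go duration string and enforces the 1 minute to 7 day window.
func validateTTL(raw string) (time.Duration, error) {
	d, err := time.ParseDuration(raw)
	if err != nil || d < minTTL || d > maxTTL {
		return 0, errInvalid
	}
	return d, nil
}

// safeFilename reads filename from a Content-Disposition value and blocks "..", "/" and "\".
func safeFilename(disposition string) (string, error) {
	_, params, err := mime.ParseMediaType(disposition)
	name := params["filename"] // params is nil on error; a nil map lookup yields ""
	if err != nil || name == "" || strings.Contains(name, "..") || strings.ContainsAny(name, `/\`) {
		return "", errInvalid
	}
	return name, nil
}

func main() { // constructed sample inputs
	fmt.Println(validateTTL("169h"))
	fmt.Println(safeFilename(`form-data; name="file"; filename="../../etc/passwd"`))
}
```

`time.ParseDuration` has no day unit, so the 7-day ceiling is expressed to callers as `168h`.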