diff --git a/.env.example b/.env.example
index bdcba67..90a5158 100644
--- a/.env.example
+++ b/.env.example
@@ -14,6 +14,10 @@ MCP_TIMEOUT=180000
 LOG_LEVEL=info
 
 # CORS Configuration
+<<<<<<< HEAD
+# Specifies the allowed origin for CORS. Use '*' for all origins or a specific URL (e.g., https://example.com).
+=======
+>>>>>>> origin/main
 CORS_ALLOW_ORIGIN=*
 
 # Multiplexing SSE Transport Configuration
@@ -27,3 +31,18 @@ RATE_LIMIT_MAX_REQUESTS=100 # Maximum number of requests allowed per window per
 RATE_LIMIT_SSE_MAX=5 # Maximum number of SSE connections allowed per minute per IP
 RATE_LIMIT_MESSAGES_MAX=30 # Maximum number of messages allowed per minute per IP
 DEFAULT_USER_RATE_LIMIT=1000 # Default number of requests allowed per hour for a user
+
+# Security Headers Configuration
+# HSTS (HTTP Strict Transport Security) max-age in seconds. Default is 1 year (31536000).
+HSTS_MAX_AGE=31536000
+# Set to 'true' to only report Content Security Policy (CSP) violations without enforcing them.
+# In development, you might want to set this to 'true'.
+CSP_REPORT_ONLY=false
+# URL where CSP violation reports will be sent.
+CSP_REPORT_URI=https://your-domain.com/csp-report
+
+# Environment Configuration
+# Set to 'development' or 'production'.
+NODE_ENV=development
+# Set to 'true' to disable HSTS, useful for local development without HTTPS.
+DISABLE_HSTS=true
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..00e610b
--- /dev/null
+++ b/.github/dependabot.yml
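Review bot: The first hunk commits unresolved merge-conflict markers into `.env.example` — the added lines `<<<<<<< HEAD`, `=======` and `>>>>>>> origin/main` are literal file content now, so anyone who copies the example to `.env` (or any tool that parses it) sees three malformed keys right above `CORS_ALLOW_ORIGIN=*`. The resolution the HEAD side intends is to keep just the comment, so the hunk should add only `# Specifies the allowed origin for CORS. Use '*' for all origins or a specific URL (e.g., https://example.com).` and drop the three marker lines. While that comment is being written it would be worth adding that `*` should only be used when the endpoint is unauthenticated, since the section right below configures a browser-reachable SSE transport and a wildcard origin lets any page open it.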
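Review bot: The second hunk ships insecure defaults: `DISABLE_HSTS=true` together with `NODE_ENV=development` means an operator who copies this example into a production `.env` has HSTS switched off unless they notice both knobs, and `CSP_REPORT_URI=https://your-domain.com/csp-report` is not a reserved example domain, so an unchanged default would post CSP violation reports (which carry page and blocked-resource URLs) to whoever controls that name. Safer-by-default values would be `DISABLE_HSTS=false` and `NODE_ENV=production`, with the comment telling developers to flip them locally, and an RFC 2606 placeholder such as `CSP_REPORT_URI=https://csp.example.com/csp-report` or simply an empty `CSP_REPORT_URI=`. The comment on `CSP_REPORT_URI` should also say what happens when it is left empty, since whether the code that reads it omits the `report-uri` directive in that case is not visible in this change.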
@@ -0,0 +1,35 @@
+# .github/dependabot.yml
+version: 2
+updates:
+  # Enable version updates for npm
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+    open-pull-requests-limit: 10
+    reviewers:
+      - "JesusMaster"
+    assignees:
+      - "JesusMaster"
+    labels:
+      - "dependencies"
+      - "security"
+    commit-message:
+      prefix: "chore"
+      prefix-development: "chore"
+      include: "scope"
+
+  # Security updates (daily check)
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 5
+    labels:
+      - "security"
+      - "critical"
+    commit-message:
+      prefix: "security"
+      include: "scope"
diff --git a/package.json b/package.json
index d53862a..434de6d 100644
--- a/package.json
+++ b/package.json
@@ -44,6 +44,8 @@
     "dompurify": "^3.2.6",
     "dotenv": "^16.5.0",
     "express": "^5.1.0",
+    "express-rate-limit": "^8.1.0",
+    "helmet": "^8.1.0",
     "http-terminator": "^3.2.0",
     "jsdom": "^26.1.0",
     "raw-body": "^3.0.0",
@@ -53,12 +55,12 @@
     "@types/cors": "^2.8.19",
     "@types/dompurify": "^3.0.5",
     "@types/express": "^5.0.1",
+    "@types/helmet": "^0.0.48",
     "@types/express-rate-limit": "^5.1.3",
     "@types/jest": "^30.0.0",
     "@types/jsdom": "^21.1.7",
     "@types/node": "^22.14.1",
     "eventsource": "^4.0.0",
-    "express-rate-limit": "^8.1.0",
     "jest": "^30.0.5",
     "node-fetch": "^3.3.2",
     "supertest": "^7.1.4",
diff --git a/src/server.ts b/src/server.ts
index 64777ba..fe7439f 100644
--- a/src/server.ts
+++ b/src/server.ts
@@ -56,7 +56,6 @@ const messageLimiter = rateLimit({
 const createUserLimiter = () => rateLimit({
   windowMs: 60 * 60 * 1000, // 1 hora
   max: (req: Request) => {
-    // @ts-ignore
     return req.user?.rateLimits?.requestsPerHour ?? config.defaultUserRateLimit;
   },
   message: 'User rate limit exceeded'
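Review bot: Both `updates` entries in the new dependabot.yml use `package-ecosystem: "npm"` with `directory: "/"`, and as far as I know Dependabot rejects a configuration with duplicate ecosystem/directory entries unless they differ in `target-branch`, so this file is likely to fail validation and produce no update PRs at all. The second entry also does not do what its `security`/`critical` labels suggest: a scheduled entry opens ordinary version-update PRs whatever its labels, while Dependabot security updates are switched on in the repository's security settings rather than through a schedule here. Dropping the second entry (or giving it a distinct `target-branch`) and enabling security updates in the repo settings would give the intended behaviour; a `groups:` section on the weekly entry would also stop the run from opening up to ten separate PRs.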
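Review bot: The added `"@types/helmet": "^0.0.48"` in devDependencies is, as far as I recall, a deprecated stub package — helmet 4+ ships its own declarations — and the adjacent context line `"@types/express-rate-limit": "^5.1.3"` is the same kind of stub whose v5 option names no longer match the `express-rate-limit ^8.1.0` now listed in dependencies; removing both lets the bundled types apply and would surface any option renames at compile time instead of at runtime. Moving `express-rate-limit` from devDependencies to dependencies is correct, since `src/server.ts` calls `rateLimit()` on the request path. The new `@types/helmet` line is also inserted out of the alphabetical order the rest of the block follows (it belongs after `@types/express-rate-limit`).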
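Review bot: The `max:` option that the hunk edits in `createUserLimiter` is, as far as I recall, the deprecated alias in express-rate-limit 7 and later (this change pins `^8.1.0`); the current name is `limit`, so `limit: (req: Request) => {` avoids the runtime deprecation warning and matches the library's current docs. Dropping `// @ts-ignore` only works if the new `src/types/express.d.ts` global augmentation is picked up by the tsconfig `include` globs, which are not visible in this change. The comment `// 1 hora` is the only non-English comment in view; `// 1 hour` would match the English identifiers around it. The options object of `createUserLimiter` continues past the end of the hunk.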
@@ -87,8 +86,8 @@ const criticalOperationsLimiter = rateLimit({
 });
 
 const rateLimitMonitor = (req: Request, res: Response, next: NextFunction) => {
-  const remaining = req.rateLimit?.remaining || 0;
-  const total = req.rateLimit?.limit || 0;
+  const remaining = req.rateLimit?.remaining ?? 0;
+  const total = req.rateLimit?.limit ?? 0;
 
   if (remaining > 0 && remaining < total * 0.1) {
     logger.warn(`Rate limit warning for ${req.ip} on ${req.method} ${req.url}: ${remaining}/${total} remaining`);
diff --git a/src/types/express.d.ts b/src/types/express.d.ts
new file mode 100644
index 0000000..74d67cd
--- /dev/null
+++ b/src/types/express.d.ts
@@ -0,0 +1,15 @@
+declare namespace Express {
+  export interface Request {
+    rateLimit?: {
+      limit: number;
+      current: number;
+      remaining: number;
+      resetTime?: Date;
+    };
+    user?: {
+      rateLimits?: {
+        requestsPerHour?: number;
+      };
+    };
+  }
+}
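Review bot: The `??` change on the two `const` lines is fine, but the guard `remaining > 0` on the `if` right after still skips the case most worth recording — the request on which a client's budget reaches zero — so `rateLimitMonitor` logs the approach to a limit but never the moment it is crossed; unless the limiter's `handler` (not shown) logs that itself, an extra branch such as `if (total > 0 && remaining <= 0) logger.warn(\`Rate limit exhausted for ${req.ip} on ${req.method} ${req.url}\`);` closes the gap. When no `rateLimit()` middleware ran before this one, `req.rateLimit` is undefined, both values become 0 and the warning is silently disabled, which is reasonable but deserves a comment above the first `const`: `// req.rateLimit is only set by a preceding rateLimit() middleware; total === 0 means none ran`. The body of `rateLimitMonitor` continues past the end of the hunk.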
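Review bot: The `rateLimit?` member declared on `Express.Request` in the new `express.d.ts` hand-copies the shape of express-rate-limit's info object (`limit`, `current`, `remaining`, `resetTime`) instead of reusing the library's exported `RateLimitInfo`, so it will drift from the `^8.1.0` API this change pins — as far as I recall that version reports `used` and only keeps `current` as a deprecated alias, and if the library also augments `Request` itself a mismatched redeclaration produces a "subsequent property declarations must have the same type" error. Importing the type keeps the two in sync; note that an import turns the file into a module, so the augmentation then has to be wrapped in `declare global`. The file also has no header comment; a short one saying it exists to type the `req.rateLimit` and `req.user.rateLimits` reads in `src/server.ts` would help, and whether anything actually populates `req.user` is not visible in this change.

```typescript
import type { RateLimitInfo } from 'express-rate-limit';

// Global augmentation of Express.Request for the properties the rate limiters
// in src/server.ts read (`req.rateLimit`, `req.user?.rateLimits`). The import
// above makes this file a module, so the augmentation must sit in `declare global`.
declare global {
  namespace Express {
    interface Request {
      rateLimit?: RateLimitInfo;
      // … unchanged: user?: { rateLimits?: { requestsPerHour?: number } } …
    }
  }
}
```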