🔒 feat(security): Implement comprehensive HTTP security headers - Issue #54

.env.example

@@ -14,6 +14,10 @@ MCP_TIMEOUT=180000
 LOG_LEVEL=info
 
 # CORS Configuration
+<<<<<<< HEAD
+# Specifies the allowed origin for CORS. Use '*' for all origins or a specific URL (e.g., https://example.com).
+=======
+>>>>>>> origin/main
 CORS_ALLOW_ORIGIN=*
 
 # Multiplexing SSE Transport Configuration
@@ -27,3 +31,18 @@ RATE_LIMIT_MAX_REQUESTS=100 # Maximum number of requests allowed per window per
 RATE_LIMIT_SSE_MAX=5 # Maximum number of SSE connections allowed per minute per IP
 RATE_LIMIT_MESSAGES_MAX=30 # Maximum number of messages allowed per minute per IP
 DEFAULT_USER_RATE_LIMIT=1000 # Default number of requests allowed per hour for a user
+
+# Security Headers Configuration
+# HSTS (HTTP Strict Transport Security) max-age in seconds. Default is 1 year (31536000).
+HSTS_MAX_AGE=31536000
+# Set to 'true' to only report Content Security Policy (CSP) violations without enforcing them.
+# In development, you might want to set this to 'true'.
+CSP_REPORT_ONLY=false
+# URL where CSP violation reports will be sent.
+CSP_REPORT_URI=https://your-domain.com/csp-report
+
+# Environment Configuration
+# Set to 'development' or 'production'.
+NODE_ENV=development
+# Set to 'true' to disable HSTS, useful for local development without HTTPS.
+DISABLE_HSTS=true

.github/dependabot.yml

@@ -0,0 +1,35 @@
+# .github/dependabot.yml
+version: 2
+updates:
+  # Enable version updates for npm
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+    open-pull-requests-limit: 10
+    reviewers:
+      - "JesusMaster"
+    assignees:
+      - "JesusMaster"
+    labels:
+      - "dependencies"
+      - "security"
+    commit-message:
+      prefix: "chore"
+      prefix-development: "chore"
+      include: "scope"
+
+  # Security updates (daily check)
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 5
+    labels:
+      - "security"
+      - "critical"
+    commit-message:
+      prefix: "security"
+      include: "scope"

package.json

@@ -44,6 +44,8 @@
     "dompurify": "^3.2.6",
     "dotenv": "^16.5.0",
     "express": "^5.1.0",
+    "express-rate-limit": "^8.1.0",
+    "helmet": "^8.1.0",
     "http-terminator": "^3.2.0",
     "jsdom": "^26.1.0",
     "raw-body": "^3.0.0",
@@ -53,12 +55,12 @@
     "@types/cors": "^2.8.19",
     "@types/dompurify": "^3.0.5",
     "@types/express": "^5.0.1",
+    "@types/helmet": "^0.0.48",
     "@types/express-rate-limit": "^5.1.3",
     "@types/jest": "^30.0.0",
     "@types/jsdom": "^21.1.7",
     "@types/node": "^22.14.1",
     "eventsource": "^4.0.0",
-    "express-rate-limit": "^8.1.0",
     "jest": "^30.0.5",
     "node-fetch": "^3.3.2",
     "supertest": "^7.1.4",

src/server.ts

@@ -56,7 +56,6 @@ const messageLimiter = rateLimit({
 const createUserLimiter = () => rateLimit({
     windowMs: 60 * 60 * 1000, // 1 hora
     max: (req: Request) => {
-        // @ts-ignore
         return req.user?.rateLimits?.requestsPerHour ?? config.defaultUserRateLimit;
     },
     message: 'User rate limit exceeded'
@@ -87,8 +86,8 @@ const criticalOperationsLimiter = rateLimit({
 });
 
 const rateLimitMonitor = (req: Request, res: Response, next: NextFunction) => {
-    const remaining = req.rateLimit?.remaining || 0;
-    const total = req.rateLimit?.limit || 0;
+    const remaining = req.rateLimit?.remaining ?? 0;
+    const total = req.rateLimit?.limit ?? 0;
 
     if (remaining > 0 && remaining < total * 0.1) {
         logger.warn(`Rate limit warning for ${req.ip} on ${req.method} ${req.url}: ${remaining}/${total} remaining`);

src/types/express.d.ts

@@ -0,0 +1,15 @@
+declare namespace Express {
+  export interface Request {
+    rateLimit?: {
+      limit: number;
+      current: number;
+      remaining: number;
+      resetTime?: Date;
+    };
+    user?: {
+      rateLimits?: {
+        requestsPerHour?: number;
+      };
+    };
+  }
+}