Merge pull request #27 from hexawulf/codex/perform-security-hardening-and-cleanup

Cleanup and hardening

Author: hexawulf

.gitignore

@@ -84,3 +84,4 @@ Thumbs.db
 replit.nixtarget/
 *.jar
 *.class
+attached_assets/

README.md

@@ -119,6 +119,10 @@ app.encryption.default-strength=4096
 app.encryption.max-expiry-days=3650
 ```
 
+Copy `src/main/resources/application-example.properties` to
+`src/main/resources/application.properties` and adjust values for
+your environment. **Do not** commit secrets to version control.
+
 ---
 
 ## 📖 Usage
@@ -188,6 +192,8 @@ keyjolt/
 - Configure proper firewall rules
 - Set up monitoring and alerting
 - Regular security updates
+- Restrict access to `/actuator` endpoints or disable them
+- Set `SPRING_PROFILES_ACTIVE=production` for production builds
 
 ### **Key Safety**
 - Private keys are generated server-side and immediately deleted

attached_assets/Pasted-1-User-Experience-Accessibility-Form-Validation-Feedback-When-users-enter-invalid-data-e-g--1750206002629_1750206002630.txt

@@ -71,12 +71,6 @@
             <version>7.6.0</version>
         </dependency>
 
-        <!-- Commons IO -->
-        <dependency>
-            <groupId>commons-io</groupId>
-            <artifactId>commons-io</artifactId>
-            <version>2.11.0</version>
-        </dependency>
 
         <!-- Test Dependencies -->
         <dependency>

attached_assets/Pasted-Replit-Prompt-for-KeyJolt-Web-App-Project-Name-KeyJolt-PGP-Key-Generator-Description-Build-a-Jav-1750206032550_1750206032550.txt

@@ -1,48 +1,108 @@
-@Bean
-public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-    http
-        // Add security headers
-        .headers(headers -> headers
-            .contentSecurityPolicy(csp -> csp
-                .policyDirectives("default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self'"))
-            .referrerPolicy(referrer -> referrer
-                .policy(org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy.NO_REFERRER))
-            .xssProtection(xss -> xss
-                .block(true))
-            .frameOptions(frame -> frame
-                .deny())
-        )
-
-        // Enable CORS with custom configuration
-        .cors(Customizer.withDefaults())
-
-        // Disable CSRF (Cross-Site Request Forgery) protection.
-        .csrf(csrf -> csrf.disable())
-
-        // Configure authorization rules for HTTP requests.
-        .authorizeHttpRequests(authorize -> authorize
-            .requestMatchers(
-                "/", "/generate", "/api/generate", "/index",
-                "/css/**", "/js/**", "/images/**",
-                "/favicon.ico", "/favicon-16x16.png", "/favicon-32x32.png",
-                "/apple-touch-icon.png", "/android-chrome-*.png",
-                "/site.webmanifest", "/robots.txt",
-                "/download/**"
-            ).permitAll()
-            .requestMatchers(
-                "/wp-admin/**", "/wordpress/**", "/wp-login.php"
-            ).denyAll()
-            .anyRequest().authenticated()
-        )
-
-        // Disable form-based login and HTTP Basic authentication
-        .formLogin(formLogin -> formLogin.disable())
-        .httpBasic(httpBasic -> httpBasic.disable())
-
-        // Configure session management to be stateless.
-        .sessionManagement(session -> session
-            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
-        );
-
-    return http.build();
+package com.keyjolt.config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+
+import java.util.List;
+
+@Configuration // Indicates that this class contains Spring configuration
+@EnableWebSecurity // Enables Spring Security's web security support
+public class SecurityConfig {
+
+    // Bean for password encoding.
+    @Bean
+    public PasswordEncoder passwordEncoder() {
+        return new BCryptPasswordEncoder();
+    }
+
+    // Bean for configuring the security filter chain.
+    @Bean
+    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+        http
+            // Enable CORS with custom configuration
+            .cors(Customizer.withDefaults())
+
+            // Disable CSRF (Cross-Site Request Forgery) protection.
+            .csrf(csrf -> csrf.disable())
+
+            // Configure authorization rules for HTTP requests.
+            .authorizeHttpRequests(authorize -> authorize
+                .requestMatchers(
+                    "/", "/generate", "/api/generate", "/index",
+                    "/css/**", "/js/**", "/images/**",
+                    "/favicon.ico", "/favicon-16x16.png", "/favicon-32x32.png",
+                    "/apple-touch-icon.png", "/android-chrome-*.png",
+                    "/site.webmanifest", "/robots.txt",
+                    "/download/**"
+                ).permitAll()
+                .requestMatchers(
+                    "/wp-admin/**", "/wordpress/**", "/wp-login.php"
+                ).denyAll()
+                .anyRequest().authenticated()
+            )
+
+            // Disable form-based login and HTTP Basic authentication
+            .formLogin(formLogin -> formLogin.disable())
+            .httpBasic(httpBasic -> httpBasic.disable())
+
+            // Configure session management to be stateless.
+            .sessionManagement(session -> session
+                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
+            )
+
+            // Add hardened security headers
+            .headers(headers -> headers
+                .httpStrictTransportSecurity(hsts -> hsts
+                    .includeSubDomains(true)
+                    .maxAgeInSeconds(31536000))
+                .contentSecurityPolicy(csp -> csp
+                    .policyDirectives("default-src 'self'; script-src 'self' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'"))
+                .referrerPolicy(referrer -> referrer
+                    .policy(ReferrerPolicyHeaderWriter.ReferrerPolicy.NO_REFERRER))
+                .xssProtection(Customizer.withDefaults())
+            );
+
+        return http.build();
+    }
+
+    // Bean for an in-memory UserDetailsService.
+    @Bean
+    public UserDetailsService userDetailsService() {
+        UserDetails adminUser = User.builder()
+            .username("admin")
+            .password(passwordEncoder().encode("admin123")) // Password must be encoded
+            .roles("ADMIN") // Roles are automatically prefixed with "ROLE_"
+            .build();
+
+        return new InMemoryUserDetailsManager(adminUser);
+    }
+
+    // Bean for CORS configuration
+    @Bean
+    public CorsConfigurationSource corsConfigurationSource() {
+        CorsConfiguration config = new CorsConfiguration();
+        config.setAllowedOrigins(List.of("https://keyjolt.dev", "https://keyjolt.piapps.dev"));
+        config.setAllowedMethods(List.of("GET", "POST"));
+        config.setAllowedHeaders(List.of("*"));
+        config.setAllowCredentials(true);
+
+        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+        source.registerCorsConfiguration("/**", config);
+        return source;
+    }
 }

pom.xml

@@ -1,6 +1,5 @@
 package com.keyjolt.util;
 
-import org.apache.commons.io.IOUtils;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Component;
 import org.slf4j.Logger;