/**
 * Security Configuration
 *
 * Centralized security settings for the application.
 * This ensures consistent security parameters across all modules.
 */
 
/**
 * Password hashing and complexity parameters.
 *
 * This object only declares the values; the hashing, length and complexity
 * checks are presumably performed by the modules that import it — verify
 * against the callers, since nothing in this file enforces them.
 */
export const PASSWORD_CONFIG = {
  /**
   * Bcrypt cost factor (salt rounds)
   * Higher values = more secure but slower
   * Recommended: 12 for production (OWASP recommendation)
   * Note: Each increment doubles the computation time
   */
  BCRYPT_ROUNDS: 12,

  /**
   * Minimum password length
   */
  MIN_LENGTH: 8,

  /**
   * Maximum password length (to prevent DoS via long passwords)
   * NOTE(review): common bcrypt implementations only use the first 72 bytes
   * of the input, so characters beyond that point would not change the hash
   * even though they pass this limit — confirm against the hashing library
   * in use before relying on the full 128 characters.
   */
  MAX_LENGTH: 128,

  /**
   * Password complexity requirements
   * Uppercase, lowercase and a digit are required; a special character is
   * deliberately optional.
   */
  REQUIRE_UPPERCASE: true,
  REQUIRE_LOWERCASE: true,
  REQUIRE_NUMBER: true,
  REQUIRE_SPECIAL: false, // Optional - can be enabled for higher security
} as const;
 
/**
 * Session lifetime parameters.
 *
 * Values here are in seconds; TOKEN_CONFIG in this file uses milliseconds —
 * keep the units straight when consuming both.
 */
export const SESSION_CONFIG = {
  /**
   * Session timeout in seconds (default: 24 hours)
   */
  MAX_AGE: 24 * 60 * 60,

  /**
   * Update age - how often to update the session in seconds (default: 1 hour)
   * This helps with session rotation
   */
  UPDATE_AGE: 60 * 60,

  /**
   * Whether to use secure cookies (should be true in production)
   * Evaluated once at module load: true only when NODE_ENV is exactly
   * "production". In any other environment (staging, test, unset) this is
   * false, so — assuming it feeds the cookie's Secure attribute — browsers
   * will also send the session cookie over plain HTTP. Production-like
   * deployments therefore need NODE_ENV=production set before startup.
   */
  SECURE_COOKIES: process.env.NODE_ENV === "production"} as const;
 
/**
 * Token lifetime and size parameters.
 *
 * Expiry values are in milliseconds (SESSION_CONFIG uses seconds). The
 * tokens themselves are generated elsewhere; this file only fixes the numbers.
 */
export const TOKEN_CONFIG = {
  /**
   * Password reset token expiry in milliseconds (1 hour)
   */
  PASSWORD_RESET_EXPIRY_MS: 60 * 60 * 1000,

  /**
   * Email verification token expiry in milliseconds (24 hours)
   */
  EMAIL_VERIFICATION_EXPIRY_MS: 24 * 60 * 60 * 1000,

  /**
   * CSRF token expiry in milliseconds (1 hour)
   */
  CSRF_TOKEN_EXPIRY_MS: 60 * 60 * 1000,

  /**
   * Token byte length (32 bytes = 256 bits of entropy)
   * The entropy claim only holds if the consumer draws the bytes from a
   * cryptographically secure generator (e.g. crypto.randomBytes) — confirm at
   * the call site, since generation is not visible here.
   */
  TOKEN_BYTES: 32} as const;
 
/**
 * HTTP security header parameters.
 *
 * CSP entries are per-directive source lists (SCRIPT_SRC presumably maps to
 * script-src, and so on); the code that serializes them into the header is
 * not in this file, so check there that every key is actually emitted.
 */
export const HEADERS_CONFIG = {
  /**
   * Content Security Policy settings
   * NOTE(review): SCRIPT_SRC allows 'unsafe-inline' and 'unsafe-eval', which
   * lets inline and eval'd script run from any injection point and largely
   * removes the XSS mitigation a CSP is meant to provide; nonces or hashes are
   * the usual replacement once the inline scripts are identified. STYLE_SRC
   * also allows 'unsafe-inline', and IMG_SRC's "https:" admits any HTTPS
   * origin. Stripe is the only extra connect/frame origin.
   */
  CSP: {
    DEFAULT_SRC: ["'self'"],
    SCRIPT_SRC: ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
    STYLE_SRC: ["'self'", "'unsafe-inline'"],
    IMG_SRC: ["'self'", "data:", "blob:", "https:"],
    CONNECT_SRC: ["'self'", "https://api.stripe.com"],
    FRAME_SRC: ["'self'", "https://js.stripe.com"]},

  /**
   * HSTS max age in seconds (1 year)
   * Only the max-age value is configured here; whether includeSubDomains or
   * preload are added is decided by the header-building code, not this file.
   */
  HSTS_MAX_AGE: 31536000} as const;
 
/**
 * Aggregate of the four config objects above, for consumers that prefer a
 * single default import. The named exports remain the canonical source; this
 * wrapper holds the same references and is not itself `as const`, so its own
 * property bindings are mutable (the nested objects stay readonly-typed).
 */
const securityConfig = {
  PASSWORD_CONFIG,
  SESSION_CONFIG,
  TOKEN_CONFIG,
  HEADERS_CONFIG};

export default securityConfig;