@chrono-os/security-hardening
v0.1.0
Hardening defaults for Fastify apps in the Chrono ecosystem: Helmet + strict CSP + mobile-ready CORS + rate limiting + secure cookies + HMAC helpers with timingSafeEqual. Defense in depth, LGPD-compliant, mobile-ready (Capacitor/Ionic/Expo)
Readme
@chrono-os/security-hardening
Secure defaults for Fastify apps in the Chrono ecosystem. Defense in depth, LGPD-compliant, mobile-ready (Capacitor/Ionic/Expo).
Status
🆕 0.1.0 (2026-05-26): pre-release. Waiting for NPM_TOKEN in the GitHub repo.
What it provides
- `buildHelmetConfig(opts)`: Helmet with HSTS preload + X-Frame-Options DENY + nosniff + strict Referrer-Policy + restrictive Permissions-Policy
- `buildCspConfig(opts)`: strict Content-Security-Policy (`default-src 'self'`, no `unsafe-inline` for scripts)
- `buildCorsConfig(opts)`: mobile-ready CORS (Capacitor/Ionic/Expo) + web origins + credentials
- `buildRateLimitConfig(opts)`: rate limit of 100/min anonymous and 200/min authenticated, with per-endpoint tiers
- `buildSecureCookieAttrs(env)`: secure cookie attributes (`__Host-` + HttpOnly + Secure in prod + SameSite=Lax)
- `hmacSign/Verify` + `hmacSignToken/VerifyToken`: HMAC-SHA256 with constant-time comparison
- Constants: `MOBILE_CORS_ORIGINS`, `EXPO_DEV_ORIGINS`, `BODY_LIMITS`, `RATE_LIMITS`
Install
```sh
yarn add @chrono-os/security-hardening @fastify/helmet @fastify/cors @fastify/rate-limit
```
Usage
```ts
import Fastify from 'fastify'
import fastifyHelmet from '@fastify/helmet'
import fastifyCors from '@fastify/cors'
import fastifyRateLimit from '@fastify/rate-limit'
import {
  buildHelmetConfig,
  buildCspConfig,
  buildCorsConfig,
  buildRateLimitConfig,
  SENSITIVE_RATE_LIMIT,
} from '@chrono-os/security-hardening/fastify'

const env = process.env.NODE_ENV as 'production' | 'development'

const app = Fastify({
  logger: true,
  bodyLimit: 10 * 1024 * 1024, // 10MB
})

await app.register(fastifyHelmet, {
  ...buildHelmetConfig({ env }),
  contentSecurityPolicy: buildCspConfig({
    env,
    apiUrl: 'https://api.meusite.com.br',
    additionalConnectSrc: ['https://api.mercadopago.com'],
    additionalFormAction: ['https://www.mercadopago.com'],
  }),
})

await app.register(fastifyCors, buildCorsConfig({
  env,
  webOrigins: ['https://meusite.com.br'],
  enableMobile: true, // Capacitor/Ionic schemes
}))

await app.register(fastifyRateLimit, buildRateLimitConfig({}))

// Override for a sensitive endpoint
app.post('/auth/sign-in', {
  config: { rateLimit: SENSITIVE_RATE_LIMIT },
}, async (req, reply) => { /* ... */ })
```
Bootstrap mode
Without @fastify/helmet, @fastify/cors and @fastify/rate-limit installed (they are optional peer dependencies), the package still exports the generic helpers (HMAC, cookies, constants). The build*Config functions return plain objects that you pass straight to the plugins once you install them.
API
Generic (`@chrono-os/security-hardening`)
- `hmacSign(payload, secret)` → hex string
- `hmacVerify(payload, signature, secret)` → boolean (constant-time)
- `hmacSignToken(payload, secret)` → compact token `<payload>.<sig>` in base64url
- `hmacVerifyToken(token, secret)` → `{ ok: true, payload } | { ok: false, reason }`
- `buildSecureCookieAttrs({ env, sameSite?, maxAge? })`
- `prefixCookieName(name, env)` → `__Host-${name}` in prod
- `MOBILE_CORS_ORIGINS`, `EXPO_DEV_ORIGINS`, `BODY_LIMITS`, `RATE_LIMITS`
Fastify (`@chrono-os/security-hardening/fastify`)
- `buildHelmetConfig({ env, frameAncestors?, permissionsPolicy? })`
- `buildPermissionsPolicyHeader(opts?)`
- `buildCspConfig({ env, apiUrl?, additionalConnectSrc?, nonces?, additionalScriptSrc?, additionalFormAction?, additionalImgSrc? })`
- `buildCorsConfig({ env, webOrigins, enableMobile?, additionalOrigins?, credentials?, exposedHeaders? })`
- `buildRateLimitConfig({ max?, timeWindow?, keyGenerator?, skipOnError?, redis? })`
- `SENSITIVE_RATE_LIMIT`, `FORM_SUBMIT_RATE_LIMIT`, `AUTHENTICATED_RATE_LIMIT`
Mobile-ready
CORS accepts the schemes used by mobile apps: capacitor://localhost, ionic://localhost, http://localhost (Capacitor on Android), expo://* (Expo).
Rate limiting is keyed by bearer token (not only by IP): mobile apps share an IP between users (carrier NAT).
LGPD
- Secure cookies (`__Host-` + HttpOnly + Secure in prod) protect the session token from XSS
- Strict CSP reduces the XSS attack surface that could be used to steal personal data
- Complementary package: `@chrono-os/observability` (Pino redaction)
- Complementary package: `@chrono-os/admin-audit` (audit log of mutations)
Versioning
SemVer. Releases are cut from v* tags in SugarHoneyIceTea/security-hardening. See CHANGELOG.md.
Security
Policy in SECURITY.md. Report vulnerabilities by e-mail.
