# Security Guidelines

## Security Features Implemented

### 🛡️ **Application Security**

- **Helmet.js**: Security headers (CSP, XSS protection, etc.)
- **Rate Limiting**: API endpoints protected against abuse
- **Input Validation**: Express-validator for all user inputs
- **File Validation**: STL format validation and content checks (files are checked by content, not only by extension)
- **Filename Sanitization**: Prevents path traversal attacks
- **Error Handling**: No sensitive information (stack traces, internal paths, library error text) in error responses

### 🔐 **Container Security**

- **Non-root User**: Application runs as `stlapp:1001`
- **Minimal Base Image**: Alpine Linux for reduced attack surface
- **Dependency Scanning**: Only production dependencies are installed in the image, which keeps the set of packages to scan small
- **Volume Permissions**: Proper file system permissions on mounted volumes

### 📊 **Monitoring & Logging**

- **Winston Logging**: Structured logging with rotation
- **Health Checks**: Container health monitoring
- **Audit Trail**: File upload/delete operations logged

## Security Configuration

### Environment Variables

```bash
# Rate limiting
RATE_LIMIT_WINDOW_MS=900000      # 15 minutes
RATE_LIMIT_MAX_REQUESTS=100      # Max requests per window

# File upload security
MAX_FILE_SIZE=104857600          # 100MB max file size
MAX_FILES_PER_REQUEST=5          # Max files per upload
ALLOWED_EXTENSIONS=.stl,.STL     # Allowed file extensions

# Logging
LOG_LEVEL=info                   # Log level
```

### Recommended Production Settings

```bash
NODE_ENV=production
SESSION_SECRET=your-strong-secret-key-here   # generate with a CSPRNG; never commit it
LOG_LEVEL=warn
RATE_LIMIT_MAX_REQUESTS=50
```

## Security Best Practices

### 🌐 **Network Security**

- Use a reverse proxy (nginx/traefik) in production
- Enable HTTPS with valid certificates
- Configure firewall rules
- Use a VPN or private networks when possible

### 📁 **File Storage Security**

- Regularly scan uploaded files for malware
- Implement file retention policies
- Monitor storage usage and quotas
- Back up data with encryption

### 🔄 **Container Security**

- Regularly update base images
- Scan images for vulnerabilities
- Use secrets management for sensitive data
- Enable container runtime security

### 📈 **Monitoring**

- Monitor failed authentication attempts
- Track unusual upload patterns
- Set up alerts for security events
- Schedule regular security audits

## Vulnerability Reporting

If you discover a security vulnerability, please:

1. **Do not** create a public issue
2. Email security details privately
3. Include steps to reproduce
4. Allow time for patching before disclosure

## Security Checklist

### Pre-deployment

- [ ] Change default passwords/secrets
- [ ] Configure rate limiting
- [ ] Set up HTTPS
- [ ] Configure logging
- [ ] Test file upload validation
- [ ] Verify container permissions

### Post-deployment

- [ ] Monitor logs for anomalies
- [ ] Set up security alerts
- [ ] Run regular vulnerability scans
- [ ] Update dependencies regularly
- [ ] Verify backups
- [ ] Keep to a security audit schedule