34 lines
2.2 KiB
Markdown
34 lines
2.2 KiB
Markdown
---
|
|
id: security-headers-rate-limit-sbom
|
|
prd: docs/work/prds/security-headers-rate-limit-sbom.prd.md
|
|
title: Security headers + rate-limit primitive + SBOM in CI — Epic C of ADR-025
|
|
type: epic
|
|
status: done
|
|
features:
|
|
[core-shared, core-testing, core-eslint, auth, web-next, web-tanstack, cms]
|
|
created: 2026-05-20T00:00:00Z
|
|
updated: 2026-05-20T11:49:44.873Z
|
|
---
|
|
|
|
## Goal
|
|
|
|
Ship three hardening primitives — framework-agnostic security header middleware, a manifest-declared rate-limit conformance channel, and per-release SBOM evidence — so downstream consumers get compliant default headers, lint-enforced rate-limit gates, and CycloneDX audit artifacts without inventing any of them.
|
|
|
|
## Why
|
|
|
|
Security scanners flag the absence of HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and CSP on every template app response. Auth endpoints (signIn, signUp) ship without rate-limit declarations, leaving credential-stuffing windows open until a consumer notices their auth logs. Consumers pursuing SOC 2 / ISO 27001 / FedRAMP must invent SBOM tooling and bolt it into their release flow. ADR-025 settled the strategy; this epic is the implementation.
|
|
|
|
## Stories
|
|
|
|
- [x] [01 — Rate-limit type primitives and manifest field](01-rate-limit-type-primitives/_story.md)
|
|
- [x] [02 — Rate-limit implementations: Noop, InMemory, Recording](02-rate-limit-implementations/_story.md)
|
|
- [x] [03 — `no-undeclared-rate-limit` ESLint rule](03-no-undeclared-rate-limit-eslint-rule/_story.md)
|
|
- [x] [04 — `withRateLimit` wrapper and conformance extensions](04-with-rate-limit-wrapper-and-conformance/_story.md)
|
|
- [x] [05 — auth.signIn rate-limit backfill](05-auth-signin-rate-limit-backfill/_story.md)
|
|
- [x] [06 — Security headers core module](06-security-headers-core-module/_story.md)
|
|
- [x] [07 — Per-framework security header adapters](07-security-header-adapters/_story.md)
|
|
- [x] [08 — App wiring: web-next](08-app-wiring-web-next/_story.md)
|
|
- [x] [09 — App wiring: web-tanstack and cms](09-app-wiring-web-tanstack-and-cms/_story.md)
|
|
- [x] [10 — SBOM CI workflow and ADR-023 amendment](10-sbom-ci-workflow/_story.md)
|
|
- [x] [11 — Documentation and conformance reference updates](11-documentation/_story.md)
|