feat: add hashed token support, security headers, and HTTPS enforcement

- Migrate existing plaintext tokens to Argon2-hashed format
- Implement token hashing and verification utilities using Argon2
- Update `.env.example` with security-focused configurations
- Add `SecurityHeadersMiddleware` for enhanced HTTP security
- Introduce `HTTPSRedirectMiddleware` to ensure HTTPS enforcement
- Update paste service to support hashed tokens for edit and delete operations
- Opportunistically hash legacy tokens during edit operations
- Enhance Swagger and API endpoint security via content security policy (CSP)

Author: Pdzly

backend/.env.example

@@ -0,0 +1,46 @@
+# DevBin Backend Environment Configuration
+
+# Server Configuration
+APP_PORT=8000
+APP_HOST=0.0.0.0
+APP_WORKERS=1
+APP_RELOAD=false
+APP_DEBUG=false
+
+# Database Configuration
+APP_DATABASE_URL=postgresql+asyncpg://postgres:postgres@localhost:5432/devbin
+
+# Security - HTTPS
+# Set to true to redirect HTTP to HTTPS
+# Only enable if your deployment terminates SSL directly
+# Keep false if using reverse proxy (nginx, traefik, caddy, etc.)
+APP_ENFORCE_HTTPS=false
+
+# Security - CORS
+# For development (allows all origins):
+APP_CORS_DOMAINS=["*"]
+APP_ALLOW_CORS_WILDCARD=true
+
+# For production (specify exact domains):
+# APP_CORS_DOMAINS=["https://devbin.example.com","https://app.devbin.example.com"]
+# APP_ALLOW_CORS_WILDCARD=false
+
+# Trusted Hosts (for X-Forwarded-For header)
+APP_TRUSTED_HOSTS=["127.0.0.1"]
+
+# Paste Configuration
+APP_MAX_CONTENT_LENGTH=10000
+APP_BASE_FOLDER_PATH=./files
+APP_MIN_STORAGE_MB=1024
+APP_KEEP_DELETED_PASTES_TIME_HOURS=336
+
+# Caching
+APP_CACHE_SIZE_LIMIT=1000
+APP_CACHE_TTL=300
+
+# Privacy Settings
+APP_SAVE_USER_AGENT=false
+APP_SAVE_IP_ADDRESS=false
+
+# Optional: Rate limit bypass token for testing
+# APP_BYPASS_TOKEN=your_secret_bypass_token_here

backend/alembic/versions/20251219_203917_hash_existing_tokens.py

@@ -0,0 +1,88 @@
+"""Hash existing tokens
+
+Revision ID: 0ed6c1042110
+Revises: 08393764144d
+Create Date: 2025-12-19 20:39:17.000000
+
+"""
+
+from typing import Sequence, Union
+
+import sqlalchemy as sa
+from alembic import op
+from argon2 import PasswordHasher
+
+# revision identifiers, used by Alembic.
+revision: str = "0ed6c1042110"
+down_revision: Union[str, Sequence[str], None] = "08393764144d"
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+# Configure Argon2 with same parameters as token_utils.py
+ph = PasswordHasher(
+    time_cost=2,
+    memory_cost=19456,
+    parallelism=1,
+    hash_len=32,
+    salt_len=16,
+)
+
+
+def upgrade() -> None:
+    """Hash all existing plaintext tokens."""
+    # Get database connection
+    connection = op.get_bind()
+
+    # Fetch all pastes with tokens
+    result = connection.execute(
+        sa.text(
+            "SELECT id, edit_token, delete_token FROM pastes WHERE edit_token IS NOT NULL OR delete_token IS NOT NULL"
+        )
+    )
+
+    pastes = result.fetchall()
+
+    print(f"Hashing tokens for {len(pastes)} pastes...")
+
+    for paste in pastes:
+        paste_id, edit_token, delete_token = paste
+
+        # Hash tokens if they exist and are not already hashed
+        new_edit_token = None
+        new_delete_token = None
+
+        if edit_token and not edit_token.startswith("$argon2"):
+            new_edit_token = ph.hash(edit_token)
+
+        if delete_token and not delete_token.startswith("$argon2"):
+            new_delete_token = ph.hash(delete_token)
+
+        # Update if any token was hashed
+        if new_edit_token or new_delete_token:
+            update_stmt = "UPDATE pastes SET"
+            params = {"paste_id": paste_id}
+            updates = []
+
+            if new_edit_token:
+                updates.append("edit_token = :edit_token")
+                params["edit_token"] = new_edit_token
+
+            if new_delete_token:
+                updates.append("delete_token = :delete_token")
+                params["delete_token"] = new_delete_token
+
+            update_stmt += " " + ", ".join(updates) + " WHERE id = :paste_id"
+
+            connection.execute(sa.text(update_stmt), params)
+
+    print(f"Successfully hashed tokens for {len(pastes)} pastes")
+
+
+def downgrade() -> None:
+    """Cannot downgrade - hashed tokens cannot be reversed to plaintext."""
+    print("WARNING: Cannot downgrade token hashing migration.")
+    print("Hashed tokens cannot be converted back to plaintext.")
+    print("If you need to downgrade, you must:")
+    print("  1. Restore from a backup taken before this migration")
+    print("  2. Or, accept that existing tokens will be invalidated")
+    raise Exception("Irreversible migration - cannot downgrade token hashing")

backend/app/api/middlewares.py

@@ -59,3 +59,101 @@ async def dispatch(self, request: Request, call_next):
         # Continue with the request
         response = await call_next(request)
         return response
+
+
+class SecurityHeadersMiddleware(BaseHTTPMiddleware):
+    """
+    Adds security headers to all responses.
+
+    Headers added:
+    - Strict-Transport-Security (HSTS) - Only on HTTPS
+    - X-Content-Type-Options - Prevent MIME sniffing
+    - X-Frame-Options - Prevent clickjacking
+    - Content-Security-Policy - XSS protection (relaxed for /docs, /redoc)
+    - X-XSS-Protection - Legacy XSS protection
+    - Referrer-Policy - Control referrer information
+
+    Note: CSP is more permissive for Swagger/ReDoc endpoints to allow
+    UI functionality while remaining strict for API endpoints.
+    """
+
+    async def dispatch(self, request: Request, call_next):
+        response = await call_next(request)
+
+        # X-Content-Type-Options: Prevent MIME type sniffing
+        response.headers["X-Content-Type-Options"] = "nosniff"
+
+        # X-Frame-Options: Prevent clickjacking
+        response.headers["X-Frame-Options"] = "DENY"
+
+        # Content-Security-Policy: Different policies for docs vs API
+        # Check if request is for Swagger/ReDoc documentation
+        is_docs_endpoint = request.url.path in ["/docs", "/redoc", "/openapi.json"]
+
+        if is_docs_endpoint:
+            # Permissive CSP for Swagger UI (needs to load scripts/styles)
+            response.headers["Content-Security-Policy"] = (
+                "default-src 'self'; "
+                "script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; "
+                "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; "
+                "img-src 'self' data: https://fastapi.tiangolo.com; "
+                "font-src 'self' data:; "
+                "frame-ancestors 'none'; "
+                "base-uri 'self'"
+            )
+        else:
+            # Strict CSP for API endpoints (no scripts/styles needed)
+            response.headers["Content-Security-Policy"] = (
+                "default-src 'none'; "
+                "frame-ancestors 'none'; "
+                "base-uri 'none'; "
+                "form-action 'none'"
+            )
+
+        # X-XSS-Protection: Legacy header for older browsers
+        # Modern browsers rely on CSP, but this doesn't hurt
+        response.headers["X-XSS-Protection"] = "1; mode=block"
+
+        # Referrer-Policy: Control referrer information leakage
+        response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
+
+        # Strict-Transport-Security (HSTS): Only add on HTTPS
+        # Check if request came over HTTPS
+        # Note: In production behind proxy, check X-Forwarded-Proto header
+        is_https = (
+            request.url.scheme == "https"
+            or request.headers.get("X-Forwarded-Proto") == "https"
+        )
+
+        if is_https:
+            # HSTS: Force HTTPS for 1 year, include subdomains
+            response.headers["Strict-Transport-Security"] = (
+                "max-age=31536000; includeSubDomains"
+            )
+
+        return response
+
+
+class HTTPSRedirectMiddleware(BaseHTTPMiddleware):
+    """
+    Redirects all HTTP requests to HTTPS.
+
+    Only active when ENFORCE_HTTPS config is True.
+    Checks X-Forwarded-Proto header for proxy deployments.
+    """
+
+    async def dispatch(self, request: Request, call_next):
+        # Check if request is over HTTPS
+        is_https = (
+            request.url.scheme == "https"
+            or request.headers.get("X-Forwarded-Proto") == "https"
+        )
+
+        if not is_https:
+            # Redirect to HTTPS
+            from starlette.responses import RedirectResponse
+
+            https_url = request.url.replace(scheme="https")
+            return RedirectResponse(url=str(https_url), status_code=301)
+
+        return await call_next(request)

backend/app/config.py

@@ -31,6 +31,12 @@ class Config(BaseSettings):
 
     CORS_DOMAINS: list[str] = Field(default=["*"], validation_alias="APP_CORS_DOMAINS")
 
+    ALLOW_CORS_WILDCARD: bool = Field(
+        default=False,
+        validation_alias="APP_ALLOW_CORS_WILDCARD",
+        description="Allow wildcard (*) in CORS domains (disable in production)",
+    )
+
     SAVE_USER_AGENT: bool = Field(default=False, validation_alias="APP_SAVE_USER_AGENT")
     SAVE_IP_ADDRESS: bool = Field(default=False, validation_alias="APP_SAVE_IP_ADDRESS")
 
@@ -58,6 +64,12 @@ class Config(BaseSettings):
     RELOAD: bool = Field(default=False, validation_alias="APP_RELOAD")
     DEBUG: bool = Field(default=False, validation_alias="APP_DEBUG")
 
+    ENFORCE_HTTPS: bool = Field(
+        default=False,
+        validation_alias="APP_ENFORCE_HTTPS",
+        description="Enforce HTTPS by redirecting HTTP requests",
+    )
+
     model_config = {
         "env_file": ".env",
         "env_file_encoding": "utf-8",
@@ -93,6 +105,31 @@ def verify_trusted_hosts(cls, hosts: list[str]) -> list[str]:
         logging.info("Trusted hosts: %s", validated_hosts)
         return validated_hosts
 
+    @field_validator("CORS_DOMAINS", mode="after")
+    def validate_cors_domains(cls, domains: list[str], info) -> list[str]:
+        """Validate CORS domains and warn/error on wildcard."""
+        if "*" in domains:
+            allow_wildcard = info.data.get("ALLOW_CORS_WILDCARD", False)
+
+            if not allow_wildcard:
+                logging.error(
+                    "SECURITY WARNING: CORS wildcard (*) is NOT allowed. "
+                    "Set APP_ALLOW_CORS_WILDCARD=true to enable, "
+                    "or specify exact domains in APP_CORS_DOMAINS."
+                )
+                raise ValueError(
+                    "CORS wildcard (*) is disabled. "
+                    "Set APP_ALLOW_CORS_WILDCARD=true or use specific domains."
+                )
+            else:
+                logging.warning(
+                    "SECURITY WARNING: CORS wildcard (*) allows ANY origin. "
+                    "Use only in development, NEVER in production!"
+                )
+
+        logging.info("CORS domains: %s", domains)
+        return domains
+
 
 config = Config()