# API Security Rules
# ==================
api_security_rules:
  - id: SEC-031
    name: CORS origin validation
    severity: error
    description: >
      CORS must not allow all origins in production. List allowed origins
      explicitly as exact scheme://host[:port] values; do not reflect the
      request's Origin header back unchecked, and never combine a wildcard
      origin with credentialed requests.
  - id: SEC-032
    name: Rate limiting on sensitive endpoints
    severity: warning
    description: >
      Authentication, password reset, and payment endpoints need rate limiting
      (per client and per account) to slow credential stuffing and abuse.
  - id: SEC-033
    name: Security headers
    severity: warning
    description: >
      Configure security headers such as X-Content-Type-Options: nosniff,
      X-Frame-Options, and a Content-Security-Policy on every response.
  - id: SEC-034
    name: HTTPS enforcement
    severity: error
    description: >
      External URLs must use HTTPS. Plain HTTP is only acceptable for localhost.
  - id: SEC-035
    name: Request size limits
    severity: warning
    description: >
      Limit request body size, and reject oversized requests before the body is
      read, to prevent memory-exhaustion DoS.
  - id: SEC-036
    name: Input validation with Pydantic
    severity: warning
    description: >
      All API inputs (body, query, path, and headers) should be validated with
      Pydantic models rather than consumed as raw dicts.
  - id: SEC-037
    name: API versioning
    severity: info
    description: >
      APIs should be versioned so that a security fix that changes behaviour can
      ship in a new version and the old one can be retired on its own schedule.
  - id: SEC-038
    name: Method restrictions
    severity: warning
    description: >
      Endpoints should only accept the HTTP methods they need; other methods
      must be rejected, not silently routed to the same handler.
  - id: SEC-039
    name: Authentication bypass prevention
    severity: error
    description: >
      Authentication must be enforced by default for every non-public route
      (deny by default), not opted into per endpoint, so a forgotten dependency
      cannot expose a route.
  - id: SEC-040
    name: Timeout configuration
    severity: warning
    description: >
      All outbound calls (HTTP clients, databases, queues) must have connect
      and read timeouts configured.