orion/.security-rules/api_security.yaml
Samir Boulahtit 26b3dc9e3b feat: add unified code quality dashboard with multiple validators
- Add validator_type field to scans and violations (architecture,
  security, performance)
- Create security validator with SEC-xxx rules
- Create performance validator with PERF-xxx rules
- Add base validator class for shared functionality
- Add validate_all.py script to run all validators
- Update code quality service with validator type filtering
- Add validator type tabs to dashboard UI
- Add validator type filter to violations list
- Update stats response with per-validator breakdown
- Add security and performance rules documentation
- Add chat-bubble icons to icon library

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-21 20:57:47 +01:00

# API Security Rules
# ==================
api_security_rules:
  - id: SEC-031
    name: CORS origin validation
    severity: error
    description: >
      CORS must not allow all origins in production.
      Specify allowed origins explicitly.
  - id: SEC-032
    name: Rate limiting on sensitive endpoints
    severity: warning
    description: >
      Auth, password reset, and payment endpoints need rate limiting.
  - id: SEC-033
    name: Security headers
    severity: warning
    description: >
      Configure security headers like X-Content-Type-Options,
      X-Frame-Options, Content-Security-Policy.
  - id: SEC-034
    name: HTTPS enforcement
    severity: error
    description: >
      External URLs must use HTTPS.
      HTTP is only acceptable for localhost.
  - id: SEC-035
    name: Request size limits
    severity: warning
    description: >
      Limit request body size to prevent DoS attacks.
  - id: SEC-036
    name: Input validation with Pydantic
    severity: warning
    description: >
      All API inputs should be validated using Pydantic models.
  - id: SEC-037
    name: API versioning
    severity: info
    description: >
      APIs should be versioned for security update isolation.
  - id: SEC-038
    name: Method restrictions
    severity: warning
    description: >
      Endpoints should only allow necessary HTTP methods.
  - id: SEC-039
    name: Authentication bypass prevention
    severity: error
    description: >
      Ensure authentication cannot be bypassed.
  - id: SEC-040
    name: Timeout configuration
    severity: warning
    description: >
      All external calls must have timeouts configured.
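As an added example, not the orion repository's own security validator: a minimal line-based checker for the three rules above that can be spotted on a single source line (SEC-031 wildcard CORS, SEC-034 plain-HTTP URLs to non-local hosts, SEC-040 external calls without a timeout), run over constructed sample lines. The regexes, the `Violation` type and the sample source are this example's assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Violation:
    rule_id: str   # id from api_security.yaml
    line_no: int
    message: str


# Patterns are this example's assumption of what each rule looks like in code.
_CORS_WILDCARD = re.compile(r'allow_origins\s*=\s*\[\s*["\']\*["\']\s*\]')
_HTTP_URL = re.compile(r'["\']http://([^/"\'\s:]+)')       # captures the host
_LOCAL_HOSTS = {"localhost", "127.0.0.1", "0.0.0.0", "::1"}  # SEC-034 exception
_EXTERNAL_CALL = re.compile(r"\b(?:requests|httpx)\.(?:get|post|put|delete|patch)\(")


def check_line(line_no: int, line: str) -> list[Violation]:
    """Return every SEC-031/034/040 violation found on one source line."""
    found: list[Violation] = []
    if _CORS_WILDCARD.search(line):
        found.append(Violation("SEC-031", line_no, "CORS allows all origins"))
    m = _HTTP_URL.search(line)
    if m and m.group(1) not in _LOCAL_HOSTS:
        found.append(Violation("SEC-034", line_no, f"plain HTTP URL to {m.group(1)}"))
    if _EXTERNAL_CALL.search(line) and "timeout=" not in line:
        found.append(Violation("SEC-040", line_no, "external call without timeout"))
    return found


def scan(source: str) -> list[Violation]:
    """Scan a whole source file, numbering lines from 1."""
    out: list[Violation] = []
    for n, line in enumerate(source.splitlines(), start=1):
        out.extend(check_line(n, line))
    return out


# Constructed sample: lines 1, 3 and 4 violate a rule; lines 2 and 5 are clean.
SAMPLE = """\
app.add_middleware(CORSMiddleware, allow_origins=["*"])
HEALTH = "http://localhost:8000/health"
UPSTREAM = "http://api.example.com/v1"
resp = requests.get(UPSTREAM)
ok = httpx.get(HEALTH, timeout=5.0)
"""

if __name__ == "__main__":
    for v in scan(SAMPLE):
        print(f"{v.rule_id} line {v.line_no}: {v.message}")
```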