Merge pull request #27 from soapbucket/adding-new-features

refactor: security_headers array format and session field rename

Author: rickcrawford

docs/config.md

@@ -132,7 +132,7 @@ Each key in `origins:` is a hostname. The value is an origin config object.
 | `request_modifiers` | []object | — | Request modification rules (see section 8) |
 | `response_modifiers` | []object | — | Response modification rules (see section 8) |
 | `forward_rules` | []object | — | Path-based routing rules (see section 9) |
-| `session_config` | object | — | Session settings (see section 10) |
+| `session` | object | none | Session settings (see section 10) |
 | `error_pages` | []object | — | Custom error page definitions (see section 11) |
 | `variables` | object | — | Key-value variables for template use (see section 12) |
 | `secrets` | object | — | Secret references (see section 12) |
@@ -848,46 +848,42 @@ policies:
 | Field | Type | Default | Description |
 |---|---|---|---|
 | `type` | string | — | `"security_headers"` |
-| `strict_transport_security` | object | — | HSTS policy |
-| `content_security_policy` | object | — | CSP policy |
-| `x_frame_options` | object | — | X-Frame-Options |
-| `x_content_type_options` | object | — | X-Content-Type-Options |
-| `x_xss_protection` | object | — | X-XSS-Protection |
-| `referrer_policy` | object | — | Referrer-Policy |
-| `permissions_policy` | object | — | Permissions-Policy |
-
-**HSTSConfig:**
-
-| Field | Type | Default | Description |
-|---|---|---|---|
-| `enabled` | bool | false | Enable HSTS header |
-| `max_age` | int | 0 | `max-age` in seconds |
-| `include_subdomains` | bool | false | Include subdomains |
-| `preload` | bool | false | Include preload directive |
+| `headers` | []object | none | List of `{name, value}` response headers to set (HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-* etc.) |
+| `content_security_policy` | object | none | Advanced CSP block (nonce injection, report-only, per-route policies) |
 
 **CSPConfig:**
 
 | Field | Type | Default | Description |
 |---|---|---|---|
-| `enabled` | bool | false | Enable CSP header |
-| `policy` | string | `""` | Simple policy string |
+| `policy` | string | `""` | Base CSP policy string |
+| `enable_nonce` | bool | false | Inject per-request nonce in `script-src`/`style-src` |
 | `report_only` | bool | false | Use `Content-Security-Policy-Report-Only` |
 | `report_uri` | string | `""` | Violation report endpoint |
-| `directives` | object | — | Structured CSP directives |
+| `dynamic_routes` | map | none | Route-prefix to override CSP policy |
 
 ```yaml
 policies:
   - type: security_headers
-    strict_transport_security:
-      enabled: true
-      max_age: 31536000
-      include_subdomains: true
-    x_frame_options:
-      enabled: true
-      value: DENY
-    x_content_type_options:
-      enabled: true
-      no_sniff: true
+    headers:
+      - name: Strict-Transport-Security
+        value: "max-age=31536000; includeSubDomains"
+      - name: X-Frame-Options
+        value: DENY
+      - name: X-Content-Type-Options
+        value: nosniff
+      - name: Referrer-Policy
+        value: strict-origin-when-cross-origin
+      - name: Permissions-Policy
+        value: "camera=()"
+    # Optional: detailed CSP block for nonce / dynamic routes only.
+    content_security_policy:
+      policy: "default-src 'self'"
+      enable_nonce: false     # true to inject per-request nonce in script-src/style-src
+      report_only: false
+      report_uri: ""
+      # dynamic_routes:
+      #   "/admin":
+      #     policy: "default-src 'self' admin.example.com"
 ```
 
 ### 5.7 `request_limiting` - Request Size Limiting
@@ -1309,14 +1305,14 @@ forward_rules:
 
 ---
 
-## 10. Session Config (`session_config`)
+## 10. Session Config (`session`)
 
 | Field | Type | Default | Description |
 |---|---|---|---|
 | `disabled` | bool | false | Disable session management |
 | `cookie_name` | string | `""` | Session cookie name |
-| `cookie_max_age` | int | 0 | Session cookie max age in seconds |
-| `cookie_same_site` | string | `""` | `Strict`, `Lax`, `None` |
+| `max_age` | int | 0 | Session cookie max age in seconds |
+| `same_site` | string | `""` | `Strict`, `Lax`, `None` |
 | `disable_http_only` | bool | false | Remove HttpOnly flag from cookie |
 | `allow_non_ssl` | bool | false | Allow sessions over HTTP |
 | `enable_cookie_jar` | bool | false | Proxy backend Set-Cookie headers via session |

docs/configuration.md

@@ -105,7 +105,7 @@ origins:
     variables: { ... }
     vaults: { ... }
     secrets: { ... }
-    session_config: { ... }
+    session: { ... }
     events: [ ... ]
     cors: { ... }
     compression: { ... }
@@ -258,7 +258,7 @@ origins:
     variables: { ... }           # Optional: template variables
     vaults: { ... }              # Optional: secret vault backends
     secrets: { ... }             # Optional: secret references
-    session_config: { ... }      # Optional: session/cookie settings
+    session: { ... }             # Optional: session/cookie settings
     on_load: [ ... ]             # Optional: startup callbacks
     on_request: [ ... ]          # Optional: per-request callbacks
     on_response: [ ... ]         # Optional: post-response callbacks
@@ -982,35 +982,34 @@ Inject security headers into every response. Use this to harden browser security
 ```yaml
 policies:
   - type: security_headers
-    strict_transport_security:
-      enabled: true
-      max_age: 31536000
-      include_subdomains: true
-      preload: true
+    headers:
+      - name: Strict-Transport-Security
+        value: "max-age=31536000; includeSubDomains; preload"
+      - name: X-Frame-Options
+        value: DENY
+      - name: X-Content-Type-Options
+        value: nosniff
+      - name: Referrer-Policy
+        value: strict-origin-when-cross-origin
+      - name: Permissions-Policy
+        value: "camera=(), microphone=(), geolocation=()"
+    # Optional: detailed CSP block for nonce / dynamic routes only.
     content_security_policy:
       policy: "default-src 'self'; script-src 'self' https://cdn.example.com"
-    x_frame_options:
-      value: DENY
-    x_content_type_options:
-      enabled: true
-    referrer_policy:
-      value: strict-origin-when-cross-origin
-    permissions_policy:
-      policy: "camera=(), microphone=(), geolocation=()"
+      enable_nonce: false     # true to inject per-request nonce in script-src/style-src
+      report_only: false
+      report_uri: ""
+      # dynamic_routes:
+      #   "/admin":
+      #     policy: "default-src 'self' admin.example.com"
 ```
 
+Use `headers` as a simple list of `{name, value}` pairs for any response header (HSTS, Cross-Origin-*, COEP/COOP/CORP, Referrer-Policy, Permissions-Policy, etc.). The optional `content_security_policy` block is for advanced CSP behavior only (per-request nonce injection, report-only mode, per-route overrides). For a plain CSP without nonce or dynamic routes, just add a `Content-Security-Policy` entry to `headers` directly.
+
 | Field | Type | Default | Description |
 |-------|------|---------|-------------|
-| `strict_transport_security` | object | | HSTS settings (max_age, include_subdomains, preload) |
-| `content_security_policy` | object | | CSP policy string |
-| `x_frame_options` | object | | Frame embedding control (DENY, SAMEORIGIN) |
-| `x_content_type_options` | object | | Prevent MIME type sniffing |
-| `x_xss_protection` | object | | XSS filter (legacy browsers) |
-| `referrer_policy` | object | | Controls Referer header |
-| `permissions_policy` | object | | Feature permissions |
-| `cross_origin_embedder_policy` | object | | COEP header |
-| `cross_origin_opener_policy` | object | | COOP header |
-| `cross_origin_resource_policy` | object | | CORP header |
+| `headers` | []object | | List of `{name, value}` response headers to inject |
+| `content_security_policy` | object | | Advanced CSP block (nonce injection, report-only, per-route policies) |
 
 ### csrf
 
@@ -1577,10 +1576,10 @@ Configure session behavior for an origin. Sessions are stored in encrypted cooki
 ```yaml
 origins:
   "app.example.com":
-    session_config:
+    session:
       cookie_name: sb_session
-      cookie_max_age: 3600
-      cookie_same_site: Strict
+      max_age: 3600
+      same_site: Strict
       disable_http_only: false
       allow_non_ssl: false
       enable_cookie_jar: true
@@ -1594,8 +1593,8 @@ origins:
 |-------|------|---------|-------------|
 | `disabled` | bool | false | Disable sessions entirely |
 | `cookie_name` | string | sb_session | Session cookie name |
-| `cookie_max_age` | int | 3600 | Cookie lifetime in seconds |
-| `cookie_same_site` | string | Lax | SameSite attribute (Strict, Lax, None) |
+| `max_age` | int | 3600 | Cookie lifetime in seconds |
+| `same_site` | string | Lax | SameSite attribute (Strict, Lax, None) |
 | `disable_http_only` | bool | false | If true, cookie is accessible to JavaScript |
 | `allow_non_ssl` | bool | false | Allow sessions over HTTP (not just HTTPS) |
 | `enable_cookie_jar` | bool | false | Store backend cookies in the session |
@@ -1905,7 +1904,7 @@ origins:
     variables: { ... }
     vaults: { ... }
     secrets: { ... }
-    session_config: { ... }
+    session: { ... }
     events: [ ... ]
     cors: { ... }
     compression: { ... }

docs/features.md

@@ -693,26 +693,26 @@ Inject security-oriented HTTP response headers.
 ```yaml
 policies:
   - type: security_headers
-    strict_transport_security:
-      enabled: true
-      max_age: 31536000
-      include_subdomains: true
-      preload: true
+    headers:
+      - name: Strict-Transport-Security
+        value: "max-age=31536000; includeSubDomains; preload"
+      - name: X-Frame-Options
+        value: DENY
+      - name: X-Content-Type-Options
+        value: nosniff
+      - name: Referrer-Policy
+        value: strict-origin-when-cross-origin
+      - name: Permissions-Policy
+        value: "camera=()"
+    # Optional: detailed CSP block for nonce / dynamic routes only.
     content_security_policy:
-      enabled: true
-      directives:
-        default_src: ["'self'"]
-        script_src: ["'self'", "'nonce-{generated}'"]
-        connect_src: ["'self'", "https://api.test.sbproxy.dev"]
-    x_frame_options:
-      enabled: true
-      value: DENY
-    x_content_type_options:
-      enabled: true
-      no_sniff: true
-    referrer_policy:
-      enabled: true
-      policy: strict-origin-when-cross-origin
+      policy: "default-src 'self'; script-src 'self' 'nonce-{generated}'; connect-src 'self' https://api.test.sbproxy.dev"
+      enable_nonce: true       # true to inject per-request nonce in script-src/style-src
+      report_only: false
+      report_uri: ""
+      # dynamic_routes:
+      #   "/admin":
+      #     policy: "default-src 'self' admin.example.com"
 ```
 
 ### Request Limiting
@@ -1276,10 +1276,10 @@ error_pages:
 sbproxy maintains a session layer for cookie-based state:
 
 ```yaml
-session_config:
+session:
   cookie_name: _sb_session
-  cookie_max_age: 3600          # 1 hour
-  cookie_same_site: Lax
+  max_age: 3600                 # 1 hour
+  same_site: Lax
   disable_http_only: false      # HttpOnly enabled by default
   allow_non_ssl: false          # Require HTTPS for session cookies
   enable_cookie_jar: true       # Proxy backend Set-Cookie via session
@@ -1307,7 +1307,7 @@ on_request:
     cache_duration: 60s
 
 # Session start callback
-session_config:
+session:
   on_session_start:
     - url: https://analytics.example.com/events
       method: POST

examples/13-security-headers.yml

@@ -57,43 +57,32 @@ origins:
 
     policies:
       # --- Security headers policy ---
+      # Canonical format: `headers` is an array of name/value pairs. The
+      # optional `content_security_policy` block is used only when you need
+      # per-request nonce injection or per-URL-prefix policies.
       - type: security_headers
+        headers:
+          - name: Strict-Transport-Security
+            value: "max-age=31536000; includeSubDomains"
+          - name: X-Frame-Options
+            value: SAMEORIGIN
+          - name: X-Content-Type-Options
+            value: nosniff
+          - name: Referrer-Policy
+            value: strict-origin-when-cross-origin
+          - name: Permissions-Policy
+            value: "camera=(), microphone=(), geolocation=()"
 
-        # HTTP Strict Transport Security (HSTS) - RFC 6797
-        strict_transport_security:
-          enabled: true
-          max_age: 31536000              # 1 year in seconds
-          include_subdomains: true       # Apply to all subdomains
-          preload: false                 # Add to browser preload list (use with caution)
-
-        # Content Security Policy (CSP)
+        # Advanced CSP block. Leave this out for a simple static policy and
+        # put `Content-Security-Policy` in the `headers:` array instead.
         content_security_policy:
-          enabled: true
           policy: "default-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self' 'unsafe-inline'"
+          enable_nonce: false            # true to inject a per-request nonce
           report_only: false             # true = log violations but don't block
-
-        # X-Frame-Options: prevent clickjacking
-        x_frame_options:
-          enabled: true
-          value: SAMEORIGIN              # "DENY", "SAMEORIGIN", or "ALLOW-FROM <uri>"
-
-        # X-Content-Type-Options: prevent MIME sniffing
-        x_content_type_options:
-          enabled: true
-          no_sniff: true
-
-        # Referrer-Policy: control how much referrer info is sent
-        referrer_policy:
-          enabled: true
-          policy: strict-origin-when-cross-origin
-
-        # Permissions-Policy: control browser feature access
-        permissions_policy:
-          enabled: true
-          features:
-            camera: "()"               # Disallow camera access
-            microphone: "()"           # Disallow microphone access
-            geolocation: "()"          # Disallow geolocation
+          # report_uri: "/csp-report"    # optional report destination
+          # dynamic_routes:
+          #   "/admin":
+          #     policy: "default-src 'self' admin.example.com"
 
       # --- IP filtering policy ---
       - type: ip_filtering

examples/16-full-production.yml

@@ -93,22 +93,17 @@ origins:
 
       # Security headers
       - type: security_headers
-        strict_transport_security:
-          enabled: true
-          max_age: 31536000            # 1 year
-          include_subdomains: true
-        content_security_policy:
-          enabled: true
-          policy: "default-src 'self'; connect-src 'self' https://api.example.com"
-        x_frame_options:
-          enabled: true
-          value: DENY                  # Never render in a frame
-        x_content_type_options:
-          enabled: true
-          no_sniff: true
-        referrer_policy:
-          enabled: true
-          policy: strict-origin-when-cross-origin
+        headers:
+          - name: Strict-Transport-Security
+            value: "max-age=31536000; includeSubDomains"
+          - name: Content-Security-Policy
+            value: "default-src 'self'; connect-src 'self' https://api.example.com"
+          - name: X-Frame-Options
+            value: DENY                  # Never render in a frame
+          - name: X-Content-Type-Options
+            value: nosniff
+          - name: Referrer-Policy
+            value: strict-origin-when-cross-origin
 
     # --- Response caching ---
     response_cache:

internal/config/callback_template_e2e_test.go

@@ -107,10 +107,10 @@ func TestCallbackTemplateVariables_E2EConfig_Session(t *testing.T) {
 			"id": "lua-callback-session",
 			"hostname": "lua-callback-session.test",
 			"workspace_id": "test-workspace",
-			"session_config": {
+			"session": {
 				"enabled": true,
 				"cookie_name": "_sb.session",
-				"cookie_max_age": 3600,
+				"max_age": 3600,
 				"callbacks": [
 					{
 						"type": "http",