Open
Labels
api, enhancement, priority: high, security
Description
Overview
Implement comprehensive middleware for input validation, error handling, rate limiting, and security headers to protect the GhostPaste API.
Tasks
- Create input validation middleware
- Create error handling middleware
- Implement Cloudflare rate limiting rules
- Configure CORS for production domain
- Add request timeout handling (50ms CPU limit)
- Implement security headers
Technical Requirements
- Edge runtime compatible middleware
- Zod or similar for schema validation
- Consistent error response format
- Rate limiting using Cloudflare's built-in features
- CORS configuration for ghostpaste.dev
- Security headers (CSP, HSTS, etc.)
Middleware Components
Input Validation
- Validate request body schemas
- Sanitize user inputs
- Check content-types
- Enforce size limits before processing
Error Handling
- Catch and format all errors consistently
- Log errors appropriately
- Return user-friendly error messages
- Hide internal implementation details
Rate Limiting
- Configure per-IP rate limits
- Different limits for different endpoints
- Return 429 with retry-after header
Security Headers
- Content-Security-Policy
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY
- Strict-Transport-Security
Acceptance Criteria
- All inputs validated before processing
- Errors return consistent JSON format
- Rate limiting prevents abuse (e.g., 10 requests/minute for POST)
- CORS allows only specified origins
- Security headers present on all responses
- CPU-intensive operations optimized for 50ms limit
Dependencies
- Can start alongside API development
References
- Cloudflare Security Headers
- See docs/PHASE_5_ISSUE_TRACKING.md for detailed specifications
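The Input Validation, Error Handling and Security Headers components listed above, combined into one edge-compatible wrapper built only on the Web `Request`/`Response`/`Headers` APIs. This is an added example, not GhostPaste's own code: the 1 MiB size limit, the JSON-only content type, the rejection of bodies without `Content-Length`, the CSP and HSTS values, and the `{ error: { code, message } }` shape are all assumptions.

```javascript
// Added example; limits, header values and the error shape are assumptions.
const ALLOWED_ORIGIN = "https://ghostpaste.dev"; // production domain named in the issue
const MAX_BODY_BYTES = 1024 * 1024;              // assumed size limit (placeholder)
const SECURITY_HEADERS = {
  "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'", // assumed policy for a JSON API
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "DENY",
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",      // assumed max-age
};

// One error shape for every failure; internal details never reach the client.
function errorResponse(status, code, message) {
  const headers = { "Content-Type": "application/json" };
  return new Response(JSON.stringify({ error: { code, message } }), { status, headers });
}

// Header-only checks run before the body is read: a Response rejects, null lets the request through.
function guard(request) {
  if (!["POST", "PUT", "PATCH"].includes(request.method)) return null;
  const type = (request.headers.get("Content-Type") || "").split(";")[0].trim().toLowerCase();
  if (type !== "application/json") return errorResponse(415, "UNSUPPORTED_MEDIA_TYPE", "Content-Type must be application/json");
  const length = request.headers.get("Content-Length");
  if (length === null || !/^\d+$/.test(length)) return errorResponse(411, "LENGTH_REQUIRED", "Content-Length is required");
  if (Number(length) > MAX_BODY_BYTES) return errorResponse(413, "PAYLOAD_TOO_LARGE", "Request body is too large");
  return null;
}

// Copies the response, adding security headers and CORS for the single allowed origin.
function finalize(request, response) {
  const headers = new Headers(response.headers);
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) headers.set(name, value);
  headers.append("Vary", "Origin"); // caches must not reuse a CORS answer across origins
  if (request.headers.get("Origin") === ALLOWED_ORIGIN) headers.set("Access-Control-Allow-Origin", ALLOWED_ORIGIN);
  return new Response(response.body, { status: response.status, headers });
}

// Wraps a route handler: guard first, handler second, catch-all last.
function withMiddleware(handler) {
  return async (request) => {
    try {
      return finalize(request, guard(request) || (await handler(request)));
    } catch (err) {
      console.error(err); // full detail goes to the log only
      return finalize(request, errorResponse(500, "INTERNAL_ERROR", "Something went wrong"));
    }
  };
}
```

`Content-Length` is only what the client declared, so a handler that reads the body should still stop at `MAX_BODY_BYTES`; schema validation (Zod or similar) then runs on the parsed body inside the handler.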