api key and security

config/security.yaml

@@ -0,0 +1,53 @@
+# Güvenlik ayarları
+security:
+  # API Key Authentication
+  require_api_key: true  # true ise tüm endpoint'ler API key gerektirir
+  api_keys:
+    # API key'ler: key -> {name, rate_limit, enabled}
+    # Örnek API key'ler (production'da değiştirilmeli!)
+    demo_key_12345:
+      name: "Demo API Key"
+      rate_limit: 100  # Dakikada maksimum istek
+      enabled: true
+      created_at: "2025-01-01"
+    
+    # Daha fazla API key eklenebilir
+    # production_key_xyz:
+    #   name: "Production Key"
+    #   rate_limit: 1000
+    #   enabled: true
+  
+  # Rate Limiting (IP bazlı, API key yoksa)
+  default_rate_limit: 60  # Dakikada maksimum istek
+  rate_limit_by_endpoint:
+    "/": 60  # Ana feed endpoint
+    "/health": 120  # Health check daha fazla izin ver
+    "/info": 120  # Info endpoint
+  
+  # Input Validation
+  max_input_length:
+    channel_id: 50
+    channel_handle: 50
+    channel_url: 200
+    max_items: 500
+  
+  # CORS Settings
+  cors:
+    enabled: true
+    allowed_origins:
+      - "*"  # Production'da spesifik domain'ler belirtilmeli
+    allowed_methods:
+      - "GET"
+      - "OPTIONS"
+    allowed_headers:
+      - "Content-Type"
+      - "X-API-Key"
+  
+  # Security Headers
+  security_headers:
+    X-Content-Type-Options: "nosniff"
+    X-Frame-Options: "DENY"
+    X-XSS-Protection: "1; mode=block"
+    Strict-Transport-Security: "max-age=31536000; includeSubDomains"  # HTTPS için
+    Content-Security-Policy: "default-src 'self'"
+