# Security settings
# NOTE(review): this file was recovered from a source collapsed onto one line;
# the nesting below follows the key names and section comments, so confirm it
# against the loader before relying on it.
security:
  # API key authentication
  require_api_key: true  # when true, every endpoint requires an API key
  api_keys:
    # API keys: key -> {name, rate_limit, enabled}
    # Example API keys (must be changed in production!)
    # NOTE(review): this is a shared default credential committed to the
    # repository; rotate or disable it before any deployment and treat its
    # appearance in request logs as a finding.
    demo_key_12345:
      name: "Demo API Key"
      rate_limit: 100  # maximum requests per minute for this key
      enabled: true
      created_at: "2025-01-01"  # quoted so the loader keeps it a string, not a date
    # More API keys can be added here
    # production_key_xyz:
    #   name: "Production Key"
    #   rate_limit: 1000
    #   enabled: true

  # Rate limiting (per IP, used when no API key is presented)
  default_rate_limit: 60  # maximum requests per minute
  rate_limit_by_endpoint:
    "/": 60  # main feed endpoint
    "/health": 120  # health check; allow more
    "/info": 120  # info endpoint

  # Input validation
  max_input_length:
    channel_id: 50
    channel_handle: 50
    channel_url: 200
  # NOTE(review): whether max_items sits under max_input_length or beside it
  # could not be recovered from the collapsed source — confirm with the loader.
  max_items: 500

  # CORS settings
  cors:
    enabled: true
    allowed_origins:
      - "*"  # specific domains must be configured in production
      # NOTE(review): a wildcard origin together with the X-API-Key header
      # lets any site that holds a key call the API from a browser; restrict
      # origins before exposing this publicly.
    allowed_methods:
      - "GET"
      - "OPTIONS"
    allowed_headers:
      - "Content-Type"
      - "X-API-Key"

  # Security headers
  security_headers:
    X-Content-Type-Options: "nosniff"
    X-Frame-Options: "DENY"
    # NOTE(review): legacy header; current browsers ignore it and OWASP
    # guidance is to set it to "0" or omit it — confirm before changing.
    X-XSS-Protection: "1; mode=block"
    Strict-Transport-Security: "max-age=31536000; includeSubDomains"  # for HTTPS; browsers ignore it on plain HTTP responses
    Content-Security-Policy: "default-src 'self'"  # blocks inline scripts/styles; confirm any HTML responses comply