Overview

Implement comprehensive middleware for input validation, error handling, rate limiting, and security headers to protect the GhostPaste API.

Tasks

• Create input validation middleware
• Create error handling middleware
• Implement Cloudflare rate limiting rules
• Configure CORS for production domain
• Add request timeout handling (50ms CPU limit)
• Implement security headers

Technical Requirements

• Edge runtime compatible middleware
• Zod or similar for schema validation
• Consistent error response format
• Rate limiting using Cloudflare's built-in features
• CORS configuration for ghostpaste.dev
• Security headers (CSP, HSTS, etc.)

Middleware Components

Input Validation

• Validate request body schemas
• Sanitize user inputs
• Check content-types
• Enforce size limits before processing

Error Handling

• Catch and format all errors consistently
• Log errors appropriately
• Return user-friendly error messages
• Hide internal implementation details

Rate Limiting

• Configure per-IP rate limits
• Different limits for different endpoints
• Return 429 with retry-after header

Security Headers

• Content-Security-Policy
• X-Content-Type-Options: nosniff
• X-Frame-Options: DENY
• Strict-Transport-Security

Acceptance Criteria

• All inputs validated before processing
• Errors return consistent JSON format
• Rate limiting prevents abuse (e.g., 10 requests/minute for POST)
• CORS allows only specified origins
• Security headers present on all responses
• CPU-intensive operations optimized for 50ms limit

Dependencies

• Can start alongside API development

References

• Cloudflare Security Headers
• See docs/PHASE_5_ISSUE_TRACKING.md for detailed specifications