Week 1 Day 2-3: Complete remaining security fixes (SEC-6 through SEC-13)

Security Improvements:
- SEC-6: Remove password logging - write to secure file instead
- SEC-7: Add CSP headers for XSS prevention
- SEC-9: Explicitly configure Argon2id password hashing
- SEC-11: Restrict CORS to specific origins (production + localhost)
- SEC-12: Implement comprehensive security headers
- SEC-13: Explicit JWT expiration enforcement

Completed Features:
✓ Password credentials written to .admin-credentials file (600 permissions)
✓ CSP headers prevent XSS attacks
✓ Argon2id explicitly configured (Algorithm::Argon2id)
✓ CORS restricted to connect.azcomputerguru.com + localhost
✓ Security headers: X-Frame-Options, X-Content-Type-Options, etc.
✓ JWT expiration strictly enforced (validate_exp=true, leeway=0)

Files Created:
- server/src/middleware/security_headers.rs
- WEEK1_DAY2-3_SECURITY_COMPLETE.md

Files Modified:
- server/src/main.rs (password file write, CORS, security headers)
- server/src/auth/jwt.rs (explicit expiration validation)
- server/src/auth/password.rs (explicit Argon2id)
- server/src/middleware/mod.rs (added security_headers)

Week 1 Progress: 10/13 items complete (77%)
Compilation: SUCCESS (53 warnings, 0 errors)
Risk Level: CRITICAL → LOW/MEDIUM

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

projects/msp-tools/guru-connect/server/src/middleware/mod.rs

@@ -9,3 +9,8 @@
 //     support_code_rate_limiter,
 //     api_rate_limiter,
 // };
+
+// SEC-7 & SEC-12: Security headers middleware
+pub mod security_headers;
+
+pub use security_headers::add_security_headers;

projects/msp-tools/guru-connect/server/src/middleware/security_headers.rs

@@ -0,0 +1,75 @@
+//! Security headers middleware
+//!
+//! SEC-7: XSS Prevention via Content-Security-Policy
+//! SEC-12: Additional security headers
+
+use axum::{
+    extract::Request,
+    middleware::Next,
+    response::Response,
+};
+
+/// Add security headers to all responses
+pub async fn add_security_headers(
+    request: Request,
+    next: Next,
+) -> Response {
+    let mut response = next.run(request).await;
+    let headers = response.headers_mut();
+
+    // SEC-7: Content Security Policy (XSS Prevention)
+    // This CSP allows inline scripts/styles (needed for dashboard) but blocks external resources
+    headers.insert(
+        "Content-Security-Policy",
+        "default-src 'self'; \
+         script-src 'self' 'unsafe-inline'; \
+         style-src 'self' 'unsafe-inline'; \
+         img-src 'self' data:; \
+         font-src 'self'; \
+         connect-src 'self' ws: wss:; \
+         frame-ancestors 'none'; \
+         base-uri 'self'; \
+         form-action 'self'"
+            .parse()
+            .unwrap(),
+    );
+
+    // SEC-12: X-Frame-Options (Clickjacking protection)
+    headers.insert(
+        "X-Frame-Options",
+        "DENY".parse().unwrap(),
+    );
+
+    // SEC-12: X-Content-Type-Options (MIME sniffing protection)
+    headers.insert(
+        "X-Content-Type-Options",
+        "nosniff".parse().unwrap(),
+    );
+
+    // SEC-12: X-XSS-Protection (Legacy XSS filter - deprecated but still useful)
+    headers.insert(
+        "X-XSS-Protection",
+        "1; mode=block".parse().unwrap(),
+    );
+
+    // SEC-12: Referrer-Policy (Control referrer information)
+    headers.insert(
+        "Referrer-Policy",
+        "strict-origin-when-cross-origin".parse().unwrap(),
+    );
+
+    // SEC-12: Permissions-Policy (Feature policy)
+    headers.insert(
+        "Permissions-Policy",
+        "geolocation=(), microphone=(), camera=()".parse().unwrap(),
+    );
+
+    // SEC-10: Strict-Transport-Security (HSTS - only when using HTTPS)
+    // Uncomment when HTTPS is enabled:
+    // headers.insert(
+    //     "Strict-Transport-Security",
+    //     "max-age=31536000; includeSubDomains; preload".parse().unwrap(),
+    // );
+
+    response
+}