
feat: implement HTTPS security for banking client #6

Open
devin-ai-integration[bot] wants to merge 1 commit into master from devin/1753786502-banking-https-security

Conversation

@devin-ai-integration

feat: implement banking-grade HTTPS and transport security

Summary

This PR implements comprehensive banking-grade HTTPS and transport security across both the React frontend (bank-client) and NestJS backend (bank-server). The implementation includes HTTPS enforcement, HSTS headers, certificate pinning, secure cookie settings, SSL/TLS database connections, and enhanced security headers.

Backend (bank-server) changes:

  • Enhanced helmet configuration with HSTS (1-year max-age), Content Security Policy, and comprehensive security headers
  • Updated CORS to enforce HTTPS-only origins in production environments
  • Added SSL/TLS database connection configuration for encrypted data in transit
  • Implemented secure cookie middleware with httpOnly, secure, and sameSite settings
  • Added certificate pinning middleware for enhanced man-in-the-middle protection
  • Created HTTPS redirect middleware for production environments
  • Updated environment variables for SSL/TLS certificate configuration

Frontend (bank-client) changes:

  • Updated API base URL to use HTTPS in both production and development
  • Enhanced .htaccess with banking-grade security headers (HSTS, CSP, X-Frame-Options, etc.)
  • Updated cookie handling to use secure cookie settings

Review & Testing Checklist for Human

⚠️ HIGH PRIORITY - These items require manual verification before deployment:

  • Replace placeholder certificate hashes in src/middlewares/certificate-pinning.middleware.ts with actual SHA-256 hashes of your SSL certificates
  • Verify production domains - Update hardcoded domains (pietrzakadrian.com, api.pietrzakadrian.com) to match your actual deployment domains
  • Test database SSL connections - Ensure PostgreSQL SSL certificates are properly configured and database connections work with the new SSL settings
  • Test HTTPS enforcement end-to-end - Verify HTTP to HTTPS redirects work correctly and security headers are present in production
  • Verify CORS configuration - Ensure HTTPS-only CORS settings don't break legitimate cross-origin requests in your deployment environment

Recommended test plan:

  1. Deploy to staging environment with proper SSL certificates
  2. Test database connectivity with SSL enabled
  3. Verify security headers using browser dev tools or online security scanners
  4. Test API endpoints from frontend to ensure CORS works correctly
  5. Verify cookie security settings in browser dev tools

Diagram

%%{ init : { "theme" : "default" }}%%
graph TB
    subgraph "Bank Server"
        main["src/main.ts<br/>Enhanced helmet & CORS"]:::major-edit
        app["src/modules/app/index.ts<br/>SSL DB config & middleware"]:::major-edit
        env[".env.example<br/>SSL environment vars"]:::minor-edit
        
        subgraph "New Security Middleware"
            cookie["src/middlewares/secure-cookie.middleware.ts"]:::major-edit
            pin["src/middlewares/certificate-pinning.middleware.ts"]:::major-edit
            https["src/middlewares/https-redirect.middleware.ts"]:::major-edit
        end
    end
    
    subgraph "Bank Client"
        api["app/utils/api.js<br/>HTTPS API URLs"]:::major-edit
        htaccess["app/.htaccess<br/>Security headers"]:::major-edit
        cookie_comp["app/components/ConstantCookie/index.js<br/>Secure cookies"]:::minor-edit
    end
    
    subgraph "Database"
        db["PostgreSQL<br/>SSL/TLS connections"]:::context
    end
    
    main --> cookie
    main --> pin
    main --> https
    app --> db
    api --> main
    
    subgraph Legend
        L1[Major Edit]:::major-edit
        L2[Minor Edit]:::minor-edit
        L3[Context/No Edit]:::context
    end
    
    classDef major-edit fill:#90EE90
    classDef minor-edit fill:#87CEEB
    classDef context fill:#FFFFFF

Notes

  • Helmet version compatibility: Adjusted configuration for helmet v3.23.3 - some newer security options were removed due to version constraints
  • Environment-dependent behavior: Heavy use of NODE_ENV === 'production' checks - ensure proper environment configuration
  • Client build issues: Pre-existing webpack/offline-plugin errors prevented full client testing - these are unrelated to security changes
  • Session details: Requested by Arthur Poon (@akkp-windsurf) - Devin session

⚠️ CRITICAL: The certificate pinning middleware contains placeholder SHA-256 hashes that MUST be replaced with actual certificate hashes before production deployment.

- Updated API base URL to use HTTPS in production and development
- Enhanced .htaccess with banking-grade security headers (HSTS, CSP, X-Frame-Options)
- Updated ConstantCookie component to use secure cookie settings
- Configured proper formatting for lint compliance

Co-Authored-By: Arthur Poon <arthur.poon@windsurf.com>
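The PR lists an HTTPS redirect middleware and a one-year HSTS header but shows neither; the following is an added example, not code from this PR or its repository, of how such a middleware looks when it runs behind a TLS-terminating proxy that sets X-Forwarded-Proto (an assumption). The hostname api.bank.example and the tiny req/res stand-ins are constructed here so the block runs offline without Express or NestJS.

```javascript
const HSTS_MAX_AGE = 31536000; // one year, matching the PR's HSTS max-age

// True if the request arrived over TLS, either on this socket or (when we
// trust the reverse proxy) as reported by the first X-Forwarded-Proto hop.
function isSecureRequest(req, trustProxy) {
  if (req.socket && req.socket.encrypted) return true;
  if (!trustProxy) return false;
  const proto = req.headers['x-forwarded-proto'];
  return !!proto && String(proto).split(',')[0].trim().toLowerCase() === 'https';
}

// Middleware factory. canonicalHost is the deployment's real hostname and is
// used for the redirect target instead of the client-supplied Host header, so
// a spoofed Host cannot turn the redirect into an open redirect.
function httpsRedirect({ env = process.env.NODE_ENV, canonicalHost, trustProxy = true } = {}) {
  return function middleware(req, res, next) {
    if (env !== 'production') return next(); // local dev stays on plain HTTP
    if (isSecureRequest(req, trustProxy)) {
      // HSTS is only honoured on an HTTPS response; browsers ignore it over HTTP.
      res.setHeader('Strict-Transport-Security', `max-age=${HSTS_MAX_AGE}; includeSubDomains`);
      return next();
    }
    if (req.method !== 'GET' && req.method !== 'HEAD') {
      // The plaintext body has already crossed the wire; a redirect would only
      // make the client replay it. Refuse so the caller fixes its base URL.
      res.writeHead(403, { 'Content-Type': 'text/plain' });
      return res.end('HTTPS required');
    }
    res.writeHead(301, { Location: `https://${canonicalHost}${req.url}` });
    res.end();
  };
}

// Minimal stand-ins for Node's req/res so the middleware can be exercised offline.
function runMiddleware(mw, { method = 'GET', url = '/', headers = {}, encrypted = false }) {
  const req = { method, url, headers, socket: { encrypted } };
  const res = { statusCode: 200, headers: {}, ended: false };
  res.setHeader = (k, v) => { res.headers[k.toLowerCase()] = v; };
  res.writeHead = (code, h = {}) => {
    res.statusCode = code;
    Object.entries(h).forEach(([k, v]) => { res.headers[k.toLowerCase()] = v; });
  };
  res.end = () => { res.ended = true; };
  let nextCalled = false;
  mw(req, res, () => { nextCalled = true; });
  return { res, nextCalled };
}

// Constructed sample requests against a production instance of the middleware.
const prod = httpsRedirect({ env: 'production', canonicalHost: 'api.bank.example' });
const plain = runMiddleware(prod, { url: '/accounts', headers: { host: 'evil.example' } });
const viaProxy = runMiddleware(prod, { url: '/accounts', headers: { 'x-forwarded-proto': 'https' } });
```

Note that the HSTS header is set only on responses that actually arrived over TLS, and that trustProxy should be false when the app is exposed directly, since any client can otherwise forge X-Forwarded-Proto.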
@devin-ai-integration

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring
