
feat: implement banking-grade HTTPS and transport security #6

Open
devin-ai-integration[bot] wants to merge 1 commit into master from devin/1753786502-banking-https-security

Conversation

@devin-ai-integration

feat: implement banking-grade HTTPS and transport security

Summary

This PR implements comprehensive banking-grade HTTPS and transport security across both the React frontend (bank-client) and NestJS backend (bank-server). The implementation includes HTTPS enforcement, HSTS headers, certificate pinning, secure cookie settings, SSL/TLS database connections, and enhanced security headers following industry best practices for financial applications.

Backend (bank-server) Changes:

  • Enhanced helmet configuration with HSTS (1-year max-age), comprehensive CSP policy, and banking-grade security headers
  • Updated CORS to enforce HTTPS-only origins in production
  • Added SSL/TLS database connection configuration with certificate-based authentication
  • Implemented three new security middlewares: HTTPS redirect, secure cookie handling, and certificate pinning
  • Updated environment variables for SSL/TLS certificates and HTTPS configuration

Frontend (bank-client) Changes:

  • Updated API base URL to use HTTPS in both development and production
  • Enhanced .htaccess with banking-grade security headers (HSTS, CSP, X-Frame-Options, etc.)
  • Updated cookie component to use secure cookie settings (httpOnly, secure, sameSite)

Review & Testing Checklist for Human

🔴 HIGH PRIORITY - Must verify before merge:

  • Test HTTPS functionality end-to-end including redirects and security headers in a browser
  • Replace certificate pinning placeholder hashes in certificate-pinning.middleware.ts with actual certificate SHA-256 hashes
  • Verify SSL database connection works with your actual PostgreSQL setup (test with SSL environment variables)
  • Confirm secure cookie settings don't break existing authentication flows
  • Test that CSP headers don't block any required resources or break existing functionality

⚠️ MEDIUM PRIORITY:

  • Verify production domain names in CORS configuration match your actual deployment domains
  • Test .htaccess security headers work correctly on your web server setup
  • Confirm all SSL environment variables are properly configured in production environment

Recommended Test Plan:

  1. Start both applications locally and verify they connect over HTTPS
  2. Use browser dev tools to check that security headers are present and correct
  3. Test authentication flow to ensure secure cookies work properly
  4. Deploy to staging environment and test certificate pinning (after updating hashes)
  5. Verify database connections work with SSL enabled

Diagram

%%{ init : { "theme" : "default" }}%%
flowchart TD
    subgraph "Backend Security Flow"
        main["src/main.ts<br/>Enhanced Helmet + CORS"]:::major-edit
        app["src/modules/app/index.ts<br/>SSL DB + Middleware Registration"]:::major-edit
        
        subgraph "New Security Middleware"
            https["src/middlewares/https-redirect.middleware.ts"]:::major-edit
            cookies["src/middlewares/secure-cookie.middleware.ts"]:::major-edit
            pinning["src/middlewares/certificate-pinning.middleware.ts"]:::major-edit
        end
        
        env["src/.env.example<br/>SSL Environment Variables"]:::minor-edit
    end
    
    subgraph "Frontend Security"
        api["app/utils/api.js<br/>HTTPS API URLs"]:::major-edit
        htaccess["app/.htaccess<br/>Security Headers"]:::major-edit
        cookie_comp["app/components/ConstantCookie/index.js<br/>Secure Cookie Settings"]:::minor-edit
    end
    
    main --> app
    app --> https
    app --> cookies
    app --> pinning
    main --> env
    
    api -.->|"HTTPS Requests"| main
    
    subgraph Legend
        L1[Major Edit]:::major-edit
        L2[Minor Edit]:::minor-edit
        L3[Context/No Edit]:::context
    end

classDef major-edit fill:#90EE90
classDef minor-edit fill:#87CEEB
classDef context fill:#FFFFFF

Notes

  • Helmet Version: Using helmet v3.23.3 (older version) - had to adjust configuration for compatibility
  • Certificate Pinning: Currently contains placeholder SHA-256 hashes that MUST be replaced with real certificate hashes before production deployment
  • Environment Setup: New SSL environment variables need to be configured in production
  • Testing Limitation: Client build had webpack errors, so end-to-end HTTPS testing was not completed
  • Production Domains: Assumed pietrzakadrian.com domains - please verify these match your actual deployment setup

Session Info: Requested by @akkp-windsurf
Devin Session: https://app.devin.ai/sessions/b23dbdf6062d4995b1581d584c1cf76d
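Added example for the HTTPS redirect, HSTS and secure-cookie items in the checklist above. It is not code from this PR or from the bank-server repository: it is a framework-free sketch in the Express-style `(req, res, next)` shape that NestJS-on-Express middleware uses, with hypothetical names (`httpsEnforcer`, `secureCookie`, `simulate`) and hand-built request/response objects so it runs offline. The points it makes explicit are the ones a reviewer should look for in the real middleware: X-Forwarded-Proto is only believed when a trusted proxy terminates TLS, the Host used in the redirect target is checked against an allowlist (it is client-controlled), non-GET requests get 308 so the method survives, and the Strict-Transport-Security header is only emitted on responses that were actually served over TLS (browsers ignore it over plain HTTP).

```javascript
'use strict';

// Added example, not code from the PR. All names below are hypothetical.
const ONE_YEAR = 31536000; // HSTS max-age in seconds (the "1-year" value from the PR)

// Was this request served over TLS? `req.secure` is true when the socket
// itself is TLS. X-Forwarded-Proto is only trusted when `trustProxy` is set,
// i.e. when a proxy you control terminates TLS and overwrites that header;
// otherwise any client can add the header and bypass the redirect.
function isHttps(req, trustProxy) {
  if (req.secure) return true;
  if (!trustProxy) return false;
  const xfp = String(req.headers['x-forwarded-proto'] || '').split(',')[0].trim();
  return xfp.toLowerCase() === 'https';
}

function httpsEnforcer({ trustProxy = false, allowedHosts = null,
                         includeSubDomains = true, preload = false } = {}) {
  const hsts = [`max-age=${ONE_YEAR}`]
    .concat(includeSubDomains ? ['includeSubDomains'] : [])
    .concat(preload ? ['preload'] : [])
    .join('; ');

  return function enforce(req, res, next) {
    if (!isHttps(req, trustProxy)) {
      // Host is attacker-controlled; with an allowlist a forged Host cannot
      // turn this redirect into a redirect to some other site.
      const host = req.headers.host;
      if (!host || (allowedHosts && !allowedHosts.includes(host))) {
        res.statusCode = 400;
        res.end();
        return;
      }
      // 301 for GET/HEAD; 308 keeps method and body for everything else.
      res.statusCode = (req.method === 'GET' || req.method === 'HEAD') ? 301 : 308;
      res.setHeader('Location', `https://${host}${req.url}`);
      res.end();
      return;
    }
    // Only TLS responses carry HSTS; browsers discard it over plain HTTP anyway.
    res.setHeader('Strict-Transport-Security', hsts);
    next();
  };
}

// Set-Cookie value with the attributes listed in the PR description. HttpOnly
// and Secure can only be applied server-side like this; document.cookie in the
// browser cannot set HttpOnly. The __Host- prefix makes the browser reject the
// cookie unless it has Secure, Path=/ and no Domain attribute.
function secureCookie(name, value, { maxAge = 3600, sameSite = 'Strict' } = {}) {
  if (!['Strict', 'Lax', 'None'].includes(sameSite)) throw new Error('bad SameSite');
  return [
    `__Host-${name}=${encodeURIComponent(value)}`,
    'Path=/', `Max-Age=${maxAge}`, 'Secure', 'HttpOnly', `SameSite=${sameSite}`,
  ].join('; ');
}

// Constructed stand-ins for Node's response object, so the middleware can be
// exercised without a server.
function fakeRes() {
  const headers = {};
  return {
    statusCode: 200, ended: false, headers,
    setHeader(k, v) { headers[k.toLowerCase()] = v; },
    end() { this.ended = true; },
  };
}

function simulate(req, opts) {
  const res = fakeRes();
  let reachedHandler = false;
  httpsEnforcer(opts)(req, res, () => { reachedHandler = true; });
  return { status: res.statusCode, headers: res.headers, reachedHandler };
}

// Constructed request: plain HTTP, but the client claims HTTPS via the header.
const spoofed = { method: 'POST', url: '/login', secure: false,
  headers: { host: 'bank.example', 'x-forwarded-proto': 'https' } };
console.log(simulate(spoofed, { trustProxy: false }).status); // 308 (header ignored)
console.log(simulate(spoofed, { trustProxy: true }).reachedHandler); // true
console.log(secureCookie('session', 'abc 1', { maxAge: 60 }));
```

In a real Express app, `app.set('trust proxy', ...)` makes `req.secure` itself reflect X-Forwarded-Proto, so the manual header check here is spelled out only to show what that setting does and why it must not be enabled blindly. Leave `preload` off until the domain really is ready for the HSTS preload list; it is hard to undo.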

- Enhanced helmet configuration with HSTS, CSP, and comprehensive security headers
- Updated CORS to enforce HTTPS-only origins in production
- Added SSL/TLS database connection configuration
- Implemented secure cookie middleware with httpOnly, secure, sameSite settings
- Added certificate pinning middleware for enhanced security
- Created HTTPS redirect middleware for production
- Updated environment variables for SSL/TLS certificates
- All security middleware registered and compatible with helmet v3.23.3

Co-Authored-By: Arthur Poon <arthur.poon@windsurf.com>
@devin-ai-integration

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

