import helmet from 'helmet';
import cors from 'cors';
import hpp from 'hpp';
import compression from 'compression';
import { env } from '../config/env';
import { Express } from 'express';

/**
 * Attaches the HTTP hardening middleware to an Express application.
 *
 * Middleware is registered in this order: helmet, cors, hpp, compression.
 *
 * @param app - Express application that receives the middleware.
 */
export function setupSecurity(app: Express): void {
  // Helmet: secure HTTP response headers.
  // `undefined` leaves helmet's default Content-Security-Policy in place;
  // `false` disables the CSP header. Every NODE_ENV value other than
  // 'production' (staging, test, unset) therefore runs without a CSP.
  const isProduction = env.NODE_ENV === 'production';
  app.use(
    helmet({
      contentSecurityPolicy: isProduction ? undefined : false,
      crossOriginEmbedderPolicy: false,
    }),
  );

  // CORS.
  // NOTE(review): the cors package compares string entries of an origin
  // array by exact equality, so 'chrome-extension://*' is not a wildcard and
  // does not match a real extension origin. If extension access is intended,
  // list the exact extension origin(s) rather than a broad pattern, because
  // `credentials: true` lets an allowed origin send cookies and auth headers.
  const allowedOrigins = [env.FRONTEND_URL, 'chrome-extension://*'];
  const allowedMethods = ['GET', 'POST', 'PUT', 'DELETE', 'PATCH'];
  const allowedHeaders = ['Content-Type', 'Authorization', 'X-License-Key'];
  app.use(
    cors({
      origin: allowedOrigins,
      credentials: true,
      methods: allowedMethods,
      allowedHeaders: allowedHeaders,
    }),
  );

  // HTTP Parameter Pollution protection.
  // NOTE(review): hpp can only inspect req.body if a body parser has already
  // run; confirm where setupSecurity is called relative to body parsing.
  app.use(hpp());

  // Response compression.
  app.use(compression());
}