Implement security enhancements: add rate limiting, enforce HTTPS, an…

[joelbyford]

This pull request introduces major security improvements and new documentation for the BasicAuth middleware, along with a new test harness for local authentication testing. The most important changes include enforcing HTTPS/TLS, adding rate limiting and lockout mechanisms for failed authentication attempts, updating documentation to emphasize secure credential handling, and providing a runnable test harness for verifying middleware behavior.

Security Enhancements:

• Enforced HTTPS/TLS: The middleware now rejects non-secure (non-HTTPS) requests, ensuring credentials are not sent over unencrypted channels.
• Implemented rate limiting and lockout: Tracks failed authentication attempts by IP and username, locking out clients after too many failures within a time window. [1] [2]

Credential Handling Improvements:

• Updated documentation and code examples to source credentials from environment variables or secure files, discouraging hardcoded secrets and providing guidance on secure configuration. [1] [2]

Test Harness and Documentation:

• Added a local authentication test harness (harness/BasicAuthHarness) with example endpoints and test scripts for verifying middleware behavior. [1] [2] [3]
• Created a changelog (CHANGELOG.md) and expanded README to include security requirements, usage guidance, and testing instructions. [1] [2] [3]

Project Structure and Versioning:

• Bumped package version to 2.0.0 and updated project file to remove test harness files from compilation for the main library.

Security Review Prompts:

• Added GitHub prompts for security review and mitigation planning to help maintainers address security concerns proactively. (.github/prompts/review.security.md)…d update examples to use environment variables

[Copilot]

Pull request overview

This PR upgrades the BasicAuth middleware with HTTPS enforcement plus in-memory rate limiting/lockout, and adds documentation + a local harness to manually validate authentication behavior.

Changes:

• Add HTTPS/TLS enforcement and IP/username-based lockout/rate limiting to BasicAuth middleware.
• Add a runnable local harness with curl/HTTP scripts for manual verification.
• Update README + add CHANGELOG and security review prompt documentation.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 10 comments.

Show a summary per file

File	Description
BasicAuth.cs	Adds HTTPS checks, credential parsing hardening, fixed-time comparison, and throttling/lockout state.
BasicAuth.csproj	Bumps package version to 2.0.0 and excludes harness code from library compilation.
README.md	Documents security requirements, safer credential handling, and harness usage.
CHANGELOG.md	Introduces a changelog entry for v2.0.0 security updates.
harness/BasicAuthHarness/Program.cs	Minimal app wiring to run the middleware locally.
harness/BasicAuthHarness/BasicAuthHarness.csproj	Adds the harness project definition referencing the main library.
harness/BasicAuthHarness/testing/test-auth.ps1	PowerShell curl-based manual test script.
harness/BasicAuthHarness/testing/manualtesting.http	REST Client manual test definitions.
.github/prompts/review.security.md	Adds repository prompts for security review and mitigation planning.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

@joelbyford I've opened a new pull request, #7, to work on those changes. Once the pull request is ready, I'll request review from you.