hardening

gms1 · gms1 · commit 67353fe2d1cf · 2026-03-28T09:36:54.000+01:00
- Linux hardening flags (all builds):
  -fstack-protector-strong - Stack canary protection
  -fPIC - Position Independent Code
  -Wl,-z,relro,-z,now - Full RELRO (Read-only GOT)

- Linux Release-only flags (via configurations.Release):

  _FORTIFY_SOURCE=2 - Buffer overflow detection
  -fcf-protection=full - Control Flow Integrity (Intel CET)

- macOS hardening flags (all builds):

  -fstack-protector-strong in OTHER_CFLAGS

- Windows hardening flags (all builds):

  BufferSecurityCheck: "true" (/GS)
  ControlFlowGuard: "Guard" (/guard:cf)
  /DYNAMICBASE - ASLR support
  /NXCOMPAT - DEP/NX bit support

- Windows Release-only flags:

  /sdl - Additional security checks
diff --git a/binding.gyp b/binding.gyp
@@ -11,6 +11,7 @@
       "xcode_settings": {
         "CLANG_CXX_LIBRARY": "libc++",
         "MACOSX_DEPLOYMENT_TARGET": "10.7",
+        "OTHER_CFLAGS": [ "-fstack-protector-strong" ]
       },
       "include_dirs": [
         "<!@(node -p \"require('node-addon-api').include\")"],
@@ -39,15 +40,54 @@
               "deps/sqlite3.gyp:sqlite3"
             ]
         }
-        ]
+        ],
+        # Linux hardening flags (apply to all builds)
+        ["OS=='linux'", {
+          "cflags+": [
+            "-fstack-protector-strong",
+            "-fPIC"
+          ],
+          "ldflags+": [ "-Wl,-z,relro,-z,now" ]
+        }],
+        # Windows hardening flags (apply to all builds)
+        ["OS=='win'", {
+          "msvs_settings": {
+            "VCCLCompilerTool": {
+              "ExceptionHandling": 1,
+              "BufferSecurityCheck": "true",
+              "ControlFlowGuard": "Guard"
+            },
+            "VCLinkerTool": {
+              "AdditionalOptions": [ "/DYNAMICBASE", "/NXCOMPAT" ]
+            }
+          }
+        }]
       ],
       "sources": [
         "src/backup.cc",
         "src/database.cc",
         "src/node_sqlite3.cc",
         "src/statement.cc"
       ],
-      "defines": [ "NAPI_VERSION=<(napi_build_version)" ]
+      "defines": [ "NAPI_VERSION=<(napi_build_version)" ],
+      # Release-specific hardening flags
+      "configurations": {
+        "Release": {
+          "conditions": [
+            ["OS=='linux'", {
+              "defines+": [ "_FORTIFY_SOURCE=2" ],
+              "cflags+": [ "-fcf-protection=full" ]
+            }],
+            ["OS=='win'", {
+              "msvs_settings": {
+                "VCCLCompilerTool": {
+                  "AdditionalOptions": [ "/sdl" ]
+                }
+              }
+            }]
+          ]
+        }
+      }
     }
   ]
 }
