Harden Spring Security configuration and enforce HTTPS

- All requests now require HTTPS.
- Stateless sessions enabled for JWT-based auth.
- XSS, HSTS, and Frame-Options headers added.
- /api/auth/** is public, all other routes require authentication.
- CSRF disabled (assumes token-based auth).

src/main/java/com/skycrate/backend/skycrateBackend/config/SecurityConfig.java

@@ -1,23 +1,51 @@
-// package com.skycrate.backend.skycrateBackend.config;
+package com.skycrate.backend.skycrateBackend.config;
 
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.header.writers.HstsHeaderWriter;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 
-// import org.springframework.context.annotation.Bean;
-// import org.springframework.context.annotation.Configuration;
-// import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-// import org.springframework.security.web.SecurityFilterChain;
+@Configuration
+public class SecurityConfig {
 
-// @Configuration
-// public class SecurityConfig {
+    private final AuthenticationProvider authenticationProvider;
 
-//     @Bean
-//     public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-//         http
-//                 .csrf(csrf -> csrf.disable()) // Disable CSRF for testing APIs
-//                 .authorizeHttpRequests(auth -> auth
-//                         .requestMatchers("/api/hdfs/**").permitAll() // Allow HDFS endpoints
-//                         .anyRequest().authenticated() // Everything else needs auth
-//                 );
+    public SecurityConfig(AuthenticationProvider authenticationProvider) {
+        this.authenticationProvider = authenticationProvider;
+    }
 
-//         return http.build();
-//     }
-// }
+    @Bean
+    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+        http
+                .csrf(csrf -> csrf.disable()) // if using JWT; enable if using sessions
+                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+                .authenticationProvider(authenticationProvider)
+                .authorizeHttpRequests(auth -> auth
+                        .requestMatchers("/api/auth/**").permitAll()
+                        .requestMatchers(HttpMethod.GET, "/public/**").permitAll()
+                        .anyRequest().authenticated()
+                )
+                .requiresChannel(channel -> channel
+                        .anyRequest().requiresSecure()
+                )
+                .headers(headers -> headers
+                        .httpStrictTransportSecurity(hsts -> hsts
+                                .includeSubDomains(true)
+                                .maxAgeInSeconds(31536000)
+                        )
+                        .xssProtection(xss -> xss
+                                .block(true)
+                        )
+                        .frameOptions(frame -> frame
+                                .deny()
+                        )
+                );
+
+        return http.build();
+    }
+}