Enhance security features in ServerSync and TabSync

- Added security requirements and guidelines in IStoreHub.cs for authorization, document access validation, rate limiting, and message size limits.
- Implemented message signing, rate limiting, and message size validation in ServerSyncMiddleware.cs.
- Introduced ServerSyncOptions.cs properties for validation requirements, message size limits, rate limiting, and message signing.
- Created ServerSyncSecurityExtensions.cs for configuring secure defaults and validation callbacks.
- Updated StateUpdate.cs to include HMAC-SHA256 signature for message integrity verification.
- Enhanced TabSync with message signing capabilities and key derivation options in TabSyncOptions.cs.
- Added JavaScript function to derive signing key from window location for cross-tab synchronization.
- Updated test projects to target .NET 10 and updated dependencies for compatibility.
- Adjusted persistence tests to validate state serialization correctly.

Author: mashrulhaque

README.md

@@ -651,6 +651,18 @@ public class MyPlugin : StorePluginBase<AppState>
 
 ## Security
 
+**IMPORTANT**: Review [`docs/SECURITY.md`](docs/SECURITY.md) before deploying to production.
+
+### Critical Security Requirements
+
+Before production deployment:
+
+1. **Disable DevTools** - Use `#if DEBUG` to remove `.WithDevTools()`
+2. **Mark Sensitive Data** - Add `[SensitiveData]` to passwords, tokens, keys
+3. **Validate External State** - Implement `IStateValidator<T>` for persistence/sync
+4. **Never Persist Secrets** - Use `TransformOnSave` to exclude sensitive fields
+5. **Enable Message Signing** - Call `.EnableMessageSigning()` for TabSync
+
 ### Sensitive Data Filtering
 
 Prevent passwords/tokens from appearing in DevTools:
@@ -665,6 +677,16 @@ public record UserState(
 // In DevTools: { Name: "John", Password: "[REDACTED]", ApiToken: "[REDACTED]" }
 ```
 
+**WARNING**: DevTools should NEVER be shipped to production. Always use:
+
+```csharp
+#if DEBUG
+    .WithDefaults(sp, "MyStore")     // DevTools + Logging
+#else
+    .WithLogging()                   // Logging only
+#endif
+```
+
 ### State Validation
 
 ```csharp

samples/EasyAppDev.Blazor.Store.Sample/EasyAppDev.Blazor.Store.Sample.csproj

@@ -1,14 +1,14 @@
 <Project Sdk="Microsoft.NET.Sdk.BlazorWebAssembly">
 
   <PropertyGroup>
-    <TargetFramework>net8.0</TargetFramework>
+    <TargetFramework>net10.0</TargetFramework>
     <Nullable>enable</Nullable>
     <ImplicitUsings>enable</ImplicitUsings>
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly" Version="8.0.15" />
-    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.DevServer" Version="8.0.15" PrivateAssets="all" />
+    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly" Version="10.0.0-preview.1.25120.3" />
+    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.DevServer" Version="10.0.0-preview.1.25120.3" PrivateAssets="all" />
   </ItemGroup>
 
   <ItemGroup>

samples/EasyAppDev.Blazor.Store.Sample/Program.cs

@@ -23,7 +23,10 @@
 
 builder.Services.AddScoped(sp => new HttpClient { BaseAddress = new Uri(builder.HostEnvironment.BaseAddress) });
 
-// Register diagnostics service - only available in DEBUG builds
+// ============================================================================
+// SECURITY NOTE: Diagnostics are DEBUG-only and expose full state snapshots
+// Never ship diagnostic features to production
+// ============================================================================
 #if DEBUG
 builder.Services.AddStoreDiagnostics();
 #endif
@@ -46,6 +49,8 @@
 
 // ============================================================================
 // Counter Store - Basic example with DevTools and Logging
+// SECURITY: WithDefaults() includes DevTools - only use in DEBUG builds
+// For production, use .WithLogging() instead
 // ============================================================================
 builder.Services.AddStore(
     new CounterState(0),
@@ -92,6 +97,8 @@
 // Shopping Cart Store - Demonstrates persistence with LocalStorage
 // State survives page refreshes and browser restarts
 // WithPersistence automatically loads and saves state - no manual hydration needed!
+// SECURITY: For production with sensitive data, use TransformOnSave to exclude
+// sensitive fields and add IStateValidator to validate hydrated state
 // ============================================================================
 builder.Services.AddStore(
     ShoppingCartState.Empty,
@@ -185,6 +192,11 @@
 // ============================================================================
 // Tab Sync Demo Store - Demonstrates cross-tab synchronization
 // Real-time state sync across browser tabs using BroadcastChannel
+// SECURITY: For production with sensitive data, enable message signing:
+//   .EnableMessageSigning()
+//   .RequireValidSignature(true)
+//   .MaxMessageAgeSeconds(30)
+//   .ValidateTimestamp(true)
 // ============================================================================
 builder.Services.AddStore(
     TabSyncDemoState.Initial,
@@ -207,6 +219,9 @@
 // ============================================================================
 // Security Demo Store - Demonstrates sensitive data filtering
 // Properties marked with [SensitiveData] are filtered from DevTools
+// SECURITY BEST PRACTICE: Always mark passwords, tokens, API keys, and PII
+// with [SensitiveData] attribute to prevent exposure in DevTools/logs
+// Example: [property: SensitiveData] string Password
 // ============================================================================
 builder.Services.AddStore(
     SecurityDemoState.Initial,

samples/EasyAppDev.Blazor.Store.ServerSample/EasyAppDev.Blazor.Store.ServerSample.csproj

@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
 
   <PropertyGroup>
-    <TargetFramework>net8.0</TargetFramework>
+    <TargetFramework>net10.0</TargetFramework>
     <Nullable>enable</Nullable>
     <ImplicitUsings>enable</ImplicitUsings>
   </PropertyGroup>

samples/EasyAppDev.Blazor.Store.ServerSample/Program.cs

@@ -13,6 +13,8 @@
 
 // ============================================================================
 // SINGLETON STORE - Shared across ALL users (demonstrates the problem)
+// SECURITY: Singleton stores should NOT contain user-specific data
+// Use scoped stores for per-user isolation
 // ============================================================================
 builder.Services.AddStore(
     new SingletonCounterState(),
@@ -21,6 +23,8 @@
 // ============================================================================
 // SCOPED STORES - Isolated per user/circuit (the solution!)
 // With IServiceProvider access, DevTools now work!
+// SECURITY: Scoped stores provide per-user isolation - use for user-specific data
+// For production, wrap DevTools with #if DEBUG
 // ============================================================================
 
 // Scoped counter - each user gets their own

src/EasyAppDev.Blazor.Store/Blazor/StoreBuilderExtensions.cs

@@ -14,8 +14,9 @@ namespace EasyAppDev.Blazor.Store.Blazor;
 public static class StoreBuilderExtensions
 {
     /// <summary>
-    /// Applies default middleware configuration: DevTools and Logging.
+    /// Applies default middleware configuration: DevTools (DEBUG only) and Logging.
     /// Works in all render modes (Server, WebAssembly, Auto) with lazy IJSRuntime resolution.
+    /// DevTools are automatically disabled in Release builds for security.
     /// </summary>
     /// <typeparam name="TState">The type of state.</typeparam>
     /// <param name="builder">The store builder.</param>
@@ -28,10 +29,33 @@ public static StoreBuilder<TState> WithDefaults<TState>(
         string? storeName = null)
         where TState : notnull
     {
-        // Use service provider-based DevTools for lazy IJSRuntime resolution
-        // Works in Server (gracefully fails), WASM (succeeds), and Auto (Server→WASM transition)
-        return builder.WithDevTools(serviceProvider, storeName ?? typeof(TState).Name)
-                      .WithLogging();
+        return builder.WithDefaults(serviceProvider, storeName, includeDevTools: true);
+    }
+
+    /// <summary>
+    /// Applies default middleware configuration with explicit DevTools control.
+    /// DevTools are only active in DEBUG builds and can be further controlled via the includeDevTools parameter.
+    /// </summary>
+    /// <typeparam name="TState">The type of state.</typeparam>
+    /// <param name="builder">The store builder.</param>
+    /// <param name="serviceProvider">The service provider for resolving dependencies.</param>
+    /// <param name="storeName">The name to display in DevTools. Defaults to the state type name.</param>
+    /// <param name="includeDevTools">Whether to include DevTools (only works in DEBUG builds).</param>
+    /// <returns>The configured builder for chaining.</returns>
+    public static StoreBuilder<TState> WithDefaults<TState>(
+        this StoreBuilder<TState> builder,
+        IServiceProvider serviceProvider,
+        string? storeName,
+        bool includeDevTools)
+        where TState : notnull
+    {
+#if DEBUG
+        if (includeDevTools)
+        {
+            builder = builder.WithDevTools(serviceProvider, storeName ?? typeof(TState).Name);
+        }
+#endif
+        return builder.WithLogging();
     }
 
     /// <summary>

src/EasyAppDev.Blazor.Store/Core/StoreBuilder.cs

@@ -188,19 +188,26 @@ public StoreBuilder<TState> OnError(Action<StoreError<TState>> handler)
     /// <summary>
     /// Enables Redux DevTools integration with lazy IJSRuntime resolution.
     /// Works in all render modes: Server, WebAssembly, and Auto (Server → WASM).
+    /// WARNING: DevTools are only available in DEBUG builds. In Release builds, this method is a no-op.
+    /// DevTools expose your application state and should never be used in production.
     /// </summary>
     /// <param name="serviceProvider">Service provider to resolve IJSRuntime on-demand.</param>
     /// <param name="storeName">The name to display in DevTools. Defaults to the state type name.</param>
     /// <returns>The builder instance for chaining.</returns>
     public StoreBuilder<TState> WithDevTools(IServiceProvider serviceProvider, string? storeName = null)
     {
+#if DEBUG
         ArgumentNullException.ThrowIfNull(serviceProvider);
 
         var devToolsMiddleware = new DevToolsMiddleware<TState>(
             serviceProvider,
             storeName ?? typeof(TState).Name);
 
         return WithMiddleware(devToolsMiddleware);
+#else
+        // No-op in Release builds for security
+        return this;
+#endif
     }
 
     /// <summary>

src/EasyAppDev.Blazor.Store/DevTools/DevToolsBuilderExtensions.cs

@@ -12,8 +12,11 @@ namespace EasyAppDev.Blazor.Store.DevTools;
 /// </summary>
 public static class DevToolsBuilderExtensions
 {
+#if DEBUG
     /// <summary>
     /// Enables enhanced Redux DevTools integration with full time-travel support.
+    /// WARNING: DevTools are only available in DEBUG builds. In Release builds, this method is a no-op.
+    /// DevTools expose your application state and should never be used in production.
     /// </summary>
     /// <typeparam name="TState">The type of state.</typeparam>
     /// <param name="builder">The store builder.</param>
@@ -25,7 +28,7 @@ public static class DevToolsBuilderExtensions
     /// builder.WithEnhancedDevTools(sp, options =>
     /// {
     ///     options.Name = "MyStore";
-    ///     options.EnableStateEditing = true;
+    ///     options.EnableStateEditing = false;  // Disabled by default for security
     ///     options.MaxHistory = 50;
     ///     options.StateSanitizer = state => state with { Password = "***" };
     /// });
@@ -51,6 +54,8 @@ public static StoreBuilder<TState> WithEnhancedDevTools<TState>(
 
     /// <summary>
     /// Enables enhanced Redux DevTools with default configuration.
+    /// WARNING: DevTools are only available in DEBUG builds. In Release builds, this method is a no-op.
+    /// DevTools expose your application state and should never be used in production.
     /// </summary>
     /// <typeparam name="TState">The type of state.</typeparam>
     /// <param name="builder">The store builder.</param>
@@ -68,4 +73,33 @@ public static StoreBuilder<TState> WithEnhancedDevTools<TState>(
             options.Name = storeName;
         });
     }
+#else
+    /// <summary>
+    /// DevTools stub for Release builds. This method does nothing in production.
+    /// DevTools are disabled in Release builds for security reasons.
+    /// </summary>
+    public static StoreBuilder<TState> WithEnhancedDevTools<TState>(
+        this StoreBuilder<TState> builder,
+        IServiceProvider serviceProvider,
+        Action<DevToolsOptions<TState>>? configure = null)
+        where TState : notnull
+    {
+        // No-op in Release builds
+        return builder;
+    }
+
+    /// <summary>
+    /// DevTools stub for Release builds. This method does nothing in production.
+    /// DevTools are disabled in Release builds for security reasons.
+    /// </summary>
+    public static StoreBuilder<TState> WithEnhancedDevTools<TState>(
+        this StoreBuilder<TState> builder,
+        IServiceProvider serviceProvider,
+        string storeName)
+        where TState : notnull
+    {
+        // No-op in Release builds
+        return builder;
+    }
+#endif
 }

src/EasyAppDev.Blazor.Store/DevTools/DevToolsMiddleware.cs

@@ -1,3 +1,4 @@
+#if DEBUG
 using Microsoft.Extensions.Logging;
 using Microsoft.JSInterop;
 using System.Text.Json;
@@ -10,6 +11,8 @@ namespace EasyAppDev.Blazor.Store.DevTools;
 /// Middleware that integrates with Redux DevTools browser extension.
 /// Uses lazy IJSRuntime resolution via IServiceProvider for compatibility
 /// with Blazor Server, WebAssembly, and Auto render modes.
+/// IMPORTANT: This middleware is only available in DEBUG builds for security reasons.
+/// DevTools expose your application state and should never be used in production.
 /// </summary>
 /// <typeparam name="TState">The type of state managed by the store.</typeparam>
 public class DevToolsMiddleware<TState> : IMiddleware<TState>, IAsyncDisposable
@@ -188,3 +191,54 @@ public async ValueTask DisposeAsync()
         GC.SuppressFinalize(this);
     }
 }
+
+#else
+
+using EasyAppDev.Blazor.Store.Middleware;
+
+namespace EasyAppDev.Blazor.Store.DevTools;
+
+/// <summary>
+/// No-op DevTools middleware stub for Release builds.
+/// DevTools are disabled in production for security reasons.
+/// </summary>
+/// <typeparam name="TState">The type of state managed by the store.</typeparam>
+public class DevToolsMiddleware<TState> : IMiddleware<TState>, IAsyncDisposable
+    where TState : notnull
+{
+    /// <summary>
+    /// No-op constructor for Release builds.
+    /// </summary>
+    public DevToolsMiddleware(
+        IServiceProvider serviceProvider,
+        string storeName = "Store",
+        object? logger = null)
+    {
+    }
+
+    /// <summary>
+    /// No-op constructor for Release builds.
+    /// </summary>
+    public DevToolsMiddleware(
+        IServiceProvider serviceProvider,
+        string storeName,
+        object? options,
+        object? logger = null)
+    {
+    }
+
+    /// <inheritdoc />
+    public Task OnBeforeUpdateAsync(TState currentState, string? action) => Task.CompletedTask;
+
+    /// <inheritdoc />
+    public Task OnAfterUpdateAsync(TState previousState, TState currentState, string? action) => Task.CompletedTask;
+
+    /// <inheritdoc />
+    public ValueTask DisposeAsync()
+    {
+        GC.SuppressFinalize(this);
+        return ValueTask.CompletedTask;
+    }
+}
+
+#endif

src/EasyAppDev.Blazor.Store/DevTools/DevToolsOptions.cs

@@ -19,9 +19,10 @@ public class DevToolsOptions<TState> where TState : notnull
 
     /// <summary>
     /// Gets or sets whether time-travel debugging is enabled.
-    /// Default is true.
+    /// Default is false for security. Time-travel allows jumping to previous states,
+    /// which can expose historical sensitive data.
     /// </summary>
-    public bool EnableTimeTravel { get; set; } = true;
+    public bool EnableTimeTravel { get; set; } = false;
 
     /// <summary>
     /// Gets or sets the maximum number of actions to keep in history.
@@ -31,13 +32,15 @@ public class DevToolsOptions<TState> where TState : notnull
 
     /// <summary>
     /// Gets or sets whether action replay is enabled.
-    /// Default is true.
+    /// Default is false for security. Action replay allows re-executing actions,
+    /// which could have unintended side effects in production environments.
     /// </summary>
-    public bool EnableActionReplay { get; set; } = true;
+    public bool EnableActionReplay { get; set; } = false;
 
     /// <summary>
     /// Gets or sets whether state editing from DevTools is enabled.
-    /// Default is false for safety.
+    /// Default is false for security. State editing allows arbitrary state modifications
+    /// from the browser DevTools, which is a serious security risk in production.
     /// </summary>
     public bool EnableStateEditing { get; set; } = false;