From 67353fe2d1cf472b98bd747d4573be566a58a837 Mon Sep 17 00:00:00 2001 From: Guenter Sandner Date: Sat, 28 Mar 2026 09:36:54 +0100 Subject: [PATCH 1/2] hardening - Linux hardening flags (all builds): -fstack-protector-strong - Stack canary protection -fPIC - Position Independent Code -Wl,-z,relro,-z,now - Full RELRO (Read-only GOT) - Linux Release-only flags (via configurations.Release): _FORTIFY_SOURCE=2 - Buffer overflow detection -fcf-protection=full - Control Flow Integrity (Intel CET) - macOS hardening flags (all builds): -fstack-protector-strong in OTHER_CFLAGS - Windows hardening flags (all builds): BufferSecurityCheck: "true" (/GS) ControlFlowGuard: "Guard" (/guard:cf) /DYNAMICBASE - ASLR support /NXCOMPAT - DEP/NX bit support - Windows Release-only flags: /sdl - Additional security checks --- binding.gyp | 44 ++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 42 insertions(+), 2 deletions(-) diff --git a/binding.gyp b/binding.gyp index 0f7e2d5b..4adf0262 100644 --- a/binding.gyp +++ b/binding.gyp @@ -11,6 +11,7 @@ "xcode_settings": { "CLANG_CXX_LIBRARY": "libc++", "MACOSX_DEPLOYMENT_TARGET": "10.7", + "OTHER_CFLAGS": [ "-fstack-protector-strong" ] }, "include_dirs": [ " Date: Sat, 28 Mar 2026 09:45:45 +0100 Subject: [PATCH 2/2] remove -fcf-protection from non-x86 builds The -fcf-protection=full flag is now conditional on target_arch=='x64' to prevent build failures on ARM64 architectures (Intel CET is x86-only). --- binding.gyp | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/binding.gyp b/binding.gyp index 4adf0262..f32974e4 100644 --- a/binding.gyp +++ b/binding.gyp 
@@ -74,8 +74,12 @@
 "configurations": {
 "Release": {
 "conditions": [
+ # _FORTIFY_SOURCE applies to all Linux architectures
 ["OS=='linux'", {
- "defines+": [ "_FORTIFY_SOURCE=2" ],
+ "defines+": [ "_FORTIFY_SOURCE=2" ]
+ }],
+ # Control Flow Protection only for x86_64 (Intel CET)
+ ["OS=='linux' and target_arch=='x64'", {
 "cflags+": [ "-fcf-protection=full" ]
 }],
 ["OS=='win'", {
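Review bot: The `_FORTIFY_SOURCE=2` entry under `"defines+"` is emitted as a bare `-D`, and on toolchains that already predefine `_FORTIFY_SOURCE` when optimising (Debian/Ubuntu gcc does, newer releases at level 3) that yields a `"_FORTIFY_SOURCE" redefined` warning — fatal under `-Werror` — and can quietly lower a distro default of 3 to 2. Putting it in the flag list with an explicit undefine first avoids both problems: `"cflags+": [ "-U_FORTIFY_SOURCE", "-D_FORTIFY_SOURCE=2" ]`. The macro also only takes effect with optimisation enabled; the `Release` configuration it sits in is presumably built with -O2/-O3, but that is not visible in this hunk, so it is worth confirming against the project's common.gypi or a build log. The `"conditions"` list and the enclosing `"Release"` block continue past the hunk's last line.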