From ebc7c7751ab9bdd88489005ae286b246a2bfa872 Mon Sep 17 00:00:00 2001 From: Julien Gautier Date: Sun, 26 Apr 2026 20:45:46 +0200 Subject: [PATCH] fix(security): add Helmet headers and rate limiting on auth endpoints Helmet adds HTTP security headers (HSTS, X-Frame-Options, X-Content-Type-Options, etc.). CSP is disabled pending deployment- specific tuning. Rate limiting (10 req / 15 min per IP) is applied to POST /login and POST / (registration) to mitigate brute force and credential stuffing attacks. --- src/createApp.js | 2 ++ src/routes/api/cms/users.routes.js | 13 +++++++++++-- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/src/createApp.js b/src/createApp.js index 8a29655..22c320c 100644 --- a/src/createApp.js +++ b/src/createApp.js @@ -1,6 +1,7 @@ var express = require('express'), session = require('express-session'), cors = require('cors'), + helmet = require('helmet'), errorhandler = require('errorhandler'); const config = require('./config'), @@ -9,6 +10,7 @@ const config = require('./config'), function createApp() { const app = express(); + app.use(helmet({ contentSecurityPolicy: false })); const allowedOrigins = process.env.ALLOWED_ORIGINS ? process.env.ALLOWED_ORIGINS.split(',').map(o => o.trim()) : []; diff --git a/src/routes/api/cms/users.routes.js b/src/routes/api/cms/users.routes.js index 531cfa9..813d1b1 100644 --- a/src/routes/api/cms/users.routes.js +++ b/src/routes/api/cms/users.routes.js @@ -1,4 +1,5 @@ const express = require('express'); +const rateLimit = require('express-rate-limit'); const { authenticate, createUser, getUser, loginAsUser, updateUser, updateUserEmail, updateUserPassword, updateUserRole, updateUserUsername @@ -7,11 +8,19 @@ const auth = require('../../../middlewares/auth'); const userRouter = express.Router(); +const authLimiter = rateLimit({ + windowMs: 15 * 60 * 1000, + max: 10, + standardHeaders: true, + legacyHeaders: false, + message: { errors: { 'rate limit': 'too many attempts, please try again later' } } +}); + userRouter.get('/', auth.required, getUser); userRouter.put('/', auth.required, updateUser); -userRouter.post('/', auth.optional, createUser); +userRouter.post('/', authLimiter, auth.optional, createUser); userRouter.get('/authenticate', auth.optional, authenticate); -userRouter.post('/login', auth.optional, loginAsUser); +userRouter.post('/login', authLimiter, auth.optional, loginAsUser); //userRouter.post('/register', auth.optional, createUser); //userRouter.get('/users', auth.required, getAllUsers); userRouter.put('/update/email', auth.required, updateUserEmail);