fix(security): add Helmet headers and rate limiting on auth endpoints
Helmet adds HTTP security headers (HSTS, X-Frame-Options, X-Content-Type-Options, etc.). CSP is disabled pending deployment- specific tuning. Rate limiting (10 req / 15 min per IP) is applied to POST /login and POST / (registration) to mitigate brute force and credential stuffing attacks.
This commit is contained in:
@@ -1,6 +1,7 @@
|
||||
var express = require('express'),
|
||||
session = require('express-session'),
|
||||
cors = require('cors'),
|
||||
helmet = require('helmet'),
|
||||
errorhandler = require('errorhandler');
|
||||
|
||||
const config = require('./config'),
|
||||
@@ -9,6 +10,7 @@ const config = require('./config'),
|
||||
|
||||
function createApp() {
|
||||
const app = express();
|
||||
app.use(helmet({ contentSecurityPolicy: false }));
|
||||
const allowedOrigins = process.env.ALLOWED_ORIGINS
|
||||
? process.env.ALLOWED_ORIGINS.split(',').map(o => o.trim())
|
||||
: [];
|
||||
|
||||
Reference in New Issue
Block a user