fix(security): add Helmet headers and rate limiting on auth endpoints

Helmet adds HTTP security headers (HSTS, X-Frame-Options,
X-Content-Type-Options, etc.). CSP is disabled pending deployment-
specific tuning. Rate limiting (10 req / 15 min per IP) is applied
to POST /login and POST / (registration) to mitigate brute force
and credential stuffing attacks.
This commit is contained in:
2026-04-26 20:45:46 +02:00
parent beb8abb2bc
commit ebc7c7751a
2 changed files with 13 additions and 2 deletions
+2
View File
@@ -1,6 +1,7 @@
var express = require('express'),
session = require('express-session'),
cors = require('cors'),
helmet = require('helmet'),
errorhandler = require('errorhandler');
const config = require('./config'),
@@ -9,6 +10,7 @@ const config = require('./config'),
function createApp() {
const app = express();
app.use(helmet({ contentSecurityPolicy: false }));
const allowedOrigins = process.env.ALLOWED_ORIGINS
? process.env.ALLOWED_ORIGINS.split(',').map(o => o.trim())
: [];