fix(security): add Helmet headers and rate limiting on auth endpoints

Helmet adds HTTP security headers (HSTS, X-Frame-Options,
X-Content-Type-Options, etc.). CSP is disabled pending deployment-
specific tuning. Rate limiting (10 req / 15 min per IP) is applied
to POST /login and POST / (registration) to mitigate brute force
and credential stuffing attacks.
This commit is contained in:
2026-04-26 20:45:46 +02:00
parent beb8abb2bc
commit ebc7c7751a
2 changed files with 13 additions and 2 deletions
+11 -2
View File
@@ -1,4 +1,5 @@
const express = require('express');
const rateLimit = require('express-rate-limit');
const {
authenticate, createUser, getUser, loginAsUser,
updateUser, updateUserEmail, updateUserPassword, updateUserRole, updateUserUsername
@@ -7,11 +8,19 @@ const auth = require('../../../middlewares/auth');
const userRouter = express.Router();
const authLimiter = rateLimit({
windowMs: 15 * 60 * 1000,
max: 10,
standardHeaders: true,
legacyHeaders: false,
message: { errors: { 'rate limit': 'too many attempts, please try again later' } }
});
userRouter.get('/', auth.required, getUser);
userRouter.put('/', auth.required, updateUser);
userRouter.post('/', auth.optional, createUser);
userRouter.post('/', authLimiter, auth.optional, createUser);
userRouter.get('/authenticate', auth.optional, authenticate);
userRouter.post('/login', auth.optional, loginAsUser);
userRouter.post('/login', authLimiter, auth.optional, loginAsUser);
//userRouter.post('/register', auth.optional, createUser);
//userRouter.get('/users', auth.required, getAllUsers);
userRouter.put('/update/email', auth.required, updateUserEmail);