fix(security): add Helmet headers and rate limiting on auth endpoints
Helmet adds HTTP security headers (HSTS, X-Frame-Options, X-Content-Type-Options, etc.). CSP is disabled pending deployment- specific tuning. Rate limiting (10 req / 15 min per IP) is applied to POST /login and POST / (registration) to mitigate brute force and credential stuffing attacks.
This commit is contained in:
@@ -1,4 +1,5 @@
|
||||
const express = require('express');
|
||||
const rateLimit = require('express-rate-limit');
|
||||
const {
|
||||
authenticate, createUser, getUser, loginAsUser,
|
||||
updateUser, updateUserEmail, updateUserPassword, updateUserRole, updateUserUsername
|
||||
@@ -7,11 +8,19 @@ const auth = require('../../../middlewares/auth');
|
||||
|
||||
const userRouter = express.Router();
|
||||
|
||||
const authLimiter = rateLimit({
|
||||
windowMs: 15 * 60 * 1000,
|
||||
max: 10,
|
||||
standardHeaders: true,
|
||||
legacyHeaders: false,
|
||||
message: { errors: { 'rate limit': 'too many attempts, please try again later' } }
|
||||
});
|
||||
|
||||
userRouter.get('/', auth.required, getUser);
|
||||
userRouter.put('/', auth.required, updateUser);
|
||||
userRouter.post('/', auth.optional, createUser);
|
||||
userRouter.post('/', authLimiter, auth.optional, createUser);
|
||||
userRouter.get('/authenticate', auth.optional, authenticate);
|
||||
userRouter.post('/login', auth.optional, loginAsUser);
|
||||
userRouter.post('/login', authLimiter, auth.optional, loginAsUser);
|
||||
//userRouter.post('/register', auth.optional, createUser);
|
||||
//userRouter.get('/users', auth.required, getAllUsers);
|
||||
userRouter.put('/update/email', auth.required, updateUserEmail);
|
||||
|
||||
Reference in New Issue
Block a user