Files
adastra_api/src/createApp.js
T
julien ebc7c7751a fix(security): add Helmet headers and rate limiting on auth endpoints
Helmet adds HTTP security headers (HSTS, X-Frame-Options,
X-Content-Type-Options, etc.). CSP is disabled pending deployment-
specific tuning. Rate limiting (10 req / 15 min per IP) is applied
to POST /login and POST / (registration) to mitigate brute force
and credential stuffing attacks.
2026-04-26 20:45:46 +02:00

44 lines
1.3 KiB
JavaScript

var express = require('express'),
session = require('express-session'),
cors = require('cors'),
helmet = require('helmet'),
errorhandler = require('errorhandler');
const config = require('./config'),
swaggerUi = require('swagger-ui-express'),
swaggerSpec = require('./config/swagger');
function createApp() {
const app = express();
app.use(helmet({ contentSecurityPolicy: false }));
const allowedOrigins = process.env.ALLOWED_ORIGINS
? process.env.ALLOWED_ORIGINS.split(',').map(o => o.trim())
: [];
app.use(cors({
origin: allowedOrigins.length > 0 ? allowedOrigins : false,
credentials: true
}));
app.use(express.json());
app.use(express.urlencoded({ extended: true }));
app.use(require('method-override')());
app.use(express.static(__dirname + '/../public'));
app.use(session({
secret: process.env.SESSION_SECRET || config.secret,
cookie: { maxAge: config.session_lifetime },
resave: false,
saveUninitialized: false
}));
if (process.env.APP_ENV !== 'production') {
app.use(errorhandler());
}
app.use('/api-docs', swaggerUi.serve, swaggerUi.setup(swaggerSpec, {
swaggerOptions: { persistAuthorization: true },
}));
return app;
}
module.exports = createApp;