security: add helmet, rate limiting, webhook auth, fix token storage, restrict hard deletes

- Add helmet for HTTP security headers (CSP, HSTS, X-Frame-Options, etc.) - Add @nestjs/throttler for rate limiting (100 req/60s per IP) - Add shared secret validation on Signal webhook endpoint - Remove JWT token from localStorage, use Auth0 SDK memory cache with async getAccessTokenSilently() in API interceptor - Restrict hard delete (?hard=true) to ADMINISTRATOR role in service layer - Replace exposed Anthropic API key with placeholder in .env Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-04 18:30:14 +01:00
parent 8e88880838
commit 934464bf8e
18 changed files with 132 additions and 55 deletions
--- a/backend/.env
+++ b/backend/.env
@@ -37,4 +37,4 @@ AVIATIONSTACK_API_KEY="your-aviationstack-api-key"
 # ============================================
 # Get API key from: https://console.anthropic.com/
 # Cost: ~$3 per million tokens
-ANTHROPIC_API_KEY="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"
+ANTHROPIC_API_KEY="your-anthropic-api-key"