kyle/vip-coordinator
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: add helmet, rate limiting, webhook auth, fix token storage, restrict hard deletes

Browse Source 
- Add helmet for HTTP security headers (CSP, HSTS, X-Frame-Options, etc.)
- Add @nestjs/throttler for rate limiting (100 req/60s per IP)
- Add shared secret validation on Signal webhook endpoint
- Remove JWT token from localStorage, use Auth0 SDK memory cache
  with async getAccessTokenSilently() in API interceptor
- Restrict hard delete (?hard=true) to ADMINISTRATOR role in service layer
- Replace exposed Anthropic API key with placeholder in .env

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
kyle
2026-02-04 18:30:14 +01:00
parent 8e88880838
commit 934464bf8e
18 changed files with 132 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
backend/package.json
View File

@@ -35,11 +35,13 @@
"@nestjs/passport": "^10.0.3",
"@nestjs/platform-express": "^10.3.0",
"@nestjs/schedule": "^4.1.2",
"@nestjs/throttler": "^6.5.0",
"@prisma/client": "^5.8.1",
"@types/pdfkit": "^0.17.4",
"axios": "^1.6.5",
"class-transformer": "^0.5.1",
"class-validator": "^0.14.0",
"helmet": "^8.1.0",
"ics": "^3.8.1",
"ioredis": "^5.3.2",
"jwks-rsa": "^3.1.0",