harden security: enforce JWT_SECRET, helmet, CSP, stricter rate limits

- Require JWT_SECRET env var (fatal exit if missing) - Add helmet middleware with custom CSP - Cookie Secure flag when NODE_ENV=production - requireAuth re-verifies user.status from DB on every request - class_events DELETE restricted to creator or admin - Rate limit /register (5/hr) and PUT /me/password (5/15min) - Password minimum 6 to 8 chars - crudRoutes truncates strings to 1000 chars - Remove application/octet-stream from allowed upload MIMEs
2026-04-17 23:40:27 +02:00
parent 8f75bc6a10
commit b2de630983
7 changed files with 87 additions and 15 deletions
@@ -15,6 +15,7 @@
    "cookie-parser": "^1.4.7",
    "express": "^5.2.1",
    "express-rate-limit": "^8.3.2",
+    "helmet": "^8.1.0",
    "jsonwebtoken": "^9.0.3",
    "multer": "^2.1.1",
    "otplib": "^13.4.0",