harden security: enforce JWT_SECRET, helmet, CSP, stricter rate limits

- Require JWT_SECRET env var (fatal exit if missing) - Add helmet middleware with custom CSP - Cookie Secure flag when NODE_ENV=production - requireAuth re-verifies user.status from DB on every request - class_events DELETE restricted to creator or admin - Rate limit /register (5/hr) and PUT /me/password (5/15min) - Password minimum 6 to 8 chars - crudRoutes truncates strings to 1000 chars - Remove application/octet-stream from allowed upload MIMEs
2026-04-17 23:40:27 +02:00
parent 8f75bc6a10
commit b2de630983
7 changed files with 87 additions and 15 deletions
@@ -43,7 +43,7 @@ const ALLOWED_MIME = new Set([
  'image/jpeg','image/png','image/gif','image/webp','image/bmp','image/tiff',
  'application/zip','application/x-zip-compressed',
  'application/vnd.rar','application/x-rar-compressed',
-  'application/x-7z-compressed','text/csv','application/octet-stream',
+  'application/x-7z-compressed','text/csv',
 ]);
 const EXT_MIME = {
  pdf:'application/pdf', doc:'application/msword',