Simon
b2de630983
- Require JWT_SECRET env var (fatal exit if missing) - Add helmet middleware with custom CSP - Cookie Secure flag when NODE_ENV=production - requireAuth re-verifies user.status from DB on every request - class_events DELETE restricted to creator or admin - Rate limit /register (5/hr) and PUT /me/password (5/15min) - Password minimum 6 to 8 chars - crudRoutes truncates strings to 1000 chars - Remove application/octet-stream from allowed upload MIMEs