flyer-crawler.projectium.com/docs/adr/0016-api-security-hardening.md
Torben Sorensen 186ed484b7
last test fixes for upcoming V0.1 + pretty
2025-12-23 17:20:51 -08:00
ADR-016: API Security Hardening

Date: 2025-12-12

Status: Proposed

Context

While authentication (ADR-011) is covered, the API lacks formal policies for protection against common web vulnerabilities and abuse. Security measures like rate limiting, secure HTTP headers, and Cross-Origin Resource Sharing (CORS) are not standardized.

Decision

We will implement a multi-layered security approach for the API:

  1. helmet: Use the helmet library to set crucial security headers (e.g., Content-Security-Policy, X-Content-Type-Options).
  2. Rate Limiting: Apply rate limiting using a library like express-rate-limit on sensitive endpoints (e.g., /login, /register) to prevent brute-force attacks.
  3. CORS: Establish a strict CORS policy to control which domains can access the API.
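The three layers of the decision above, wired together in request order, as an added example that is not part of this ADR or of the project's code base. So that it runs offline without npm packages, it uses hand-written middleware in the same (req, res, next) shape that helmet, express-rate-limit and the cors package expose, with only a subset of helmet's header set; the allowed origin https://flyer-crawler.projectium.com, the 15-minute window of 5 attempts, and the mock request and response objects are assumptions made for the demo, not values taken from the project.

```javascript
// Added example, not project code. Express-style middleware for the three
// ADR-016 layers, dependency-free so it runs under plain Node.

// Layer 1: secure headers. A hand-written subset of what helmet sets by default.
const SECURITY_HEADERS = {
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Referrer-Policy': 'no-referrer',
  'Strict-Transport-Security': 'max-age=15552000; includeSubDomains',
};
function securityHeaders(req, res, next) {
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) res.setHeader(name, value);
  next();
}

// Layer 2: fixed-window rate limit keyed by client IP, for sensitive endpoints.
// Over-limit requests get 429 plus Retry-After; the handler is never reached.
function createRateLimiter({ windowMs, max, now = Date.now }) {
  const buckets = new Map(); // ip -> { count, resetAt }
  return function rateLimit(req, res, next) {
    const t = now();
    let b = buckets.get(req.ip);
    if (!b || b.resetAt <= t) { b = { count: 0, resetAt: t + windowMs }; buckets.set(req.ip, b); }
    b.count += 1;
    res.setHeader('RateLimit-Limit', String(max));
    res.setHeader('RateLimit-Remaining', String(Math.max(0, max - b.count)));
    if (b.count > max) {
      res.setHeader('Retry-After', String(Math.ceil((b.resetAt - t) / 1000)));
      res.statusCode = 429;
      res.end('Too many requests');
      return;
    }
    next();
  };
}

// Layer 3: strict CORS. Exact-match allowlist only: no wildcard and no
// reflecting an arbitrary Origin back. Preflights are answered here.
function createCors(allowedOrigins) {
  const allowed = new Set(allowedOrigins);
  return function cors(req, res, next) {
    const origin = req.headers.origin;
    const permitted = Boolean(origin) && allowed.has(origin);
    if (permitted) {
      res.setHeader('Access-Control-Allow-Origin', origin);
      res.setHeader('Vary', 'Origin'); // caches must not serve one origin's answer to another
      res.setHeader('Access-Control-Allow-Methods', 'GET,POST');
      res.setHeader('Access-Control-Allow-Headers', 'Content-Type,Authorization');
    }
    if (req.method === 'OPTIONS') { res.statusCode = permitted ? 204 : 403; res.end(); return; }
    next();
  };
}

// Wiring in the order the ADR lists. Assumed values: the front-end origin and
// a 15-minute window of 5 attempts for /login and /register.
const authLimiter = createRateLimiter({ windowMs: 15 * 60 * 1000, max: 5 });
const strictCors = createCors(['https://flyer-crawler.projectium.com']);

function runChain(middlewares, req, res) {
  let i = 0;
  const next = () => { if (i < middlewares.length) middlewares[i++](req, res, next); };
  next();
  return res;
}
function handle(req, res) {
  const chain = [securityHeaders, strictCors];
  if (req.path === '/login' || req.path === '/register') chain.push(authLimiter);
  chain.push((rq, rs) => { rs.statusCode = 200; rs.end('ok'); });
  return runChain(chain, req, res);
}

// Mock response so the example runs without a listening HTTP server.
function mockRes() {
  const headers = {};
  return {
    statusCode: 200, body: '', ended: false,
    setHeader(n, v) { headers[n] = v; },
    getHeader(n) { return headers[n]; },
    end(b = '') { this.body = b; this.ended = true; },
  };
}

// Constructed demo: six POST /login attempts from one IP inside the window;
// the sixth is rejected with 429.
function demo() {
  const codes = [];
  for (let i = 0; i < 6; i++) {
    const req = { ip: '203.0.113.7', method: 'POST', path: '/login', headers: {} };
    codes.push(handle(req, mockRes()).statusCode);
  }
  return codes; // [200, 200, 200, 200, 200, 429]
}

module.exports = { securityHeaders, createRateLimiter, createCors, handle, mockRes, demo };
```

The preflight is answered by the CORS layer before the limiter runs, so an OPTIONS request never consumes a login attempt, and a disallowed origin gets no Access-Control-Allow-Origin header at all rather than a reflected one. The same ordering holds when the real packages are used: app.use(helmet()), app.use(cors({ origin: [...] })), then the limiter only on the auth routes.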

Consequences

  • Positive: Significantly improves the application's security posture against common web vulnerabilities like XSS, clickjacking, and brute-force attacks.
  • Negative: Requires careful configuration of CORS and rate limits to avoid blocking legitimate traffic. Content-Security-Policy can be complex to configure correctly.