# ADR-016: API Security Hardening
**Date**: 2025-12-12
**Status**: Proposed
## Context
While authentication (`ADR-011`) is covered, the API lacks formal policies for protection against common web vulnerabilities and abuse. Security measures like rate limiting, secure HTTP headers, and Cross-Origin Resource Sharing (CORS) are not standardized.
## Decision
We will implement a multi-layered security approach for the API:
1. **`helmet`**: Use the `helmet` library to set crucial security headers (e.g., Content-Security-Policy, X-Content-Type-Options).
2. **Rate Limiting**: Apply rate limiting using a library like `express-rate-limit` on sensitive endpoints (e.g., `/login`, `/register`) to prevent brute-force attacks.
3. **CORS**: Establish a strict CORS policy to control which domains can access the API.
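The three controls above, written as plain Node.js functions so the policy can be unit-tested without Express. This is an added illustration, not the project's code: in the service itself these map onto the `helmet()`, `express-rate-limit` and `cors()` middleware configurations, and the origin allowlist, window length and request limit below are assumed values.

```javascript
// Added example of the ADR-016 policy as dependency-free Node.js; the
// allowlist, windowMs and max are assumptions, not project settings.

// 1. Security headers (a subset of what helmet sets by default).
const SECURITY_HEADERS = {
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Strict-Transport-Security': 'max-age=15552000; includeSubDomains',
};

// 2. Fixed-window limiter keyed by client IP (windowMs/max mirror the
//    express-rate-limit options), applied only to the sensitive paths.
class RateLimiter {
  constructor({ windowMs, max }) {
    Object.assign(this, { windowMs, max, hits: new Map() });
  }
  // true -> let the request through, false -> answer 429.
  allow(key, now = Date.now()) {
    const e = this.hits.get(key);
    if (!e || now - e.start >= this.windowMs) {
      this.hits.set(key, { start: now, count: 1 });
      return true;
    }
    return ++e.count <= this.max;
  }
}
const SENSITIVE_PATHS = new Set(['/login', '/register']);
const authLimiter = new RateLimiter({ windowMs: 15 * 60 * 1000, max: 10 });

// 3. Strict CORS: only an exact allowlist match is echoed back; any other
//    origin gets no Access-Control-Allow-Origin header at all (never "*").
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);
function corsHeaders(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Methods': 'GET,POST',
    Vary: 'Origin',
  };
}

// Compose the layers for one request. Returns {status, headers} so it can be
// tested without a socket and later wrapped by an http.createServer handler.
function handle({ path, origin, ip }, now = Date.now()) {
  const headers = { ...SECURITY_HEADERS, ...corsHeaders(origin) };
  if (SENSITIVE_PATHS.has(path) && !authLimiter.allow(ip, now)) {
    return { status: 429, headers: { ...headers, 'Retry-After': '900' } };
  }
  return { status: 200, headers };
}
```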
## Consequences
- **Positive**: Significantly improves the application's security posture against common web vulnerabilities like XSS, clickjacking, and brute-force attacks.
- **Negative**: Requires careful configuration of CORS and rate limits to avoid blocking legitimate traffic. Content-Security-Policy can be complex to configure correctly.