fix(api): security hardening — helmet + auth rate limiting (#641)

Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-03-01 22:43:10 +00:00
parent e7da4ca25e
commit 6eb91c9eba
4 changed files with 20 additions and 1 deletions
--- a/apps/api/src/auth/auth.controller.ts
+++ b/apps/api/src/auth/auth.controller.ts
@@ -106,7 +106,7 @@ export class AuthController {
  // @SkipCsrf avoids double-protection conflicts.
  // See: https://www.better-auth.com/docs/reference/security
  @SkipCsrf()
-  @Throttle({ strict: { limit: 10, ttl: 60000 } })
+  @Throttle({ default: { ttl: 60_000, limit: 5 } })
  async handleAuth(@Req() req: ExpressRequest, @Res() res: ExpressResponse): Promise<void> {
    // Extract client IP for logging
    const clientIp = this.getClientIp(req);
--- a/apps/api/src/main.ts
+++ b/apps/api/src/main.ts
@@ -1,6 +1,7 @@
 import { NestFactory } from "@nestjs/core";
 import { RequestMethod, ValidationPipe } from "@nestjs/common";
 import cookieParser from "cookie-parser";
+import helmet from "helmet";
 import { AppModule } from "./app.module";
 import { getTrustedOrigins } from "./auth/auth.config";
 import { GlobalExceptionFilter } from "./filters/global-exception.filter";
@@ -33,6 +34,14 @@ async function bootstrap() {
  // Enable cookie parser for session handling
  app.use(cookieParser());

+  // Enable helmet security headers
+  app.use(
+    helmet({
+      contentSecurityPolicy: false, // Let Next.js handle CSP
+      crossOriginEmbedderPolicy: false,
+    })
+  );
+
  // Enable global validation pipe with transformation
  app.useGlobalPipes(
    new ValidationPipe({