security: complete Phase 0 Quick Wins implementation
Phase 0 Complete (QW-1 through QW-8):
✅ Enhanced input validation with HTML sanitization
✅ Form rate limiting (5 req/min on all submission endpoints)
✅ Modern CSRF protection (SameSite cookies + double-submit pattern)
✅ Security audit logging (CSRF violations captured)
✅ Applied to all public form endpoints:
- /api/cases/submit (case studies)
- /api/media/inquiries (media inquiries)
- /api/newsletter/subscribe (newsletter)
New Middleware:
- csrf-protection.middleware.js (replaces deprecated csurf package)
- Enhanced input-validation.middleware.js applied to all forms
Security Features Active:
- Security headers (CSP, HSTS, X-Frame-Options, etc.)
- Rate limiting (100 req/15min public, 5 req/min forms)
- CSRF protection (double-submit cookie pattern)
- HTML sanitization (XSS prevention)
- Response sanitization (hide stack traces)
- Security event logging
Implements: inst_041, inst_042, inst_043, inst_044, inst_045, inst_046
Refs: docs/plans/security-implementation-roadmap.md Phase 0
059dd43b72