tractatus/src/routes
TheFlow 059dd43b72 security: complete Phase 0 Quick Wins implementation
Phase 0 Complete (QW-1 through QW-8):
- Enhanced input validation with HTML sanitization
- Form rate limiting (5 req/min on all submission endpoints)
- Modern CSRF protection (SameSite cookies + double-submit pattern)
- Security audit logging (CSRF violations captured)
- Applied to all public form endpoints:
  - /api/cases/submit (case studies)
  - /api/media/inquiries (media inquiries)
  - /api/newsletter/subscribe (newsletter)

New Middleware:
- csrf-protection.middleware.js (replaces deprecated csurf package)
- Enhanced input-validation.middleware.js applied to all forms

Security Features Active:
- Security headers (CSP, HSTS, X-Frame-Options, etc.)
- Rate limiting (100 req/15min public, 5 req/min forms)
- CSRF protection (double-submit cookie pattern)
- HTML sanitization (XSS prevention)
- Response sanitization (hide stack traces)
- Security event logging

Implements: inst_041, inst_042, inst_043, inst_044, inst_045, inst_046
Refs: docs/plans/security-implementation-roadmap.md Phase 0
2025-10-14 15:32:54 +13:00
admin.routes.js feat: add API routes, controllers, and migration tools 2025-10-07 00:36:40 +13:00
audit.routes.js feat: enhance framework services and format architectural documentation 2025-10-11 00:50:47 +13:00
auth.routes.js security: comprehensive security audit and hardening 2025-10-10 05:34:40 +13:00
blog.routes.js feat: comprehensive accessibility improvements (WCAG 2.1 AA) 2025-10-12 07:08:40 +13:00
cases.routes.js security: complete Phase 0 Quick Wins implementation 2025-10-14 15:32:54 +13:00
demo.routes.js feat: comprehensive accessibility improvements (WCAG 2.1 AA) 2025-10-12 07:08:40 +13:00
documents.routes.js feat: implement documentation reorganization with archives 2025-10-11 01:26:14 +13:00
governance.routes.js feat(infra): semantic versioning and systemd service implementation 2025-10-09 09:16:22 +13:00
index.js feat: newsletter modal and deployment script enhancements 2025-10-14 13:11:46 +13:00
koha.routes.js security: complete Koha authentication and security hardening 2025-10-09 21:10:29 +13:00
media.routes.js security: complete Phase 0 Quick Wins implementation 2025-10-14 15:32:54 +13:00
newsletter.routes.js security: complete Phase 0 Quick Wins implementation 2025-10-14 15:32:54 +13:00
projects.routes.js feat: implement Rule Manager and Project Manager admin systems 2025-10-11 17:16:51 +13:00
rules.routes.js feat: implement Rule Manager and Project Manager admin systems 2025-10-11 17:16:51 +13:00