Add security hardening: helmet, CORS allowlist, body limit, ID validation #8

Open
iswa wants to merge 1 commits from security/fix-footguns into master
  • Install and configure helmet with basic CSP in app.js
  • Restrict CORS to ALLOWED_ORIGIN env var (default localhost:5173)
  • Add express.json 1mb body size limit to prevent memory exhaustion
  • Add parseInt+isNaN validation for all :id route params in bills.js
    and financing.js (GET/PUT/DELETE/:id and PATCH financing-payments/:id)
  • Extend bills.routes.test.js and financing.routes.test.js with ID
    validation tests (non-numeric IDs → HTTP 400)

Nightshift-Task: security-footgun
Nightshift-Ref: https://github.com/marcus/nightshift

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
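The pieces this PR describes (a CORS allowlist driven by ALLOWED_ORIGIN, and parseInt+isNaN validation of `:id` route params returning HTTP 400) written out as plain, unit-testable functions. This is an added example, not code from the PR or the budget-app repository; the names `parseAllowedOrigins`, `makeOriginCheck`, `parseRouteId`, `requireIdParam` and `runMiddleware` are mine, and the Express/helmet/cors wiring is only sketched in comments so the block runs without any npm packages. It goes one step past the description: because `parseInt('12abc', 10)` is `12`, a bare parseInt+isNaN check still accepts trailing junk, so the validator here also requires a digits-only string.

```javascript
// Added example (not the PR's own code). Hardening helpers from the PR
// description as pure functions, exercised with constructed stand-ins
// for Express req/res so no server or npm package is needed.

const DEFAULT_ORIGIN = 'http://localhost:5173'; // default named in the PR

// Build the CORS allowlist from an ALLOWED_ORIGIN-style value.
// Accepts a comma-separated list; falls back to the Vite dev origin.
function parseAllowedOrigins(envValue) {
  const raw = envValue && envValue.trim() ? envValue : DEFAULT_ORIGIN;
  return new Set(raw.split(',').map((s) => s.trim()).filter(Boolean));
}

// Returns a function in the shape the `cors` package accepts for its
// `origin` option: (origin, callback) => callback(err, allowed).
// Requests with no Origin header (curl, same-origin, server-to-server)
// are not subject to CORS, so they pass; the allowlist only decides
// whether a cross-origin browser request receives CORS headers.
function makeOriginCheck(allowed) {
  return (origin, callback) => {
    if (!origin) return callback(null, true);
    return callback(null, allowed.has(origin)); // false => no ACAO header
  };
}

// Strict route ID parsing. parseInt('12abc', 10) === 12 and
// parseInt('', 10) is NaN, so parseInt+isNaN alone still lets
// trailing junk through; the digits-only regex closes that gap.
// Returns a positive safe integer or null.
function parseRouteId(raw) {
  if (typeof raw !== 'string' || !/^\d+$/.test(raw)) return null;
  const id = Number.parseInt(raw, 10);
  if (Number.isNaN(id) || !Number.isSafeInteger(id) || id <= 0) return null;
  return id;
}

// Express-style middleware (req, res, next): validates req.params[name],
// stores the parsed integer on req.parsedIds, or answers HTTP 400.
function requireIdParam(name = 'id') {
  return (req, res, next) => {
    const id = parseRouteId(req.params && req.params[name]);
    if (id === null) {
      return res
        .status(400)
        .json({ error: `Invalid ${name}: must be a positive integer` });
    }
    req.parsedIds = Object.assign({}, req.parsedIds, { [name]: id });
    return next();
  };
}

// Constructed minimal req/res so the middleware can run without Express.
function runMiddleware(mw, params) {
  const res = {
    statusCode: 200,
    body: undefined,
    status(code) { this.statusCode = code; return this; },
    json(payload) { this.body = payload; return this; },
  };
  const req = { params };
  let nextCalled = false;
  mw(req, res, () => { nextCalled = true; });
  return { status: res.statusCode, body: res.body, nextCalled, parsedIds: req.parsedIds };
}

// Wiring sketch for app.js (needs express, helmet, cors; not executed here):
//   const app = express();
//   app.use(helmet({ contentSecurityPolicy: { directives: { defaultSrc: ["'self'"] } } }));
//   app.use(cors({ origin: makeOriginCheck(parseAllowedOrigins(process.env.ALLOWED_ORIGIN)) }));
//   app.use(express.json({ limit: '1mb' }));   // oversized bodies get 413
//   router.get('/bills/:id', requireIdParam('id'), getBillHandler);

if (typeof module !== 'undefined') {
  module.exports = { parseAllowedOrigins, makeOriginCheck, parseRouteId, requireIdParam, runMiddleware };
}
```

Because `requireIdParam` only depends on the `(req, res, next)` contract, the same stub-driven checks translate directly into the supertest cases the PR adds to bills.routes.test.js and financing.routes.test.js.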

iswa added 1 commit 2026-03-20 08:26:39 -07:00
This pull request has changes conflicting with the target branch.
  • CLAUDE.md

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u origin security/fix-footguns:security/fix-footguns
git checkout security/fix-footguns

Reference: iswa/budget-app#8