Add security hardening: helmet, CORS allowlist, body limit, ID validation #8

Open

iswa wants to merge 1 commits from security/fix-footguns into master

Author	SHA1	Message	Date
Christian Hood	481b5a536b	Add security hardening: helmet, CORS allowlist, body limit, ID validation - Install and configure helmet with basic CSP in app.js - Restrict CORS to ALLOWED_ORIGIN env var (default localhost:5173) - Add express.json 1mb body size limit to prevent memory exhaustion - Add parseInt+isNaN validation for all :id route params in bills.js and financing.js (GET/PUT/DELETE/:id and PATCH financing-payments/:id) - Extend bills.routes.test.js and financing.routes.test.js with ID validation tests (non-numeric IDs → HTTP 400) Nightshift-Task: security-footgun Nightshift-Ref: https://github.com/marcus/nightshift Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-20 02:35:00 -04:00

Author

SHA1

Message

Date

Christian Hood

481b5a536b

Add security hardening: helmet, CORS allowlist, body limit, ID validation

- Install and configure helmet with basic CSP in app.js
- Restrict CORS to ALLOWED_ORIGIN env var (default localhost:5173)
- Add express.json 1mb body size limit to prevent memory exhaustion
- Add parseInt+isNaN validation for all :id route params in bills.js
  and financing.js (GET/PUT/DELETE/:id and PATCH financing-payments/:id)
- Extend bills.routes.test.js and financing.routes.test.js with ID
  validation tests (non-numeric IDs → HTTP 400)

Nightshift-Task: security-footgun
Nightshift-Ref: https://github.com/marcus/nightshift

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-03-20 02:35:00 -04:00

Add security hardening: helmet, CORS allowlist, body limit, ID validation #8

1 Commits