Harden security across frontend and backend

1. AdfRenderer: validate href starts with https?:// before rendering links 2. Logout route: add requireAuth middleware 3. Jira API params: validate sprintId, boardId, issueIdOrKey are alphanumeric 4. CSP header: add Content-Security-Policy with restrictive defaults 5. OAuth callback: align frontendUrl fallback with index.js 6. Rate limiting: express-rate-limit on API routes + Socket.IO event throttling 7. Session KV keys: prefix with cloudId for tenant isolation defense-in-depth 8. saveScopedEstimate: use withSessionCas for atomic read-update-delete Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-28 16:05:48 +01:00 · 2026-02-28 16:05:48 +01:00 · 03ba19042d
commit 03ba19042d
parent 3ab584e2ab
8 changed files with 127 additions and 47 deletions
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
@ -13,6 +13,7 @@
        "cors": "^2.8.5",
        "dotenv": "^16.4.5",
        "express": "^4.21.1",
+        "express-rate-limit": "^8.2.1",
        "jsonwebtoken": "^9.0.3",
        "nats": "^2.28.2",
        "socket.io": "^4.8.1"
@ -555,6 +556,24 @@
        "url": "https://opencollective.com/express"
      }
    },
+    "node_modules/express-rate-limit": {
+      "version": "8.2.1",
+      "resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-8.2.1.tgz",
+      "integrity": "sha512-PCZEIEIxqwhzw4KF0n7QF4QqruVTcF73O5kFKUnGOyjbCCgizBBiFaYpd/fnBLUMPw/BWw9OsiN7GgrNYr7j6g==",
+      "license": "MIT",
+      "dependencies": {
+        "ip-address": "10.0.1"
+      },
+      "engines": {
+        "node": ">= 16"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/express-rate-limit"
+      },
+      "peerDependencies": {
+        "express": ">= 4.11"
+      }
+    },
    "node_modules/express/node_modules/debug": {
      "version": "2.6.9",
      "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
@ -799,6 +818,15 @@
      "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==",
      "license": "ISC"
    },
+    "node_modules/ip-address": {
+      "version": "10.0.1",
+      "resolved": "https://registry.npmjs.org/ip-address/-/ip-address-10.0.1.tgz",
+      "integrity": "sha512-NWv9YLW4PoW2B7xtzaS3NCot75m6nK7Icdv0o3lfMceJVRfSoQwqD4wEH5rLwoKJwUiZ/rfpiVBhnaF0FK4HoA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 12"
+      }
+    },
    "node_modules/ipaddr.js": {
      "version": "1.9.1",
      "resolved": "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-1.9.1.tgz",