- express-rate-limit: 100/15min global, 5/15min on auth.login + auth.register,
3/hour reserved for password-reset endpoints; trust proxy enabled.
- helmet: enabled with contentSecurityPolicy + crossOriginEmbedderPolicy off
to keep Vite dev and the SPA bundle working.
- CORS: explicit allowlist (https://attente.cosmolan.fr in prod, localhost in
dev), credentials true, restricted methods/headers; same allowlist applied
to socket.io.
- JWT_SECRET: must be set and >= 32 chars; assertAuthEnv() called from the
server bootstrap so the process refuses to start without one. The insecure
"changeme-in-production" fallback in docker-compose.yml is removed.
- qm_auth cookie: maxAge reduced from 30d to 7d, JWT expiry matches.
- WhatsApp sessions: path now driven by WHATSAPP_SESSION_DIR and defaults to
/app/data/whatsapp-sessions; docker-compose.yml mounts a named app_data
volume so credentials survive container restarts.
- scripts/backup-db.sh: timestamped, gzipped mysqldump into /app/data/backups
with rotation (keeps last 7); Dockerfile installs mysql-client and bundles
the script.
- .env.example refreshed with documented placeholders for every required var
(DATABASE_URL, JWT_SECRET, WHATSAPP_SESSION_DIR, MYSQL_*, BACKUP_*).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
