queue-med

History

Hermes 81c6bccf8a security: Phase 1 hardening - rate limit, helmet, CORS, JWT, session persistence - express-rate-limit: 100/15min global, 5/15min on auth.login + auth.register, 3/hour reserved for password-reset endpoints; trust proxy enabled. - helmet: enabled with contentSecurityPolicy + crossOriginEmbedderPolicy off to keep Vite dev and the SPA bundle working. - CORS: explicit allowlist (https://attente.cosmolan.fr in prod, localhost in dev), credentials true, restricted methods/headers; same allowlist applied to socket.io. - JWT_SECRET: must be set and >= 32 chars; assertAuthEnv() called from the server bootstrap so the process refuses to start without one. The insecure "changeme-in-production" fallback in docker-compose.yml is removed. - qm_auth cookie: maxAge reduced from 30d to 7d, JWT expiry matches. - WhatsApp sessions: path now driven by WHATSAPP_SESSION_DIR and defaults to /app/data/whatsapp-sessions; docker-compose.yml mounts a named app_data volume so credentials survive container restarts. - scripts/backup-db.sh: timestamped, gzipped mysqldump into /app/data/backups with rotation (keeps last 7); Dockerfile installs mysql-client and bundles the script. - .env.example refreshed with documented placeholders for every required var (DATABASE_URL, JWT_SECRET, WHATSAPP_SESSION_DIR, MYSQL_, BACKUP_). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-25 13:06:51 +00:00
..
backup-db.sh	security: Phase 1 hardening - rate limit, helmet, CORS, JWT, session persistence	2026-04-25 13:06:51 +00:00

Hermes 81c6bccf8a security: Phase 1 hardening - rate limit, helmet, CORS, JWT, session persistence

- express-rate-limit: 100/15min global, 5/15min on auth.login + auth.register,
  3/hour reserved for password-reset endpoints; trust proxy enabled.
- helmet: enabled with contentSecurityPolicy + crossOriginEmbedderPolicy off
  to keep Vite dev and the SPA bundle working.
- CORS: explicit allowlist (https://attente.cosmolan.fr in prod, localhost in
  dev), credentials true, restricted methods/headers; same allowlist applied
  to socket.io.
- JWT_SECRET: must be set and >= 32 chars; assertAuthEnv() called from the
  server bootstrap so the process refuses to start without one. The insecure
  "changeme-in-production" fallback in docker-compose.yml is removed.
- qm_auth cookie: maxAge reduced from 30d to 7d, JWT expiry matches.
- WhatsApp sessions: path now driven by WHATSAPP_SESSION_DIR and defaults to
  /app/data/whatsapp-sessions; docker-compose.yml mounts a named app_data
  volume so credentials survive container restarts.
- scripts/backup-db.sh: timestamped, gzipped mysqldump into /app/data/backups
  with rotation (keeps last 7); Dockerfile installs mysql-client and bundles
  the script.
- .env.example refreshed with documented placeholders for every required var
  (DATABASE_URL, JWT_SECRET, WHATSAPP_SESSION_DIR, MYSQL_*, BACKUP_*).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-25 13:06:51 +00:00

backup-db.sh

security: Phase 1 hardening - rate limit, helmet, CORS, JWT, session persistence

2026-04-25 13:06:51 +00:00