Private
Public Access
1
0

Add CSP/HSTS headers, attachment extension whitelist, and upload rate limiting

- Add Content-Security-Policy and Strict-Transport-Security headers
- Whitelist allowed file extensions on attachment uploads
- Add rate limiting to password change (5/5min) and file uploads (20/60s)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Catherine Renelle
2026-03-07 19:25:02 -05:00
parent d418c367cb
commit 0852d5a804
6 changed files with 40 additions and 5 deletions
+6 -1
View File
@@ -3,6 +3,7 @@ import type { RequestHandler } from './$types.js';
import { requireAuth } from '$lib/server/guards.js';
import { hashPassword, verifyPassword } from '$lib/server/auth.js';
import { withBypassRLS } from '$lib/server/rls.js';
import { passwordChangeLimiter } from '$lib/server/ratelimit.js';
import { z } from 'zod';
const profileSchema = z.object({
@@ -16,13 +17,17 @@ const passwordSchema = z.object({
});
// Update profile
export const PATCH: RequestHandler = async ({ request, locals }) => {
export const PATCH: RequestHandler = async ({ request, locals, getClientAddress }) => {
requireAuth(locals.user);
const body = await request.json();
// Password change
if (body.currentPassword !== undefined) {
const limit = passwordChangeLimiter(getClientAddress());
if (!limit.ok) {
return json({ error: 'Too many attempts', retryAfter: limit.retryAfter }, { status: 429 });
}
const result = passwordSchema.safeParse(body);
if (!result.success) {
return json({ error: result.error.issues[0].message }, { status: 400 });