cms.c2sgmbh/.github
Martin Porwoll fc94531931 feat: implement security hardening module
Security Features:
- Central rate-limiter service with Redis support and memory fallback
  - Predefined limiters: publicApi, auth, email, search, form, strict
  - Automatic cleanup of stale entries
- IP allowlist/blocklist for sensitive endpoints
  - CIDR and wildcard support
  - Configurable via SEND_EMAIL_ALLOWED_IPS, BLOCKED_IPS env vars
- CSRF protection with Double Submit Cookie pattern
  - Token endpoint: GET /api/csrf-token
  - Origin header validation
- Data masking service for sensitive data
  - Automatic redaction of passwords, tokens, API keys
  - Safe logger factory for consistent logging
  - Recursive object masking for audit logs

Secret Scanning:
- Pre-commit hook for local secret detection
- GitHub Actions workflow with Gitleaks and CodeQL
- Gitleaks configuration file
- Dependency vulnerability scanning

Updated:
- /api/send-email now uses central rate-limiter and IP allowlist
- Redis lib exports getRedisClient and isRedisAvailable

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-07 23:04:14 +00:00
workflows feat: implement security hardening module 2025-12-07 23:04:14 +00:00