feat(api): add helmet security headers and rate limiting

- Add helmet middleware for secure HTTP response headers
- Add express-rate-limit with three limiters:
  - authLimiter: per-IP, 20 req/15min on /api/auth/*
  - gameLimiter: per-user, 150 req/15min (not yet wired)
  - lobbyLimiter: per-user, 20 req/15min (not yet wired)
- Set trust proxy for correct client IP behind Caddy
- Add tests for all three limiters and helmet headers
lila 2026-04-23 11:13:11 +02:00
parent 1dfe391233
commit 9893ead689
6 changed files with 300 additions and 1 deletions

@ -15,6 +15,8 @@
"better-auth": "^1.6.2",
"cors": "^2.8.6",
"express": "^5.2.1",
"express-rate-limit": "^8.4.0",
"helmet": "^8.1.0",
"ws": "^8.20.0"
},
"devDependencies": {
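Review bot: the two new dependencies are declared with caret ranges (`"express-rate-limit": "^8.4.0"` and `"helmet": "^8.1.0"`), so a fresh install may resolve a newer minor of either security middleware than the one the limiter and header tests in this commit were run against; confirm the lockfile is part of the 6 changed files and pins the exact versions. Since the message also says `trust proxy` is being set for the per-IP `authLimiter` behind Caddy, note that express-rate-limit 7+ validates that setting at startup and reports a permissive-trust-proxy error when it is simply `true`, because a blanket value lets a client supply its own forwarded address and escape per-IP limiting; a hop count or the Caddy address is the safer value to document alongside this dependency bump.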