T-005: Security hardening - CORS, Rate Limit, CSRF
- CORS: Restrict allowed origins to specific frontend URLs, limit methods and headers
- Rate Limit: Add fine-grained endpoint-specific rate limits for sensitive operations
  - Login: 5 requests/minute
  - Register: 3 requests/hour
  - Password change: 3 requests/5 minutes
  - Payment: 20 requests/minute
  - Admin: 30 requests/minute
- CSRF: Add CSRF protection middleware with double-submit cookie pattern
  - New app/core/csrf.py module with CSRFMiddleware
  - Require CSRF tokens on sensitive endpoints (auth, payment, profile)
  - Skip webhook endpoints for CSRF validation
- Fix pydantic-settings import in config.py
@@ -52,3 +52,7 @@ DEBUG=true
# URL
FRONTEND_URL=http://localhost:3000
BACKEND_URL=http://localhost:8000
|
# Security (CSRF/CORS) - CSRF protection is enabled by default
# Frontend must send X-CSRF-Token header with state-changing requests
# The token is provided via csrf_token cookie and X-CSRF-Token response header
|
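Review bot: the new "# Security (CSRF/CORS)" block is comment-only and leaves the example env incomplete for the behaviour it describes. The commit message says CORS is restricted to specific frontend URLs, but the only related value in this file is `FRONTEND_URL`; either state in the comment that the CORS allow-list is derived from `FRONTEND_URL`, or add the dedicated origins setting here so the example matches what the application reads. For the double-submit cookie, the comment should also record the attributes the `csrf_token` cookie is issued with (it must be readable by the frontend script that copies it into `X-CSRF-Token`, so it cannot be HttpOnly, and a SameSite setting should be stated), and whether "enabled by default" means there is an env toggle; if one exists, list it next to these comments with its default, and if none exists, say so to avoid operators looking for it.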