Implement security hardening (rate limiting, headers, CORS)

## Description
Implement production security measures including rate limiting, security headers, CORS hardening, and audit tooling.

## Requirements

### Rate Limiting
- **API endpoints**: 100 requests/minute per IP
- **Auth endpoints** (/api/auth/*): 10 requests/minute per IP
- Use `@fastify/rate-limit` plugin
- Return 429 Too Many Requests with retry-after header

### Security Headers (Helmet)
- Use `@fastify/helmet` or equivalent
- Headers to set:
  - `Content-Security-Policy` (CSP) — restrict script/style sources
  - `Strict-Transport-Security` (HSTS) — enforce HTTPS
  - `X-Frame-Options: DENY` — prevent clickjacking
  - `X-Content-Type-Options: nosniff` — prevent MIME sniffing
  - `X-XSS-Protection: 0` — disable legacy XSS filter (rely on CSP)
  - `Referrer-Policy: strict-origin-when-cross-origin`
  - `Permissions-Policy` — restrict browser features

### CORS Configuration
- Restrict `Access-Control-Allow-Origin` to the application's domain only
- Allow specific methods: GET, POST, PUT, PATCH, DELETE
- Allow specific headers: Content-Type, Authorization
- No wildcard origins in production

### Input Validation
- All Zod schemas enforce string length limits:
  - Name/title fields: max 255 characters
  - Notes/text fields: max 10,000 characters
  - Email: max 254 characters
- Parameterized queries via Drizzle ORM (SQL injection prevention verified)

### Database File Security
- Database file permissions: `chmod 600` (owner read/write only)
- Database directory owned by Node.js process user, not root
- WAL and SHM files inherit directory permissions

### Dependency Security
- `npm audit` step in CI pipeline
- Dependabot alerts enabled on the repository
- Pin major dependency versions

### Additional
- Remove server version headers (X-Powered-By, Server)
- Request body size limit (1MB default)
- Timeout configuration for long-running requests

## Acceptance Criteria
- [ ] Rate limiting active: 100 req/min API, 10 req/min auth
- [ ] All security headers set correctly (verify with securityheaders.com)
- [ ] CORS restricted to application domain
- [ ] String length limits enforced on all inputs
- [ ] Database file has correct permissions
- [ ] `npm audit` runs in CI with no high/critical vulnerabilities
- [ ] Server version headers removed
- [ ] Request body size limited

## References
- PRD Section 11: Security Considerations (all subsections)
- PRD Section 12: Risks & Mitigations (JWT secret, dependency vulnerabilities)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Implement security hardening (rate limiting, headers, CORS) #89

Description

Requirements

Rate Limiting

Security Headers (Helmet)

CORS Configuration

Input Validation

Database File Security

Dependency Security

Additional

Acceptance Criteria

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Implement security hardening (rate limiting, headers, CORS) #89

Description

Description

Requirements

Rate Limiting

Security Headers (Helmet)

CORS Configuration

Input Validation

Database File Security

Dependency Security

Additional

Acceptance Criteria

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions