From f80008170c8bcfa541f22c42c0ca2b5f0d126279 Mon Sep 17 00:00:00 2001
From: unknown
Date: Sun, 30 Nov 2025 14:58:56 +0100
Subject: [PATCH 1/2] feat:add_security: adding size limit to json requests (DoS)

---
 src/main.ts | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/main.ts b/src/main.ts
index 5e9cdbe..223b3c8 100644
--- a/src/main.ts
+++ b/src/main.ts
@@ -52,6 +52,9 @@ const main = async () => {
   // Set up the Express app
   const app = express();
 
+  // Adding size limit to json request (DoS); 10kb seems to be standard
+  app.use(express.json({ limit: "10kb" }));
+
   // Adding helmet
   app.use(helmet.contentSecurityPolicy({
     directives: {

From 9b3e6d32ce1eade6c58678087a8d5ec27db1dac8 Mon Sep 17 00:00:00 2001
From: unknown
Date: Sun, 30 Nov 2025 15:15:42 +0100
Subject: [PATCH 2/2] feat:add_security: configuring cookie sameSite attrb to lax

---
 src/handlers/authentication.ts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/handlers/authentication.ts b/src/handlers/authentication.ts
index e137968..1ec3b1a 100644
--- a/src/handlers/authentication.ts
+++ b/src/handlers/authentication.ts
@@ -69,6 +69,7 @@ export const usePassport = function(app: any, prisma: PrismaClient): void {
     cookie: {
       maxAge: 1000 * 60 * 60 * 24 * 7, // ms
       secure: (NODE_ENV === 'production'), // Secure HTTPS cookies only in production
+      sameSite: "lax", // Bound the cookie to be sent only from self frontend (reduce exposurse to CSRF)
     },
     name: 'nl.codam.coalitions.session',
     proxy: (NODE_ENV === 'production'), // Trust the X-Forwarded-Proto header
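Review bot: The `limit` on the added `express.json()` line only applies to bodies sent as `application/json`; any `express.urlencoded()`, `express.raw()` or `express.text()` parser registered elsewhere in the app (none is visible in this hunk) keeps its own default of 100kb, so the same `limit` needs to be set on each of those for the DoS protection to be meaningful. Oversized bodies now make the parser throw a 413 `PayloadTooLargeError`; unless an error-handling middleware is registered after the routes, Express's default handler answers with its own page and, outside production, includes the stack trace, so worth confirming one exists. The comment is vaguer than it needs to be — "seems to be standard" does not tell the next reader why 10kb was chosen; suggest `// Cap JSON bodies at 10kb (Express default is 100kb) so oversized payloads are rejected with 413 before they are buffered`. The enclosing `main` function continues outside this hunk.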
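Review bot: `sameSite: "lax"` still sends the session cookie on top-level cross-site GET navigations, so any route that changes state on GET remains CSRF-reachable, and Lax does not cover requests from other subdomains of the same site; it narrows the window but is not a replacement for a CSRF token on state-changing endpoints. The inverse risk also deserves a check before merging: if the frontend is served from a different registrable domain than this API, Lax causes browsers to drop the cookie on its fetch/XHR calls and logins will appear to fail — the deployment topology is not visible here, so please confirm. The added comment overstates the guarantee and has a typo ("exposurse"); suggest `// Lax: cookie is withheld on cross-site subrequests, but still sent on top-level GET navigations — keep state changes off GET`. The enclosing `usePassport` function and the session options object continue outside this hunk.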