Commit
feat(security): Add security improvements and review
Commit details
Commit notes
Security Review: - Created comprehensive BACKEND_SECURITY_REVIEW.md documenting findings
Security Fixes: - Add constant-time comparison utility (src/utils/crypto.ts) - safeCompare() for timing-safe string comparison - hashToken() for secure token storage - generateSecureToken() for cryptographic random tokens
- Update CSRF middleware to use constant-time comparison - Prevents timing attacks on CSRF token validation
- Add IP validation for Mollie webhooks (defense-in-depth) - Logs warning when webhook from non-Mollie IP - Still processes (API verification is primary check)
Review documented: - P0: Missing webhook signature verification - P1: Timing attack vulnerabilities (now fixed for CSRF) - P2: Virus scanning not implemented - P3: Admin audit logging recommendations
Co-authored-by: armin.naimi <[email redacted]>
- Files changed
- 5
- Lines added
- +617
- Lines removed
- −4