LOADING…
0%
Complete changelog

Commit

feat(security): Add security improvements and review

Commit details

Commit notes

Security Review: - Created comprehensive BACKEND_SECURITY_REVIEW.md documenting findings

Security Fixes: - Add constant-time comparison utility (src/utils/crypto.ts) - safeCompare() for timing-safe string comparison - hashToken() for secure token storage - generateSecureToken() for cryptographic random tokens

- Update CSRF middleware to use constant-time comparison - Prevents timing attacks on CSRF token validation

- Add IP validation for Mollie webhooks (defense-in-depth) - Logs warning when webhook from non-Mollie IP - Still processes (API verification is primary check)

Review documented: - P0: Missing webhook signature verification - P1: Timing attack vulnerabilities (now fixed for CSRF) - P2: Virus scanning not implemented - P3: Admin audit logging recommendations

Co-authored-by: armin.naimi <[email redacted]>

Files changed
5
Lines added
+617
Lines removed
−4
This page is a permanent record of commit 1c5f7be3.