From bb2b43d1c156f141f0d77fff40e5813d26f6ee88 Mon Sep 17 00:00:00 2001 From: adamp Date: Mon, 9 Feb 2026 22:08:05 -0600 Subject: [PATCH] Update CLAUDE.md with helmet and rate limiting details Co-Authored-By: Claude Opus 4.6 --- CLAUDE.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CLAUDE.md b/CLAUDE.md index dbfc320..af77cff 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -31,9 +31,9 @@ No test runner or linter is currently configured. Full-stack monorepo: Express.js API + React 18 SPA (Vite + React Router v7). **Server** (`server/`): -- `index.js` — Express entry point. Mounts all route groups under `/api`, applies auth middleware to non-auth routes. In production, serves the built client as static files with SPA fallback. +- `index.js` — Express entry point. Applies `helmet()` for security headers, a global API rate limiter (100 req/min/IP via `express-rate-limit`), mounts all route groups under `/api`, and applies auth middleware to non-auth routes. In production, serves the built client as static files with SPA fallback. - `db.js` — SQLite via `better-sqlite3` (synchronous). Auto-creates the `data/` directory and tables on first run. Foreign keys are enabled. -- `middleware/auth.js` — Optional HMAC-SHA256 session cookie auth. If `APP_PASSWORD` is not set in `.env`, authentication is disabled entirely (middleware passes through). +- `middleware/auth.js` — Optional HMAC-SHA256 session cookie auth. If `APP_PASSWORD` is not set in `.env`, authentication is disabled entirely (middleware passes through). Login route has a dedicated rate limiter (5 attempts/min/IP). - `utils.js` — Shared helpers (`parseId`, `isValidDate`, `parseLimit`) used across routes. - `routes/` — CRUD for products, customers, orders, plus dashboard summary and reports endpoints.