adamp
a4ef21d099
Add helmet middleware for security headers (CSP, X-Content-Type-Options, X-Frame-Options, HSTS, Referrer-Policy) and disable X-Powered-By. Add a global API rate limiter (100 req/min/IP) using express-rate-limit. Replace the hand-rolled in-memory login rate limiter (~25 lines) with a dedicated express-rate-limit instance (5 attempts/min/IP) on the login route. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>