Security
- Hardened application against common attack vectors (#10)
- Added request filtering to block vulnerability scanner probes (.env, .git, wp-*, phpmyadmin, etc.)
- Implemented global rate limiting with route-specific configurations (auth: 10/5min, API: 30/min, default: 60/min)
- Added security headers: X-Frame-Options, HSTS, X-Content-Type-Options
- Fixed cookie secure flag for production environments
- Removed GET logout endpoint to prevent CSRF attacks
- Sanitized error messages in onboarding endpoints
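As an added, framework-independent illustration (not the project's code; the changelog does not name its framework or route layout, so the /auth and /api prefixes, the constructed probe patterns and the 404 response for probes are assumptions), the scanner-probe filter and the route-specific sliding-window limits listed above:

```python
import re
from collections import defaultdict, deque

# Constructed probe patterns based on the paths named in the changelog
# (.env, .git, wp-*, phpmyadmin); not the project's actual filter list.
PROBE_PATTERNS = [
    re.compile(r"(^|/)\.env($|[./])"),
    re.compile(r"(^|/)\.git($|/)"),
    re.compile(r"(^|/)wp-[A-Za-z0-9_-]+"),
    re.compile(r"(^|/)phpmyadmin($|/)", re.IGNORECASE),
]

# Route classes and limits from the changelog: (max requests, window seconds).
RATE_LIMITS = {"auth": (10, 300), "api": (30, 60), "default": (60, 60)}


def is_scanner_probe(path):
    """True when the request path looks like a vulnerability scanner probe."""
    return any(p.search(path) for p in PROBE_PATTERNS)


def route_class(path):
    """Assumed mapping of URL prefixes to rate-limit classes."""
    if path.startswith("/auth"):
        return "auth"
    if path.startswith("/api"):
        return "api"
    return "default"


class RateLimiter:
    """Sliding-window limiter keyed by (client, route class); `now` is the
    request time in seconds, passed in so the logic is deterministic."""
    def __init__(self, limits=RATE_LIMITS):
        self.limits = limits
        self.hits = defaultdict(deque)  # timestamps of recent requests

    def allow(self, client, path, now):
        limit, window = self.limits[route_class(path)]
        q = self.hits[(client, route_class(path))]
        while q and now - q[0] >= window:  # drop hits outside the window
            q.popleft()
        if len(q) >= limit:
            return False
        q.append(now)
        return True


def handle(limiter, client, path, now):
    """Status the middleware would return: 404 for probes (assumed), 429 when
    the route's limit is exceeded, otherwise 200 to pass the request on."""
    if is_scanner_probe(path):
        return 404
    if not limiter.allow(client, path, now):
        return 429
    return 200
```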
Full Changelog: v0.1.3...v0.1.4