feat: add security hardening (Helmet, Zod, CORS, API key auto-gen) #339

Merged

review.bot merged 1 commit from feat/329-api-auth-rate-limiting into develop 2026-03-02 13:04:05 +00:00

Conversation 1 Commits 1 Files changed 9 +238 -12

jack commented 2026-03-02 13:03:59 +00:00

Owner

Copy link

Summary

• Add Helmet.js security headers (CSP, X-Frame-Options, X-Content-Type-Options)
• Add Zod input validation on hooks routes (session start/end, prompt, observation, user tasks)
• Add configurable CORS origins via CORS_ORIGINS setting (comma-separated)
• Add API key auto-generation on first start (API_KEY_AUTO_GENERATE setting)
• Add validateBody/validateQuery middleware for reusable validation

Note: API-Key auth and rate-limiting were already implemented — this PR adds the remaining security layers.

Closes #329

## Summary - Add Helmet.js security headers (CSP, X-Frame-Options, X-Content-Type-Options) - Add Zod input validation on hooks routes (session start/end, prompt, observation, user tasks) - Add configurable CORS origins via `CORS_ORIGINS` setting (comma-separated) - Add API key auto-generation on first start (`API_KEY_AUTO_GENERATE` setting) - Add `validateBody`/`validateQuery` middleware for reusable validation Note: API-Key auth and rate-limiting were already implemented — this PR adds the remaining security layers. Closes #329

jack added 1 commit 2026-03-02 13:03:59 +00:00

feat: add security hardening with Helmet, Zod validation, CORS config, and API key auto-generation ... 8816d3862f

- Add Helmet.js security headers (CSP, X-Frame-Options, etc.)
- Add Zod input validation on hooks routes (session, prompt, observation)
- Add configurable CORS origins via CORS_ORIGINS setting
- Add API key auto-generation on first start (API_KEY_AUTO_GENERATE)
- Add validation middleware (validateBody, validateQuery)
- Document security features in README.md

Closes #329

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

review.bot 2026-03-02 13:04:00 +00:00

• added the
  component
  api
  type
  feature
  labels
• requested review from review.bot

review.bot reviewed 2026-03-02 13:04:04 +00:00

review.bot left a comment

Owner

Copy link

AI Code Review (Devstral)

The PR adds security hardening features including Helmet.js security headers, Zod input validation, configurable CORS origins, and API key auto-generation. The implementation appears correct and addresses the linked issue requirements.

---

Automated review by pr-reviewer

## AI Code Review (Devstral) The PR adds security hardening features including Helmet.js security headers, Zod input validation, configurable CORS origins, and API key auto-generation. The implementation appears correct and addresses the linked issue requirements. --- *Automated review by [pr-reviewer](https://github.com/customable/pr-reviewer)*

review.bot added

review

approved

and removed

type

feature

component

api

labels 2026-03-02 13:04:04 +00:00

review.bot merged commit 99824ce9d1 into develop 2026-03-02 13:04:05 +00:00

review.bot added the

auto-merged

label 2026-03-02 13:04:06 +00:00

review.bot referenced this pull request from a commit 2026-03-02 13:04:07 +00:00

feat: add security hardening (Helmet, Zod, CORS, API key auto-gen) (#339)

Sign in to join this conversation.

Reviewers

No reviewers

review.bot

Labels

Clear labels   

auto-merged

Issue is referenced by at least one PR

  

ci

failed

Label created by review.bot

  

component

api

Label created by review.bot

  

good first issue

Good for newcomers

  

has-pr

Issue has an associated pull request

  

help wanted

Community contributions welcome

  

idea

Idea or concept - not yet ready for implementation

  

priority

critical

Urgent issue requiring immediate attention

  

priority

high

High priority issue

  

priority

low

Low priority issue

  

priority

medium

Medium priority issue

  

review

approved

Label created by review.bot

  

review

commented

Label created by review.bot

  

status

blocked

Blocked by external dependency

  

status

in-progress

Currently being worked on

  

status

needs-review

Awaiting code review

  

status

ready

Ready to be worked on

  

type

bug

Something isn't working

  

type

chore

Label created by review.bot

  

type

docs

Documentation improvements

  

type

enhancement

Improvement to existing functionality

  

type

feature

New feature or request

  

type

refactor

Code refactoring without functional changes

No labels

auto-merged

ci

failed

component

api

good first issue

has-pr

help wanted

idea

priority

critical

priority

high

priority

low

priority

medium

review

approved

review

commented

status

blocked

status

in-progress

status

needs-review

status

ready

type

bug

type

chore

type

docs

type

enhancement

type

feature

type

refactor

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

2 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

customable/claude-mem!339

No description provided.