Security

Security at the API edge is built on defense in depth — no single control is trusted to stop every attack. The layers that protect a request, in the order they apply:

  1. CDN / load balancer TLS termination (handled outside the backend)
  2. CORS: cors.Config in cmd/server/main.go
  3. SecurityHeaders: X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and HSTS in production
  4. IPBlocker.BlockMiddleware: rejects any IP on the block list
  5. IPBlocker.SuspiciousActivityMiddleware: pattern-matches SQL injection, path traversal and excessively long requests
  6. RateLimiter: per-IP, per-route counters in Redis
  7. JWTAuth / AdminAuth: bearer token validation, then the admin role check
  8. Handler-level validation: DTO parsing, business rules, ownership checks

Layers 4 to 6 key on the client IP. Because TLS is terminated upstream in layer 1, that IP reaches the backend in a forwarded header, which must be accepted only from the proxy the backend trusts; otherwise the block list and rate limits apply either to the proxy's own address or to whatever address the client wrote into the header.
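
Layers 4 to 6 wired in the order above, as an added example in Go; this is not the project's middleware (the page does not show cmd/server/main.go or the IPBlocker and RateLimiter sources). The trusted proxy address, block list, suspicious-request patterns and request limit are constructed for the example, and an in-memory map stands in for the Redis counters. The part the list alone does not show is the client-IP rule: X-Forwarded-For is honoured only from the trusted proxy, and only its last entry, so a client cannot choose which address gets blocked or rate-limited.

```go
package main

import (
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"regexp"
	"strings"
	"sync"
)

// Constructed for this example: the layer-1 proxy address, the maximum
// request-target length and the per-IP, per-route request limit.
const trustedProxy, maxURILen, limit = "10.0.0.1", 2048, 3

var (
	blocked    = map[string]bool{"198.51.100.7": true} // constructed block list
	suspicious = []*regexp.Regexp{
		regexp.MustCompile(`\.\.[/\\]`),                                    // path traversal
		regexp.MustCompile(`(?i)'\s*(or|and)\s|union\s+select|;\s*drop\s`), // SQL injection
	}
	// In-memory stand-in for the page's Redis counters (no window expiry here).
	limiter = struct{ sync.Mutex; hits map[string]int }{hits: map[string]int{}}
)

// clientIP is the address layers 4 to 6 key on. X-Forwarded-For is believed only
// from the trusted proxy, and only its last entry, the one that proxy appended;
// earlier entries, or the header from any other peer, are chosen by the client.
func clientIP(r *http.Request) string {
	host, _, _ := net.SplitHostPort(r.RemoteAddr) // net/http always sets host:port
	xff := r.Header.Get("X-Forwarded-For")
	if host != trustedProxy || xff == "" {
		return host
	}
	parts := strings.Split(xff, ",")
	return strings.TrimSpace(parts[len(parts)-1])
}

// BlockMiddleware (layer 4) rejects any request from a listed IP.
func BlockMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if blocked[clientIP(r)] {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// SuspiciousActivityMiddleware (layer 5) caps the target length and pattern-matches
// the raw and decoded path and query. A match never reaches layer 6, so probing
// does not spend the client's rate-limit budget.
func SuspiciousActivityMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if len(r.URL.RequestURI()) > maxURILen {
			http.Error(w, "request target too long", http.StatusRequestURITooLong)
			return
		}
		target := r.URL.Path + "?" + r.URL.RawQuery
		if q, err := url.QueryUnescape(r.URL.RawQuery); err == nil {
			target += " " + q
		}
		for _, re := range suspicious {
			if re.MatchString(target) {
				http.Error(w, "bad request", http.StatusBadRequest)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// RateLimitMiddleware (layer 6) counts requests per client IP and route.
func RateLimitMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		key := clientIP(r) + "|" + r.Method + " " + r.URL.Path
		limiter.Lock()
		limiter.hits[key]++
		n := limiter.hits[key]
		limiter.Unlock()
		if n > limit {
			http.Error(w, "too many requests", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewEdge wires layers 4, 5 and 6 in the page's order, outermost first, ahead
// of a handler that stands in for layers 7 and 8.
func NewEdge() http.Handler {
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	return BlockMiddleware(SuspiciousActivityMiddleware(RateLimitMiddleware(app)))
}

// Serve sends one GET from TCP peer `peer` carrying the given X-Forwarded-For
// value through the edge and returns the status code.
func Serve(edge http.Handler, peer, xff, target string) int {
	r := httptest.NewRequest(http.MethodGet, target, nil)
	r.RemoteAddr = peer + ":51234"
	r.Header.Set("X-Forwarded-For", xff)
	rec := httptest.NewRecorder()
	edge.ServeHTTP(rec, r)
	return rec.Code
}
```

NewEdge() returns the wired handler. Serve(edge, trustedProxy, "198.51.100.7", "/api/users") returns 403; the same header sent from an untrusted peer returns 200, because the header is ignored and the peer's own address is used; and "203.0.113.5, 198.51.100.7" from the trusted proxy returns 403, since the last entry is what the proxy saw. A fourth request from one IP to one route within the constructed limit of three returns 429, while the same IP on another route still passes.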

Beyond per-request defense:

  • Bcrypt for password hashing (golang.org/x/crypto/bcrypt)
  • JWT signed with HMAC-SHA256 (HS256) using the server-side JWT_SECRET
  • WebAuthn / Passkeys as the primary passwordless option
  • AES-GCM encryption at rest for stored API keys, keyed by ENCRYPTION_KEY
  • Device fingerprint registration limits — 3 accounts per device per 30 days
  • OTP for email verification, password reset, and email change
  • GDPR delete path with full account purge
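
The "AES-GCM encryption at rest" bullet, as an added example in Go; this is not the project's code. It assumes ENCRYPTION_KEY is a hex-encoded 32-byte key (the page does not state the key's format) and binds each ciphertext to a record identifier as associated data, which the page does not describe either; the test key, record ID and API key value are constructed. The two properties worth checking on any such implementation are shown: a fresh nonce per call, and decryption that fails outright on a tampered value, a wrong key or a ciphertext moved to another record.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"os"
)

// LoadKey parses ENCRYPTION_KEY. Assumed format for this example: a hex string
// of exactly 32 bytes (AES-256). Anything else is refused rather than silently
// padded or truncated into a weak key.
func LoadKey(hexKey string) ([]byte, error) {
	key, err := hex.DecodeString(hexKey)
	if err != nil {
		return nil, fmt.Errorf("ENCRYPTION_KEY is not hex: %w", err)
	}
	if len(key) != 32 {
		return nil, fmt.Errorf("ENCRYPTION_KEY must be 32 bytes, got %d", len(key))
	}
	return key, nil
}

// KeyFromEnv is the production path: the key exists only in the environment.
func KeyFromEnv() ([]byte, error) { return LoadKey(os.Getenv("ENCRYPTION_KEY")) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts an API key for storage. The record ID is bound as associated
// data, so a ciphertext copied into another record fails to decrypt. A fresh
// random 96-bit nonce is drawn per call and stored in front of the ciphertext;
// nonce reuse under one key breaks both GCM confidentiality and integrity.
func Seal(key, plaintext []byte, recordID string) (string, error) {
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	blob := aead.Seal(nonce, nonce, plaintext, []byte(recordID)) // nonce || ciphertext || tag
	return base64.StdEncoding.EncodeToString(blob), nil
}

// Open reverses Seal. Any modified byte, wrong key or wrong record ID yields
// an error, never garbage plaintext.
func Open(key []byte, stored, recordID string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	blob, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("stored value too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(recordID))
}

func main() {
	// Constructed test key; never ship a fixed key, read it with KeyFromEnv.
	key, err := LoadKey("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
	if err != nil {
		panic(err)
	}
	stored, _ := Seal(key, []byte("sk_live_example"), "apikey:42")
	pt, err := Open(key, stored, "apikey:42")
	fmt.Println(string(pt), err) // sk_live_example <nil>
	_, err = Open(key, stored, "apikey:43")
	fmt.Println(err != nil) // true: bound to a different record
}
```

Store the string Seal returns; the nonce travels with the ciphertext, so no separate column is needed. Rotating ENCRYPTION_KEY means re-sealing every stored value under the new key, since GCM gives no way to re-key a ciphertext in place.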

Explore

For the public-facing contract of rate limits (what 429 means for a client), see API → Rate Limiting. For the incident playbook, see Operations → Runbook.