Skip to content

Rate-limit CSRF token and static file routes #242

Description

@coder13

Follow-up slice of #227.

Protect the remaining file-serving handlers identified by CodeQL in server/index.js.

Scope:

  • apply the established request limit to the CSRF-token endpoint and client static/fallback routes;
  • preserve normal browser, API, and health-check behavior;
  • add focused regression coverage for the standard 429 response;
  • resolve alerts through code, without suppression or query changes;
  • do not add, inspect, store, or search email data.

Acceptance criteria:

  • CodeQL closes the two remaining file-system route alerts;
  • normal static and CSRF requests work within the configured window;
  • server tests and CI pass.

Production rollout verification remains part of #176.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions