# CORS & Security
KitchenAsty includes several security measures out of the box.
## CORS

Cross-Origin Resource Sharing is configured via the `CORS_ORIGINS` environment variable:

```dotenv
CORS_ORIGINS=http://localhost:5173,http://localhost:5174
```

The server parses this comma-separated list and allows requests from those origins with `credentials: true`. An origin is the scheme, host and port taken together, so `http://localhost:5173` and `http://localhost:5174` are two different origins and both must be listed. Because credentials are enabled, the list has to name explicit origins: browsers reject `Access-Control-Allow-Origin: *` on a response that also sends `Access-Control-Allow-Credentials: true`, so a wildcard will not work here.
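As an added illustration (this is not KitchenAsty's own code), here is the allow-list check such a configuration needs, written as plain functions so it runs without the `cors` package. The trailing comment shows how the same check plugs into `cors()` if that is the middleware in use, which is an assumption; the sample origins are the ones from the development `.env` above.

```javascript
// Added example, not KitchenAsty's own code: the origin allow-list logic
// behind a CORS_ORIGINS setting used together with credentials. Written as
// plain functions so it runs without the `cors` package.

// Parse the comma-separated env value into a Set of normalised origins.
// Whitespace and blank entries are dropped and a trailing slash removed,
// because an Origin header never carries a path.
function parseCorsOrigins(envValue) {
  const origins = new Set();
  for (const raw of (envValue || '').split(',')) {
    const entry = raw.trim().replace(/\/+$/, '');
    if (!entry) continue;
    if (entry === '*') {
      // A credentialed response cannot use a wildcard: browsers reject
      // `Access-Control-Allow-Origin: *` together with
      // `Access-Control-Allow-Credentials: true`.
      throw new Error('CORS_ORIGINS must list explicit origins, not "*", when credentials are enabled');
    }
    let url;
    try {
      url = new URL(entry);
    } catch {
      throw new Error(`CORS_ORIGINS entry is not a valid URL: ${entry}`);
    }
    // `origin` is scheme://host[:port]; it is the string "null" for inputs
    // such as "localhost:5173" that lack a scheme.
    if (url.origin === 'null') {
      throw new Error(`CORS_ORIGINS entry must include a scheme: ${entry}`);
    }
    origins.add(url.origin);
  }
  return origins;
}

// Decide the CORS response headers for one request. Returns null when the
// request's Origin is not on the list; the caller then sends no CORS headers
// and the browser blocks the cross-origin read. Matching is exact, so a
// different scheme or port is a different origin.
function corsHeadersFor(allowedOrigins, requestOrigin) {
  if (!requestOrigin || !allowedOrigins.has(requestOrigin)) return null;
  return {
    // Echo the specific origin rather than '*' (required for credentials).
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    // Vary on Origin so a shared cache never replays one origin's
    // Allow-Origin header to a request from another.
    'Vary': 'Origin',
  };
}

// Constructed input matching the development .env above (note the stray
// whitespace and trailing slash, both tolerated by the parser).
const allowed = parseCorsOrigins('http://localhost:5173, http://localhost:5174/');
corsHeadersFor(allowed, 'http://localhost:5173');  // headers echoing the origin
corsHeadersFor(allowed, 'http://localhost:5175');  // null: port differs
corsHeadersFor(allowed, 'https://localhost:5173'); // null: scheme differs

// If the server uses the `cors` package (assumed here), the same check is
// its `origin` callback; `credentials: true` makes it echo the origin and
// add `Vary: Origin` as above:
//   app.use(cors({
//     origin: (origin, cb) => cb(null, Boolean(origin) && allowed.has(origin)),
//     credentials: true,
//   }));
```

Requests without an `Origin` header (same-origin navigations, curl, server-to-server calls) get no CORS headers from this check, which is correct: CORS only governs what a browser lets a cross-origin page read, and those callers are not subject to it.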
In production, set this to your actual domain(s):

```dotenv
CORS_ORIGINS=https://admin.yourrestaurant.com,https://order.yourrestaurant.com
```

## Helmet
Helmet sets various HTTP security headers:
- `X-Content-Type-Options: nosniff`
- `X-Frame-Options: SAMEORIGIN`
- `Strict-Transport-Security` (in production)
- Content Security Policy headers
- And more
Helmet is enabled by default with standard settings.
## Rate Limiting
API endpoints are rate-limited to prevent abuse:
| Setting | Value |
|---|---|
| Window | 15 minutes |
| Max requests per IP | 100 |
| Headers | Standard (RateLimit-*) |
| Response on limit | 429 Too Many Requests |

When the limit is exceeded, the response body is:

```json
{
  "success": false,
  "error": "Too many requests, please try again later."
}
```

Rate limiting is disabled in the test environment to avoid interfering with automated tests.

Because the limit is keyed by client IP, a deployment behind a reverse proxy must tell the app which proxies to trust (for an Express app, the `trust proxy` setting). Without it every request appears to come from the proxy's address, so all clients share one 100-request bucket; with it set too broadly, a client can pick its own bucket by sending a forged `X-Forwarded-For` header.
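The following is an added example, not KitchenAsty's own rate-limiting code: a fixed-window limiter with the settings from the table (15-minute window, 100 requests per IP, `RateLimit-*` headers, the 429 body shown above), written without `express-rate-limit` so it runs stand-alone, together with the client-IP resolution that matters behind a reverse proxy. The `trustedProxies` set stands in for Express's `trust proxy` setting, and the proxy and client addresses are constructed for the example.

```javascript
// Added example, not KitchenAsty's own code: a fixed-window limiter with the
// settings from the table above, written without express-rate-limit so it
// runs stand-alone, plus the client-IP resolution that matters behind a
// reverse proxy. `trustedProxies` stands in for Express's `trust proxy`
// setting; all addresses below are constructed for the example.

const WINDOW_MS = 15 * 60 * 1000;
const MAX_REQUESTS = 100;
const LIMIT_BODY = { success: false, error: 'Too many requests, please try again later.' };

// Resolve the client IP for one connection. X-Forwarded-For is only honoured
// when the TCP peer is a trusted proxy; otherwise anyone can set the header
// and choose which rate-limit bucket they land in.
function clientIp(remoteAddr, xForwardedFor, trustedProxies) {
  if (!trustedProxies.has(remoteAddr) || !xForwardedFor) return remoteAddr;
  // Each proxy appends the peer it saw, giving "client, proxy1, proxy2".
  // Walk from the right past trusted hops and stop at the first address that
  // is not a trusted proxy: that is the real client, and entries a client
  // prepended itself are never reached.
  const hops = xForwardedFor.split(',').map((s) => s.trim()).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trustedProxies.has(hops[i])) return hops[i];
  }
  return remoteAddr; // every hop was a trusted proxy; nothing better to use
}

// Per-IP fixed window: the first request in a window starts it, and the
// counter resets when the window ends.
class FixedWindowLimiter {
  constructor({ windowMs = WINDOW_MS, max = MAX_REQUESTS } = {}) {
    this.windowMs = windowMs;
    this.max = max;
    this.buckets = new Map(); // ip -> { count, resetAt }
  }

  // Evaluate one request from `ip` at time `now` (ms). Returns the status,
  // the RateLimit-* headers (the "standard" headers in the table) and, when
  // the limit is exceeded, the 429 body shown above.
  check(ip, now = Date.now()) {
    let bucket = this.buckets.get(ip);
    if (!bucket || now >= bucket.resetAt) {
      bucket = { count: 0, resetAt: now + this.windowMs };
      this.buckets.set(ip, bucket);
    }
    bucket.count += 1;
    const remaining = Math.max(0, this.max - bucket.count);
    const resetSeconds = Math.ceil((bucket.resetAt - now) / 1000);
    const headers = {
      'RateLimit-Limit': String(this.max),
      'RateLimit-Remaining': String(remaining),
      'RateLimit-Reset': String(resetSeconds),
    };
    if (bucket.count > this.max) {
      headers['Retry-After'] = String(resetSeconds);
      return { allowed: false, status: 429, headers, body: LIMIT_BODY };
    }
    return { allowed: true, status: 200, headers, body: null };
  }
}

// Constructed scenario: one nginx proxy at 10.0.0.1 in front of the app.
const trusted = new Set(['10.0.0.1']);
// Normal request: the proxy appended the real client.
clientIp('10.0.0.1', '203.0.113.7', trusted);          // '203.0.113.7'
// The client tried to prepend a fake entry; the proxy still appended the truth.
clientIp('10.0.0.1', '1.2.3.4, 203.0.113.7', trusted); // '203.0.113.7'
// Direct connection from an untrusted peer: the header is ignored entirely.
clientIp('203.0.113.7', '1.2.3.4', trusted);           // '203.0.113.7'

const limiter = new FixedWindowLimiter();
const ip = clientIp('10.0.0.1', '203.0.113.7', trusted);
limiter.check(ip).status; // 200 for the first 100 requests in a window, then 429
```

A fixed window lets a client send up to 200 requests in a short burst straddling the boundary between two windows; that is also how `express-rate-limit` behaves by default, and it is fine for abuse prevention but not for precise quota enforcement. The per-user limits suggested under Production Security Tips are the same logic keyed by an authenticated user ID instead of the IP.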
## Request Logging

HTTP request logging uses Morgan in `dev` format, which records the method, URL, status code and response time of each request. Logging is disabled in the test environment. Note that the logged URL includes the query string, so never pass tokens or other secrets as query parameters.
## Production Security Tips

- Set a strong, unique `JWT_SECRET` (at least 32 characters)
- Use HTTPS in production: terminate TLS at your reverse proxy (nginx, Cloudflare, etc.)
- Restrict `CORS_ORIGINS` to your actual frontend domains
- Keep dependencies updated and check them regularly with `npm audit`
- Consider increasing rate limits for high-traffic locations or adding per-user limits
- Use a web application firewall (WAF) for additional protection