Authentication Security
CSRF Protection
Every OAuth login flow generates a cryptographically random state parameter that is validated on the callback. This prevents cross-site request forgery attacks on the OAuth flow.
Secure Token Handling
Access tokens are never passed in URLs. This prevents token leakage through browser history, referrer headers, or server logs. Tokens are exchanged server-side using short-lived, httpOnly cookies.
Session Management
Refresh tokens are rotated on every use — once a refresh token is consumed, it is invalidated and a new one is issued. If a previously-used token is replayed, all sessions for that account are revoked immediately.
Rate Limiting
Auth endpoints are rate-limited to 5 requests per minute per IP to prevent brute-force attacks. All other dashboard endpoints are limited to 60 requests per minute per IP. Rate-limited requests receive:
- HTTP 429 Too Many Requests
- Retry-After header indicating when the window resets
- JSON body: {"error": "too_many_requests"}
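The rotation rule from the Session Management section above, written out as an added example (not the dashboard's own code): a hypothetical in-memory store that rotates a refresh token on every use and, when an already-consumed token is replayed, revokes every session of that account. Account ids and token names are constructed for the demonstration.

```python
import secrets


class RefreshTokenStore:
    """Hypothetical in-memory store: every refresh rotates the token, and a
    replay of an already-consumed token revokes every session of that account."""

    def __init__(self):
        self._owner = {}     # token -> account_id, for live and consumed tokens
        self._consumed = set()
        self._live = {}      # account_id -> set of currently valid tokens

    def issue(self, account_id):
        """Create a fresh, cryptographically random refresh token (one session)."""
        token = secrets.token_urlsafe(32)
        self._owner[token] = account_id
        self._live.setdefault(account_id, set()).add(token)
        return token

    def refresh(self, presented):
        """Consume `presented` and return its replacement, or None on rejection."""
        account_id = self._owner.get(presented)
        if account_id is None:
            return None                      # unknown or already revoked
        if presented in self._consumed:
            # Replay of a used token: either the legitimate client or someone
            # holding a stolen copy sent it. We cannot tell which, so every
            # session for the account is revoked.
            self.revoke_all(account_id)
            return None
        self._consumed.add(presented)
        self._live[account_id].discard(presented)
        return self.issue(account_id)

    def revoke_all(self, account_id):
        """Forget every token (live or consumed) belonging to the account."""
        for token in [t for t, a in self._owner.items() if a == account_id]:
            del self._owner[token]
            self._consumed.discard(token)
        self._live[account_id] = set()

    def live_sessions(self, account_id):
        """Number of sessions whose refresh token is still valid."""
        return len(self._live.get(account_id, ()))
```

A production store would persist the same three facts (owner, consumed flag, live set) with an expiry on each token; the replay branch is the part that must not be skipped.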
Security Headers
Every dashboard response includes the following security headers:

| Header | Purpose |
|---|---|
| X-Content-Type-Options: nosniff | Prevents MIME-type sniffing |
| X-Frame-Options: DENY | Prevents clickjacking via iframes |
| Referrer-Policy: strict-origin-when-cross-origin | Limits referrer information leakage |
| Content-Security-Policy | Prevents XSS and unauthorised content injection |
| Strict-Transport-Security | Enforces HTTPS in production |
Error Handling
Unhandled errors return a generic {"error": "internal_error"} response. No stack traces, exception messages, or internal details are ever exposed to clients.