feat: add origin validation and rate limiting for PDF endpoint

Security enhancements:
- Implement origin/referer validation middleware
- Add rate limiting (3 requests/min per IP)
- Default to production domain (juan.andres.morenorub.io)
- Verify all protection mechanisms working correctly

Documentation updates:
- Update README to reflect personal portfolio nature
- Remove template encouragement from README
- Add verification status to API-PROTECTION.md
- Document ALLOWED_ORIGINS configuration in .env.example

Cleanup:
- Remove templates.backup/ folder
- Remove old test screenshots
juanatsap
2025-11-09 14:13:22 +00:00
parent 24b2401519
commit ea6ccf9cdd
9 changed files with 40 additions and 609 deletions
@@ -4,6 +4,27 @@
---
## ✅ VERIFICATION STATUS
**Last Tested:** November 9, 2025
**Status:****ALL PROTECTION MECHANISMS VERIFIED WORKING**
### Verified Test Results
| Test | Expected | Actual | Status |
|------|----------|--------|--------|
| External referer (evil.com) | 403 Forbidden | 403 Forbidden | ✅ PASS |
| Localhost referer | 200 OK | 200 OK | ✅ PASS |
| Production domain referer | 200 OK | 200 OK | ✅ PASS |
| External Origin header | 403 Forbidden | 403 Forbidden | ✅ PASS |
| No referer (development) | 200 OK | 200 OK | ✅ PASS |
| Rate limit (requests 1-3) | 200 OK | 200 OK | ✅ PASS |
| Rate limit (request 4+) | 429 Too Many | 429 Too Many | ✅ PASS |
**Protection Layers:** Origin checking + Rate limiting both working correctly.
---
## Overview
The CV website implements multiple layers of protection to prevent external sites from accessing the API and to protect against DDoS attacks on resource-intensive endpoints like PDF generation.
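Review bot: the rows "No referer (development)" and "Localhost referer" both record 200 OK, but the section never states whether those allowances are confined to a development configuration or also hold on the production deployment; because any scripted client can simply omit the Referer and Origin headers, an allow-when-absent rule means the origin layer offers no protection against such clients on its own, and the per-IP rate limit becomes the only control that applies to them. Suggest making the environment gating explicit in the table (for example a row "No referer (production) | 403 Forbidden" with its verified result) and saying in the Overview that origin/referer checking only deters casual embedding from other sites rather than deliberate access. Separately, `**Status:****ALL PROTECTION MECHANISMS VERIFIED WORKING**` has no space between the two bold runs, so Markdown renders it as one unbroken bold string; write `**Status:** **ALL PROTECTION MECHANISMS VERIFIED WORKING**`.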