Security controls map
Where headers, rate limits, webhooks, and admin boundaries live in the codebase.
Use this page for security questionnaires and onboarding: each row maps a control to the implementation file (paths relative to the monorepo root).
| Control | Location |
|---------|----------|
| HTTP security headers (CSP, HSTS, X-Frame-Options, …) | apps/api/src/index.ts — secureHeaders middleware |
| Per-route rate limiting | apps/api/src/middleware/rateLimit.ts and app.use chains in apps/api/src/index.ts |
| Auth brute-force limits | apps/api/src/index.ts — /api/auth/sign-in, forget-password, magic-link |
| Payment webhooks (signature + raw body) | apps/api/src/routes/payment-webhooks.ts |
| Global admin guard | apps/api/src/middleware/adminGuard.ts |
| Org / session context | apps/api/src/middleware/orgContext.ts |
| Env validation (no ad-hoc process.env in routes) | apps/api/src/config.ts |
| Optional module HTTP surface | apps/api/src/module-routes.ts + apps/api/src/generated/active-modules.generated.ts — disabled modules are not mounted (404) |
| Daily metrics CSV (admin) | apps/api/src/routes/admin.ts — /api/admin/metrics/daily/export.csv |
After changing app.config.ts
- `pnpm generate:active-modules` — refresh the API route gate snapshot.
- `pnpm verify:modules` — CI runs this; fails if the snapshot drifts.
- Restart API / web dev servers.
Disabled modules policy
When a module is off in app.config.ts, the API does not register those routes. Unmatched paths return 404 with JSON { "error": "Not found" } (same as unknown paths). The web app uses ModuleGate (apps/web/src/components/server/ModuleGate.tsx) and nav filtering so users do not see dead links.
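The snapshot-and-gate pattern above, as an added, framework-agnostic illustration (not the project's own `module-routes.ts` or generated file): the module list, route handlers, `generateActiveModules`, `snapshotMatches`, `buildRouter` and `dispatch` are all hypothetical names constructed for this example. It shows the two properties the page states: a disabled module's paths are never mounted, so they fall through to the same `{ "error": "Not found" }` 404 as unknown paths, and a committed snapshot that no longer matches the config is detected as drift.

```typescript
// Added example, not the project's code. All names below are hypothetical.

type ModuleName = "billing" | "reports" | "chat";
type ModuleConfig = Record<ModuleName, boolean>;

// Stand-in for the module switches in app.config.ts (constructed values).
export const appConfig: ModuleConfig = { billing: true, reports: false, chat: true };

// What a "generate:active-modules" step would write: a sorted list of enabled modules.
export function generateActiveModules(config: ModuleConfig): ModuleName[] {
  return (Object.keys(config) as ModuleName[]).filter((m) => config[m]).sort();
}

// Drift check in the spirit of "verify:modules": the committed snapshot must equal a
// fresh generation from the current config, element for element.
export function snapshotMatches(snapshot: ModuleName[], config: ModuleConfig): boolean {
  const fresh = generateActiveModules(config);
  return snapshot.length === fresh.length && snapshot.every((m, i) => m === fresh[i]);
}

type Response = { status: number; body: unknown };
type Handler = () => Response;
type Router = Map<string, Handler>;

// Each optional module's HTTP surface, keyed by exact path (constructed routes).
const moduleRoutes: Record<ModuleName, Record<string, Handler>> = {
  billing: { "/api/billing/invoices": () => ({ status: 200, body: { invoices: [] } }) },
  reports: { "/api/reports/daily": () => ({ status: 200, body: { rows: [] } }) },
  chat: { "/api/chat/threads": () => ({ status: 200, body: { threads: [] } }) },
};

// Mount only the routes of active modules; disabled modules are simply absent.
export function buildRouter(active: ModuleName[]): Router {
  const router: Router = new Map();
  for (const m of active) {
    for (const [path, handler] of Object.entries(moduleRoutes[m])) {
      router.set(path, handler);
    }
  }
  return router;
}

// Unmatched paths, whether unknown or belonging to a disabled module, get the same 404 JSON.
export function dispatch(router: Router, path: string): Response {
  const handler = router.get(path);
  if (!handler) return { status: 404, body: { error: "Not found" } };
  return handler();
}

// Stand-alone run: build the gate from the config and probe one path of each kind.
const activeModules = generateActiveModules(appConfig);
const router = buildRouter(activeModules);
console.log(activeModules); // ["billing", "chat"]
console.log(dispatch(router, "/api/billing/invoices").status); // 200
console.log(dispatch(router, "/api/reports/daily")); // { status: 404, body: { error: "Not found" } }
console.log(snapshotMatches(["billing"], appConfig)); // false: snapshot drifted
```

Because `dispatch` never consults the config at request time, turning a module off and forgetting to regenerate the snapshot is caught by `snapshotMatches` rather than by a user finding a live route; that is the role `pnpm verify:modules` plays in CI.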