Security & webhooks

Headers, rate limits, billing webhooks, and secrets handling.

Security and billing webhooks

HTTP hardening

The API enables Hono secureHeaders with a strict CSP for JSON-only responses, HSTS, X-Content-Type-Options, X-Frame-Options, and a restrictive Permissions-Policy. See apps/api/src/index.ts.

Rate limiting

Credential auth routes use Redis-backed rate limits (apps/api/src/index.ts and apps/api/src/middleware/rateLimit.ts). Tune the max and windowSec values per route class.

Payment webhooks

  • Routes: /webhooks/stripe, /webhooks/paddle, /webhooks/lemonsqueezy, /webhooks/polar.
  • Handlers verify provider signatures and should remain idempotent (safe to retry).
  • Side effects that can fail (email, fan-out) belong in BullMQ workers, not inline in the webhook HTTP handler.
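The three rules above (verify the signature, stay idempotent, push fallible side effects to a worker) as an added example that is not the project's own handler code. It assumes a generic HMAC-SHA256-over-raw-body signature carried as a hex digest, an in-memory Set as a stand-in for the Redis/DB idempotency store, and an array as a stand-in for the BullMQ queue; real providers each define their own header layout, which this example does not reproduce.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";
import { Buffer } from "node:buffer";

// Constructed secret for this example; the real service reads it from the Zod config.
const WEBHOOK_SECRET = "whsec_example_not_real";

type Outcome = "invalid_signature" | "duplicate" | "processed";

// Stand-in for the BullMQ queue: jobs are collected here instead of enqueued.
const queuedJobs: { name: string; eventId: string }[] = [];
// Stand-in for a persistent idempotency store (Redis/DB with an atomic set in production).
const seenEvents = new Set<string>();

// Generic scheme assumed here: HMAC-SHA256 over the raw request body, hex-encoded.
function sign(rawBody: string, secret: string): string {
  return createHmac("sha256", secret).update(rawBody).digest("hex");
}

function signatureMatches(rawBody: string, header: string | undefined, secret: string): boolean {
  if (!header) return false;
  const expected = Buffer.from(sign(rawBody, secret), "hex");
  const given = Buffer.from(header, "hex");
  // Length check first: timingSafeEqual throws on mismatched lengths.
  if (given.length !== expected.length) return false;
  return timingSafeEqual(given, expected);
}

// Verify first, then dedupe on the provider's event id, then hand side effects to a worker.
function handleWebhook(rawBody: string, signatureHeader: string | undefined, secret = WEBHOOK_SECRET): Outcome {
  if (!signatureMatches(rawBody, signatureHeader, secret)) return "invalid_signature";
  const event = JSON.parse(rawBody) as { id: string; type: string };
  if (seenEvents.has(event.id)) return "duplicate"; // retry is safe: no second side effect
  seenEvents.add(event.id);
  // Only the cheap local state change happens inline; email/fan-out belong in the worker.
  queuedJobs.push({ name: `billing:${event.type}`, eventId: event.id });
  return "processed";
}
```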

Secrets

  • Production configuration is parsed through Zod in apps/api/src/config.ts (never read process.env ad hoc in routes).
  • For Docker, prefer Docker Secrets mounted under /run/secrets/; the config loader merges those values over env vars. When DEPLOY_MODE=docker, any critical key whose secret file is missing produces a startup warning.

Admin metrics export

Daily rolled-up metrics (MRR estimate, churn, DAU/MAU, etc.) are stored in saas_metrics_daily by a maintenance cron job. Global admins can export CSV:

GET /api/admin/metrics/daily/export.csv (session + global admin required).

Optional modules (compile-time)

app.config.ts controls which optional API routes are registered. Disabled modules are not mounted; callers receive 404 JSON ({ "error": "Not found" }). See the controls map for the full file reference and the post-change checklist (pnpm generate:active-modules, pnpm verify:modules).