fix: Harden security - CORS, XSS, file uploads, error handling

- Restrict no-origin CORS bypass to development only
- Activate xss-clean middleware for input sanitization
- Add MIME type whitelist and filename sanitization to file uploads
- Reduce project upload limit from 50MB to 20MB
- Stop leaking stack traces in error responses

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
richardtekula
2026-01-26 15:21:44 +01:00
parent 929d0b461f
commit d26e537244
4 changed files with 79 additions and 20 deletions


@@ -6,7 +6,7 @@ export function errorHandler(err, req, res, next) {
return next(err);
}
// Log error
// Log full error server-side (including stack trace)
logger.error('Neošetrená chyba', err);
// Get status code
@@ -16,8 +16,8 @@ export function errorHandler(err, req, res, next) {
? res.statusCode
: 500;
// Format error response
const errorResponse = formatErrorResponse(err, process.env.NODE_ENV === 'development');
// Never send stack traces to the client, even in development
const errorResponse = formatErrorResponse(err, false);
res.status(statusCode).json(errorResponse);
}
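Review bot: Passing `false` to `formatErrorResponse` in the second hunk drops the stack trace, but the original `err` is still handed to the formatter, so if it copies `err.message` into the body (the formatter is not visible here) an unexpected 5xx can still expose internal details such as query text or file paths. Consider substituting a generic error for server-side failures before formatting, e.g. `const clientErr = statusCode >= 500 ? new Error('Internal server error') : err;` followed by `formatErrorResponse(clientErr, false)`; the full `err` is already written by `logger.error`. If no other caller passes `true`, removing the second parameter from `formatErrorResponse` would also keep a later change from re-enabling stack output by accident. `errorHandler` starts before the first hunk, and the status-code computation between the two hunks is only partly shown.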