
Security Hardening & Rate Limiting#98

Open
ishvindersethi22 wants to merge 2 commits into develop from security-fixes

Conversation

@ishvindersethi22
Member

@ishvindersethi22 ishvindersethi22 commented Jan 15, 2026

Description

This PR implements a comprehensive security hardening layer for the Arena Backend, addressing multiple vulnerabilities related to credential exposure, IDOR, and resource abuse.

Key Changes

Secret Management & Infrastructure

  • Env Var Migration: Moved SECRET_KEY and DEBUG to environment variables.
  • Firebase Security: Moved FIREBASE_CREDENTIALS_PATH to an env var and removed absolute path logging.
  • HTTPS Enforcement: Enabled SECURE_SSL_REDIRECT, HSTS, and secure cookie flags (active only when DEBUG=False).
  • Security Headers: Added X-Frame-Options: DENY, Content-Type-Nosniff, and XSS-Filter headers.
  • CORS Hardening: Set `CORS_ALLOW_CREDENTIALS = False`.

API Security & IDOR Fixes

  • IDOR Fix: Added ownership verification in conversation_path endpoint. Users can now only access paths between messages they own.
  • URL Expiry: Reduced GCS signed URL expiry from 900s to 300s (5 minutes) to minimize the attack window for leaked URLs.
  • Header-based Auth: Migrated Google API Key from URL query parameters to the secure x-goog-api-key header.

Rate Limiting & Resource Protection

  • Burst Protection (DRF Throttles):
    • AIGenerationThrottle: 30 req/min per user (prevents rapid-fire API cost abuse).
    • AuthRateThrottle: 10 req/min per IP (prevents brute-force on login/register).
  • Daily Quotas (Logic from PR rate-limiting-per user and anonymus user blocked #167):
    • 15 messages/day limit for direct and compare modes.
    • Uses select_for_update() to ensure strict enforcement across concurrent requests.
  • Access Control: Blocked anonymous users from starting direct or compare mode sessions.

Error Handling & Cleanup

  • Error Sanitization: Replaced str(e) with sanitize_error_message(e) across 10+ files to prevent leaking internal traceback details or API keys in response logs.
  • Custom Exception Handler: Implemented a global DRF handler to return clean JSON errors for production 500s.
  • Cleanup: Removed unused scripts (fix_job_sync.py, trigger_sync.py) and updated .gitignore.

Verification Results

  • Zero str(e) instances remain in application code.
  • Verified IDOR fix with manual session ID manipulation.
  • Verified rate limiting returns 429 Too Many Requests.
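The three limits the description lists (the 30/min per-user AI throttle, the 10/min per-IP auth throttle, and the 15/day quota enforced atomically with `select_for_update()`) modelled in plain Python, as an added example that is not the PR's DRF code. It runs without Django; the class names, the `ArenaLimiter` entry points and the use of a `threading.Lock` in place of a database row lock are assumptions made for the example. The `race_for_quota` helper fires concurrent requests at the quota to show that the check-and-increment step does not over-admit under contention, which is the property the PR claims for `select_for_update()`.

```python
"""Added example, not code from the PR: per-user burst window, per-IP auth
window and a per-user daily quota whose check and increment are one atomic
step. Names are assumptions for the example."""
import threading
from collections import defaultdict, deque

HTTP_OK, HTTP_FORBIDDEN, HTTP_TOO_MANY = 200, 403, 429


class SlidingWindowThrottle:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self._events = defaultdict(deque)   # key -> timestamps still inside the window
        self._lock = threading.Lock()

    def allow(self, key, now):
        with self._lock:
            q = self._events[key]
            while q and now - q[0] >= self.window:   # drop expired entries
                q.popleft()
            if len(q) >= self.limit:
                return False
            q.append(now)
            return True


class DailyQuota:
    """Per-(user, day) counter; the check and the increment are one atomic step."""

    def __init__(self, limit):
        self.limit = limit
        self._counts = {}
        self._lock = threading.Lock()

    def consume(self, user_id, day):
        # The lock plays the role of SELECT ... FOR UPDATE on the counter row:
        # two requests racing for the last slot cannot both read the same count
        # and both succeed.
        with self._lock:
            used = self._counts.get((user_id, day), 0)
            if used >= self.limit:
                return False
            self._counts[(user_id, day)] = used + 1
            return True


class ArenaLimiter:
    """Entry points standing in for the throttled views (assumed names)."""

    def __init__(self, ai_per_minute=30, auth_per_minute=10, daily=15):
        self.ai = SlidingWindowThrottle(ai_per_minute, 60)
        self.auth = SlidingWindowThrottle(auth_per_minute, 60)
        self.quota = DailyQuota(daily)

    def handle_generation(self, user_id, now, day, anonymous=False):
        """Direct/compare mode: anonymous blocked, then burst window, then daily quota."""
        if anonymous:
            return HTTP_FORBIDDEN
        if not self.ai.allow(user_id, now):
            return HTTP_TOO_MANY
        if not self.quota.consume(user_id, day):
            return HTTP_TOO_MANY
        return HTTP_OK

    def handle_auth(self, client_ip, now):
        """Login/register: per-IP window only."""
        return HTTP_OK if self.auth.allow(client_ip, now) else HTTP_TOO_MANY


def race_for_quota(limiter, user_id, day, attempts=50):
    """Fire `attempts` concurrent requests for one user; return how many got 200."""
    results, lock = [], threading.Lock()

    def worker():
        status = limiter.handle_generation(user_id, now=0.0, day=day)
        with lock:
            results.append(status)

    threads = [threading.Thread(target=worker) for _ in range(attempts)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results.count(HTTP_OK)


if __name__ == "__main__":
    # Constructed run: 50 racing requests, default 15/day quota -> exactly 15 admitted.
    print(race_for_quota(ArenaLimiter(), "user-1", "2026-01-15"))
```

In the real service the quota row lives in the database and the lock is the row lock `select_for_update()` takes inside a transaction; the in-memory version above only holds across threads of one process, so a multi-worker deployment needs the database-backed form the PR describes.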
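The error-sanitization and custom-exception-handler items above, as an added example rather than the PR's own `sanitize_error_message()` or DRF handler: it redacts Google-style API keys and `key=`/`token=` pairs, replaces absolute filesystem paths, keeps only the first line of a message so traceback bodies never reach the client, and returns a generic body for 5xx responses when not in debug mode. The regex choices, the `exception_response` name and the `status_code` attribute convention are assumptions for the example.

```python
"""Added example, not the PR's code: strip secrets, paths and traceback detail
from exception text before it goes into an API error body. Pattern choices and
names are assumptions for the example."""
import re

# Secrets that tend to end up in exception text: Google-style keys (AIza...)
# and key=value pairs copied from request URLs or SDK error messages.
GOOGLE_KEY = re.compile(r"AIza[0-9A-Za-z_\-]{35}")
KEY_VALUE = re.compile(r"(?i)\b((?:api[_-]?)?key|token|secret|password)=\S+")
# Absolute filesystem paths (not the path part of a URL, hence the lookbehind).
FS_PATH = re.compile(r"(?<![\w:/])(/[\w.\-]+){2,}")
GENERIC = "An internal error occurred. Please try again later."


def sanitize_error_message(exc, debug=False):
    """Return text that is safe to place in a client-facing error body."""
    raw = str(exc)
    if debug:
        return raw                          # full detail is acceptable in local dev
    cleaned = GOOGLE_KEY.sub("[REDACTED]", raw)
    cleaned = KEY_VALUE.sub(r"\1=[REDACTED]", cleaned)
    cleaned = FS_PATH.sub("[path]", cleaned)
    # Only the first line survives: traceback bodies name files and internals.
    cleaned = cleaned.splitlines()[0] if cleaned.strip() else ""
    return cleaned[:200] or GENERIC


def exception_response(exc, debug=False):
    """Global-handler logic: 4xx keep a sanitized message, 5xx get a generic one."""
    status = getattr(exc, "status_code", 500)
    if status >= 500 and not debug:
        return status, {"error": GENERIC}
    return status, {"error": sanitize_error_message(exc, debug)}


if __name__ == "__main__":
    # Constructed message of the kind an upstream SDK might raise (fake key).
    err = RuntimeError(
        "Request to https://api.example/v1?key=AIzaSyA1234567890abcdefghijklmnopqrstuv"
        " failed at /srv/app/arena/views.py"
    )
    print(sanitize_error_message(err))
    print(exception_response(err))
```

The sanitized string is what should be logged and returned for client errors; for server errors the full exception still belongs in the server-side log (with the same redaction applied), while the response carries only the generic text.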

@ishvindersethi22 ishvindersethi22 changed the title Claude initial commit Claude security fixes Jan 15, 2026
… HTTPS enforcement

- Move SECRET_KEY and DEBUG to environment variables
- Sanitize all error messages (str(e)) with sanitize_error_message() across 8 files
- Move Google API key from URL query param to x-goog-api-key header
- Add custom DRF exception handler for production 500s
- Add security headers (X-Frame-Options, Content-Type-Nosniff, XSS-Filter)
- Add HTTPS/HSTS enforcement when DEBUG=False
- Fix IDOR in conversation_path (add user ownership check)
- Move Firebase credentials path to env var
- Reduce signed URL expiry from 900s to 300s
- Set CORS_ALLOW_CREDENTIALS=False
- Add rate limiting: 30/min AI generation, 10/min auth endpoints
- Update .gitignore with security-sensitive file patterns
- Remove unused scripts (fix_job_sync.py, trigger_sync.py)
@Dhara124 Dhara124 changed the title Claude security fixes Security Hardening & Rate Limiting Apr 15, 2026
