[INFRA] Global: Standardize Production Security Configuration #204

[CMI-James]

Description

Standardize backend production security configuration with strict CORS origin controls, stronger default security headers, and global API rate limiting placement.

Closes #204

Changes proposed

What were you told to do?

I was asked to apply production-grade backend security controls:

• Helmet-style security headers,
• strict CORS whitelist in production,
• API rate-limiting to reduce abuse risk.

What did I do?

Hardened security headers at app level

Updated backend/src/app.ts:

• disables x-powered-by,
• adds security-header middleware (Helmet-equivalent core headers):
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY
  • Referrer-Policy: no-referrer
  • X-DNS-Prefetch-Control: off
  • X-Download-Options: noopen
  • X-Permitted-Cross-Domain-Policies: none
  • Strict-Transport-Security in production.

Added strict production CORS whitelist behavior

In backend/src/app.ts:

• uses CORS_ALLOWED_ORIGINS (comma-separated),
• allows all origins in non-production,
• in production allows only whitelist origins (plus no-origin server clients),
• enables credentials support.

Kept global rate-limiting enforced early

• Retained global globalRateLimiter at top of middleware pipeline.

Added env configuration docs

Updated backend/.env.example with:

• CORS_ALLOWED_ORIGINS="https://app.flowfi.xyz,https://flowfi.xyz"

Check List (Check all the applicable boxes)

• My code follows the code style of this project.
• This PR does not contain plagiarized content.
• The title and description of the PR is clear and explains the approach.
• My commit messages styles matches our requested structure.
• My code additions will fail neither code linting checks nor unit test.
• I am only making changes to files I was requested to.

Screenshots / Testing Evidence

Attempted validation:

npm run build --workspace=backend

Build fails on existing upstream backend TypeScript issues unrelated to this PR (pre-existing type/config errors).