[M3][Epic 3.3] Implement production security: bcrypt, rate limiting, CORS, webhooks

## Problem

Implement security controls documented in `docs/architecture.md`.

## Tasks

- [ ] Replace plaintext passwords with bcrypt (cost factor 12)
- [ ] Add rate limiting middleware (express-rate-limit or similar)
- [ ] Configure rate limiting: 100 req/min per IP on auth endpoints
- [ ] Configure CORS whitelist (no wildcards in production)
- [ ] Implement webhook signature verification (HMAC)
- [ ] Add `X-Webhook-Signature` header validation
- [ ] Add security headers middleware (helmet.js)
- [ ] Enable HTTPS in production deployment
- [ ] Write security tests (attempt to bypass rate limits, etc.)

## Acceptance Criteria

- ✅ Passwords hashed with bcrypt (never stored plaintext)
- ✅ Rate limiting active and tested on auth endpoints
- ✅ Webhook signatures verified correctly
- ✅ CORS whitelist enforced in production config

**Priority:** P0 - Blocker for production
**Labels:** security, backend, M3, P0

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[M3][Epic 3.3] Implement production security: bcrypt, rate limiting, CORS, webhooks #68

Problem

Tasks

Acceptance Criteria

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

[M3][Epic 3.3] Implement production security: bcrypt, rate limiting, CORS, webhooks #68

Description

Problem

Tasks

Acceptance Criteria

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions