security: Apply Security Middleware Stack

[nik-kale]

Summary

This PR addresses a critical security vulnerability by applying the existing security middleware stack that was previously defined but never used. The backend now enforces CORS origin validation, security headers, rate limiting, input sanitization, and request validation.

Changes

• Replaced default cors() with configureCors() for origin whitelist validation
• Applied configureHelmet() for security headers (CSP, HSTS, X-Frame-Options)
• Applied generalRateLimiter globally to prevent API abuse
• Applied missionRateLimiter to POST /api/missions endpoint
• Applied sanitizeInput middleware for XSS protection
• Applied validateContentType and validateRequestSize middleware
• Added notFoundHandler and errorHandler for proper error handling
• Middleware applied in correct order for optimal security

Type of Change

• Security patch
• New feature
• Bug fix
• Breaking change
• Documentation update

Testing

• Verified no linting errors in modified files
• Security middleware is now active and will:
  • Reject requests from non-whitelisted origins
  • Apply security headers to all responses
  • Rate limit requests after threshold exceeded
  • Sanitize XSS payloads in request bodies
  • Validate Content-Type and request sizes

Checklist

• Code follows project style guidelines
• Self-review completed
• Comments added for complex logic
• Documentation updated (inline comments)
• No new warnings introduced
• Middleware applied in correct order

Related Issues

Addresses Feature #1 from FEATURE_OPPORTUNITIES.md - Priority Score: 3.0 ⭐

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Trust proxy before applying rate limiters

The new global generalRateLimiter counts requests by req.ip, but the app still uses Express’s default trust proxy = false. Architecture.md documents the backend sitting behind an Nginx reverse proxy, so every request will appear to come from the proxy’s IP and all clients will share the same bucket, causing 429s even under moderate multi-user traffic. Set app.set('trust proxy', true) (or use the forwarded header) before installing the rate limiters so each client is limited independently.

Useful? React with 👍 / 👎.