6f7352124d
- Fix 1: Login rate limiting (5 attempts/min/IP) on POST /api/v1/auth/login
  - New LoginRateLimiter (ConcurrentHashMap + @Scheduled reset every 60s)
  - HTTP 429 with German message on exceed
  - Client IP via X-Forwarded-For with proxy fallback
  - @EnableScheduling on CannaManageApplication
- Fix 2: CORS origins configurable via cannamanage.cors.allowed-origins env var
  - Defaults to localhost + docker frontend for dev
  - SecurityConfig reads with @Value, splits comma-separated list
- Fix 3: Audit JSON safety — replaced manual string concat with Jackson ObjectMapper
  - New AuditService.toMetadataJson(Map) helper
  - RetentionService and AuthorityExportService refactored
- Fix 4: Tomcat max-http-form-post-size=2MB prevents DoS via oversized payloads
- Fix 5: @Valid added to @RequestBody on 17+ endpoints across ComplianceRecordsController, FinanceController, ConsentController, StaffController, ComplianceDeadlineController, SubscriptionController, ForumController (admin + portal)
- Fix 6: Content-Security-Policy "default-src 'self'; frame-ancestors 'none'" + frameOptions(deny) on both API + portal filter chains
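The rate limiter in Fix 1 is a fixed-window counter keyed by client IP, and the interesting part is the client-IP step: X-Forwarded-For is set by whoever sends the request, so honouring it unconditionally lets anyone who can reach the application directly pick a fresh bucket per request. The example below is added here and is not the project's LoginRateLimiter; it is plain Java with no Spring dependency, where `reset()` stands in for the method that would carry `@Scheduled(fixedRate = 60_000)`, and the set of trusted proxy addresses is an assumed deployment detail. The header is only consulted when the TCP peer is one of those proxies, and the address is taken from the right-hand end of the list (the entries appended by our own proxies), not from the left-hand end the client controls.

```java
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

/**
 * Fixed-window login rate limiter: at most MAX_ATTEMPTS per client IP per window.
 * Stand-alone illustration (not the project's class); in Spring, reset() would be
 * annotated @Scheduled(fixedRate = 60_000) and the class registered as a @Component.
 */
public class LoginRateLimiterDemo {
    static final int MAX_ATTEMPTS = 5;

    // Attempt counters per client IP for the current 60 s window.
    private final ConcurrentHashMap<String, AtomicInteger> attempts = new ConcurrentHashMap<>();

    // Addresses of reverse proxies we operate (assumed; comes from configuration in practice).
    private final Set<String> trustedProxies;

    LoginRateLimiterDemo(Set<String> trustedProxies) {
        this.trustedProxies = trustedProxies;
    }

    /** Returns true if this attempt may proceed, false if the caller should answer 429. */
    boolean tryAcquire(String clientIp) {
        int n = attempts.computeIfAbsent(clientIp, k -> new AtomicInteger()).incrementAndGet();
        return n <= MAX_ATTEMPTS;
    }

    /** Starts a fresh window for every IP; this is what the scheduled job calls every 60 s. */
    void reset() {
        attempts.clear();
    }

    /**
     * Resolve the client IP. The header is only trusted when the TCP peer (remoteAddr)
     * is one of our proxies; otherwise the peer address is the client. Each proxy appends
     * the address it saw, so the rightmost entry that is not one of our proxies is the
     * real client; anything further left was supplied by the client and is ignored.
     */
    String resolveClientIp(String remoteAddr, String xForwardedFor) {
        if (!trustedProxies.contains(remoteAddr) || xForwardedFor == null || xForwardedFor.isBlank()) {
            return remoteAddr;
        }
        String[] hops = xForwardedFor.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (trustedProxies.contains(hop)) {
                continue;
            }
            return isValidIp(hop) ? hop : remoteAddr;
        }
        return remoteAddr;
    }

    /** Cheap syntactic check; avoids InetAddress.getByName, which would resolve hostnames via DNS. */
    private static boolean isValidIp(String s) {
        return s.matches("(\\d{1,3}\\.){3}\\d{1,3}") || s.matches("[0-9a-fA-F:]*:[0-9a-fA-F:]*");
    }

    public static void main(String[] args) {
        LoginRateLimiterDemo limiter = new LoginRateLimiterDemo(Set.of("10.0.0.2"));

        // Constructed request through our proxy: the client sent a spoofed "1.2.3.4" and the
        // proxy 10.0.0.2 appended the address it actually saw, 203.0.113.7.
        String ip = limiter.resolveClientIp("10.0.0.2", "1.2.3.4, 203.0.113.7");
        System.out.println("resolved client via proxy: " + ip);

        // Constructed direct connection: the header is not trusted at all.
        System.out.println("resolved client direct:    " + limiter.resolveClientIp("198.51.100.9", "1.2.3.4"));

        // Six attempts from the same client in one window.
        for (int i = 1; i <= 6; i++) {
            boolean allowed = limiter.tryAcquire(ip);
            System.out.println("attempt " + i + " -> " + (allowed ? "pass to auth" : "HTTP 429"));
        }

        limiter.reset();
        System.out.println("after scheduled reset -> " + (limiter.tryAcquire(ip) ? "pass to auth" : "HTTP 429"));
    }
}
```

Through the proxy the resolved client is 203.0.113.7, not the spoofed 1.2.3.4; on the direct connection it is the peer address 198.51.100.9; the sixth attempt in a window is rejected and the first attempt after `reset()` passes again. Two properties of this design are worth knowing when reading the real implementation: a fixed window that is cleared wholesale lets a client make up to 2 x MAX_ATTEMPTS attempts across a window boundary (a sliding window or token bucket avoids that), and the periodic `clear()` is also what bounds the map's memory, since every distinct source IP otherwise adds an entry.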
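Fix 3 replaces hand-built JSON for audit metadata with Jackson. The example below is added here and is not AuditService; it keeps the helper name `toMetadataJson` from the commit but the body is illustrative, and it assumes jackson-databind on the classpath. It puts the concatenation pattern next to the Jackson one and feeds both a constructed value containing a quote and a fabricated key, so the structural difference is visible when the output is parsed back.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Audit metadata serialization, before/after. Illustrative only; the helper name
 * matches the commit but this is not the project's implementation.
 */
public class AuditMetadataDemo {
    private static final ObjectMapper MAPPER = new ObjectMapper();

    /** The "before" pattern: values pasted into a JSON template without escaping. */
    static String toMetadataJsonUnsafe(Map<String, Object> metadata) {
        StringBuilder sb = new StringBuilder("{");
        boolean first = true;
        for (Map.Entry<String, Object> e : metadata.entrySet()) {
            if (!first) {
                sb.append(',');
            }
            first = false;
            sb.append('"').append(e.getKey()).append("\":\"").append(e.getValue()).append('"');
        }
        return sb.append('}').toString();
    }

    /** The "after" pattern: Jackson escapes quotes, backslashes and control characters in keys and values. */
    static String toMetadataJson(Map<String, Object> metadata) {
        try {
            return MAPPER.writeValueAsString(metadata);
        } catch (JsonProcessingException ex) {
            throw new IllegalStateException("audit metadata not serializable", ex);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a free-text field carrying a quote and a fabricated key.
        Map<String, Object> meta = new LinkedHashMap<>();
        meta.put("action", "EXPORT");
        meta.put("reason", "routine\",\"approvedBy\":\"admin");

        String unsafe = toMetadataJsonUnsafe(meta);
        String safe = toMetadataJson(meta);
        System.out.println("concat : " + unsafe);
        System.out.println("jackson: " + safe);

        // Parse both back and count top-level keys to see whether the structure survived.
        System.out.println("keys via concat : " + MAPPER.readTree(unsafe).size());
        System.out.println("keys via jackson: " + MAPPER.readTree(safe).size());
    }
}
```

The concatenated form parses to three keys, because the "reason" value closed its own string and added an "approvedBy" field the caller never set; the Jackson form parses back to the original two keys with the quotes escaped inside the value. Anyone later querying the audit log for who approved an export would be reading attacker-supplied data in the first case, which is why the commit moves all three services onto the single helper rather than fixing the escaping in each one.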