Please report security vulnerabilities to: security@fridgechef.com
- JWT-based authentication
- Secure password hashing (bcrypt)
- Token expiration (7 days default)
- HTTP-only cookies (recommended for production)
- Login: 5 attempts/minute
- Registration: 3 attempts/minute
- Image upload: 10 uploads/minute
- Recipe generation: 15 requests/minute
- General API: 100 requests/minute
- File type validation (images only)
- File size limits (10MB max)
- SQL injection protection (SQLAlchemy ORM)
- XSS protection (input sanitization)
- Restricted to specified origins
- Credentials allowed only for trusted origins
- Never commit API keys to version control
- Use environment variables
- Rotate keys regularly
- Restrict API key usage (HTTP referrers, IP allowlists)
-
Keep Dependencies Updated
pip list --outdated npm outdated
-
Regular Security Audits
pip install safety safety check npm audit
-
Use HTTPS in Production
- Enforce HTTPS redirects
- Set secure cookie flags
- HSTS headers
-
Database Security
- Strong passwords
- Encrypted connections
- Regular backups
- Access restrictions
-
Monitoring
- Log authentication failures
- Alert on rate limit violations
- Monitor for unusual patterns