Skip to content

Harden security, stability, and performance (quick wins)#175

Open
Sparksx wants to merge 1 commit into
mainfrom
claude/focused-curie-bro88y
Open

Harden security, stability, and performance (quick wins)#175
Sparksx wants to merge 1 commit into
mainfrom
claude/focused-curie-bro88y

Conversation

@Sparksx

@Sparksx Sparksx commented Jul 15, 2026

Copy link
Copy Markdown
Owner

Summary

Quick-win improvements across security, stability, and performance identified during a full codebase audit.

  • Enable Content Security Policy — CSP was completely disabled (contentSecurityPolicy: false); now enforces default-src 'self' with targeted exceptions for Stripe and WebSocket
  • Hash refresh tokens in DB — tokens stored as SHA-256 hashes instead of plaintext; a DB compromise no longer leaks usable tokens
  • Separate JWT dev secrets — access and refresh tokens used the same fallback secret in development, allowing token type confusion
  • Rate-limit PvP fights — new 2-req/10s limiter prevents fight spam and rating manipulation
  • Add escapeHtml utility — exported from components.js for safe user-content rendering (audit confirmed existing code already uses textContent properly)
  • Fix clan leave race condition — ownership transfer now runs in a single interactive transaction instead of a non-atomic read-delete-check sequence
  • Optimize PvP matchmaking query — candidate pool reduced from 100→20 with Elo-proximity filtering (+/- 300 rating), falling back to broader search on small servers

Test plan

  • All 524 tests pass
  • Lint: 0 errors (53 pre-existing warnings unchanged)
  • Production build succeeds
  • Verify login/logout flow works (refresh token hashing is transparent to client)
  • Verify PvP fight still finds opponents on live server
  • Verify clan leave + ownership transfer works for clan owners

🤖 Generated with Claude Code

https://claude.ai/code/session_01FVTWJfLx3L6nzMmJKPUJAf


Generated by Claude Code

Security:
- Enable Content Security Policy via Helmet (was disabled)
- Hash refresh tokens (SHA-256) before storing in DB
- Use distinct JWT dev secrets for access vs refresh tokens
- Add rate limiting on PvP fight endpoint (2 req/10s)
- Add escapeHtml utility for safe user content rendering

Stability:
- Wrap clan leave + ownership transfer in a single transaction

Performance:
- Reduce PvP opponent pool from 100 to 20 with Elo-proximity filter
- Fall back to broader search when few nearby opponents exist

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01FVTWJfLx3L6nzMmJKPUJAf
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants