security: fix VAPT vulnerabilities — WebSocket CSWSH, rate limiting, …

backend/app/config.py

@@ -39,6 +39,13 @@ class Settings(BaseSettings):
         "If not set, defaults to http://localhost:8087 when BASE_URL is http://localhost:8086, otherwise defaults to BASE_URL.",
     )
 
+    # Proxy
+    trusted_proxy_ips: str | None = Field(
+        default=None,
+        description="Comma-separated trusted proxy IPs/CIDRs for X-Forwarded-For (e.g. '10.0.0.0/8'). "
+        "If unset, all proxies are trusted (only safe when the app is not directly exposed).",
+    )
+
     # Database
     database_url: PostgresDsn = Field(
         default="postgresql://mfbt:iammfbt@localhost:5432/mfbt_dev",

backend/app/main.py

@@ -11,12 +11,16 @@
 import logging
 from contextlib import asynccontextmanager
 
-from fastapi import Depends, FastAPI
+from fastapi import Depends, FastAPI, Request
 from fastapi.middleware.cors import CORSMiddleware
+from slowapi import _rate_limit_exceeded_handler
+from slowapi.errors import RateLimitExceeded
 from starlette.middleware.sessions import SessionMiddleware
+from uvicorn.middleware.proxy_headers import ProxyHeadersMiddleware
 
 from app.auth.trial import require_active_trial, require_tokens_available
 from app.config import settings
+from app.rate_limit import limiter
 from app.routers import (
     activity,
     agent_api,
@@ -144,16 +148,25 @@ async def lifespan(app: FastAPI):
     lifespan=lifespan,
 )
 
+# Trust X-Forwarded-For from reverse proxy so request.client.host is the real client IP
+# (required for rate limiting to work correctly behind nginx/Traefik/load balancers)
+# Set TRUSTED_PROXY_IPS to comma-separated IPs/CIDRs in production (e.g. "10.0.0.0/8")
+_trusted_hosts = settings.trusted_proxy_ips.split(",") if settings.trusted_proxy_ips else ["*"]
+app.add_middleware(ProxyHeadersMiddleware, trusted_hosts=_trusted_hosts)
+
+# Register rate limiter
+app.state.limiter = limiter
+app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler)
+
 # Configure CORS
 # For development, allow frontend origin to support OAuth cookie flow
 # Also allow other origins for MCP clients (but those won't get credentials)
+_cors_origins = [settings.frontend_url]
+if settings.is_development:
+    _cors_origins.extend(["http://localhost:8087", "http://127.0.0.1:8087"])
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=[
-        settings.frontend_url,  # Frontend origin for OAuth cookie flow
-        "http://localhost:8087",  # Explicit localhost for development
-        "http://127.0.0.1:8087",  # Alternative localhost
-    ],
+    allow_origins=_cors_origins,
     allow_credentials=True,  # Required for cookies to work cross-origin
     allow_methods=["*"],  # Allow all methods
     allow_headers=["*"],  # Allow all headers
@@ -253,6 +266,15 @@ async def lifespan(app: FastAPI):
     app.include_router(_rp.router, prefix=_prefix, dependencies=_deps)
 
 
+@app.middleware("http")
+async def add_security_headers(request: Request, call_next):
+    """Add security headers to all responses."""
+    response = await call_next(request)
+    response.headers["X-Content-Type-Options"] = "nosniff"
+    response.headers["X-Frame-Options"] = "DENY"
+    return response
+
+
 @app.get("/health", tags=["health"])
 async def health_check():
     """

backend/app/rate_limit.py

@@ -0,0 +1,6 @@
+"""Rate limiting configuration using slowapi."""
+
+from slowapi import Limiter
+from slowapi.util import get_remote_address
+
+limiter = Limiter(key_func=get_remote_address)

backend/app/routers/auth.py

@@ -34,6 +34,7 @@
 from app.database import get_async_db, get_db
 from app.models.user import User
 from app.plugin_registry import get_plugin_registry
+from app.rate_limit import limiter
 from app.schemas.api_key import ApiKeyCreate
 from app.schemas.auth import (
     OrgMembershipResponse,
@@ -143,7 +144,9 @@ def _get_known_provider_slugs() -> set[str]:
 
 
 @router.post("/register", response_model=RegistrationResponse, status_code=status.HTTP_201_CREATED)
+@limiter.limit("5/minute")
 async def register(
+    request: Request,
     user_data: UserCreate,
     db: Annotated[Session, Depends(get_db)],
     async_db: Annotated[AsyncSession, Depends(get_async_db)],
@@ -266,7 +269,9 @@ async def register(
 
 
 @router.post("/login", response_model=TokenResponse)
+@limiter.limit("10/minute")
 def login(
+    request: Request,
     form_data: Annotated[OAuth2PasswordRequestForm, Depends()],
     db: Annotated[Session, Depends(get_db)],
 ) -> TokenResponse:
@@ -373,7 +378,9 @@ def get_current_user_info(
 
 
 @router.get("/me/token", response_model=TokenResponse)
+@limiter.limit("30/minute")
 def get_session_token(
+    request: Request,
     session_cookie: Annotated[str | None, Cookie(alias="mfbt_session")] = None,
     db: Session = Depends(get_db),
 ) -> TokenResponse:
@@ -658,8 +665,10 @@ def verify_email(
 
 
 @router.post("/resend-verification", response_model=ResendVerificationResponse)
+@limiter.limit("3/minute")
 async def resend_verification(
-    request: ResendVerificationRequest,
+    request: Request,
+    verification_request: ResendVerificationRequest,
     db: Annotated[Session, Depends(get_db)],
     async_db: Annotated[AsyncSession, Depends(get_async_db)],
 ) -> ResendVerificationResponse:
@@ -678,7 +687,7 @@ async def resend_verification(
     Returns:
         ResendVerificationResponse with generic message
     """
-    user = UserService.get_user_by_email(db, request.email)
+    user = UserService.get_user_by_email(db, verification_request.email)
 
     # Always return the same message for security (don't reveal if email exists)
     generic_message = "If an account with that email exists and is not yet verified, a verification email has been sent"

backend/app/routers/websocket.py

@@ -9,6 +9,7 @@
 from sqlalchemy.orm import Session
 
 from app.auth.utils import decode_access_token
+from app.config import settings
 from app.models.user import User
 from app.permissions.context import OrgContext
 from app.services.user_service import UserService
@@ -19,6 +20,15 @@
 router = APIRouter(prefix="/ws", tags=["websocket"])
 
 
+def get_allowed_ws_origins() -> set[str]:
+    """Build the set of allowed WebSocket origins (same as CORS config)."""
+    origins = {settings.frontend_url}
+    if settings.is_development:
+        origins.update({"http://localhost:8087", "http://127.0.0.1:8087"})
+    # Normalize: strip trailing slashes
+    return {o.rstrip("/") for o in origins}
+
+
 async def get_current_user_ws(
     token: str,
     db: Session,
@@ -86,6 +96,17 @@ async def websocket_jobs_endpoint(
             }
         }
     """
+    # Validate Origin header to prevent Cross-Site WebSocket Hijacking (CSWSH).
+    # Absent Origin is allowed: non-browser clients (MCP tools, CLI) don't send it.
+    # These clients are still authenticated via JWT token in the query parameter.
+    origin = websocket.headers.get("origin")
+    if origin is not None:
+        normalized_origin = origin.rstrip("/")
+        if normalized_origin not in get_allowed_ws_origins():
+            logger.warning(f"WebSocket rejected: disallowed origin={origin}")
+            await websocket.close(code=status.WS_1008_POLICY_VIOLATION, reason="Origin not allowed")
+            return
+
     # Authenticate user with a short-lived DB session (not held during WebSocket lifetime)
     from app.database import SessionLocal
 

backend/pyproject.toml

@@ -43,6 +43,7 @@ dependencies = [
     "mistune>=3.0",
     "tavily-python>=0.5.0",
     "redis>=7.1.0",
+    "slowapi>=0.1.9",
 ]
 
 [project.optional-dependencies]