security: P1/P2 hardening — rate limiting, CORS, Redis auth, network isolation

- Add Redis-based sliding window rate limiting on login, register, forgot-password, reset-password - Fix user enumeration: register returns generic 200 for both new and existing emails - Add Redis authentication (requirepass) and password in .env - Docker network isolation: postgres/redis on internal-only network - Whitelist Stripe redirect origins (prevent open redirect) - Add 10MB request size limit on trace ingestion - Limit API keys to 10 per user - Add CORS headers via middleware (whitelist agentlens.vectry.tech + localhost) - Reduce JWT max age from 30 days to 7 days
2026-02-10 17:03:48 +00:00
parent e9cd11735c
commit cccb3123ed
17 changed files with 315 additions and 34 deletions
--- a/.env.example
+++ b/.env.example
@@ -12,5 +12,8 @@ POSTGRES_USER=agentlens
 POSTGRES_PASSWORD=
 POSTGRES_DB=agentlens

+# Redis
+REDIS_PASSWORD=          # Generate with: openssl rand -base64 24
+
 # Email (optional — email features disabled if not set)
 EMAIL_PASSWORD=