0d8b2cdb3f
- Add helmet for secure HTTP response headers.
- Add express-rate-limit: 60 req/min general, 20 req/min on LLM endpoints.
- Restrict CORS to localhost origins in dev, CORS_ORIGIN env var in prod.
- Cap request body at 16kb.
- Add sanitizeText() to strip control chars on all string inputs.
- Add isValidStandardId() regex guard on :id param and standard_id fields.
- All route handlers use sanitized values; no raw req.body/req.query access.
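The input-sanitisation layer the commit describes, as an added example that is not the project's own code: sanitizeText() and isValidStandardId() as pure functions, plus a request parser that hands handlers only validated, sanitised fields, so it runs without Express. The id pattern, the accepted field names and the choice to keep TAB/LF in free text are assumptions.

```javascript
// Assumed id format (not from the commit): 2-10 uppercase letters/digits,
// a dash, then 1-6 digits, e.g. "ISO-27001". No 'u' or 'm' flag, so \d is
// ASCII-only and '$' matches only at the true end of the string.
const STANDARD_ID_RE = /^[A-Z0-9]{2,10}-\d{1,6}$/;

// Fields a handler may receive from the body; anything else is dropped.
const ALLOWED_FIELDS = new Set(['title', 'notes', 'standard_id']);

// Strip C0 controls (keeping TAB and LF for multi-line notes, an assumption),
// DEL and the C1 range, then trim and cap length. CR is removed, so the
// result never carries a CRLF. Non-strings become an empty string.
function sanitizeText(value, maxLen = 2000) {
  if (typeof value !== 'string') return '';
  return value
    .replace(/[\u0000-\u0008\u000B-\u001F\u007F-\u009F]/g, '')
    .trim()
    .slice(0, maxLen);
}

// Reject rather than repair: a malformed id is an error, not something to clean.
function isValidStandardId(id) {
  return typeof id === 'string' && STANDARD_ID_RE.test(id);
}

// Build the only object a route handler sees. The raw params/body are never
// returned, so there is no path back to unsanitised input.
function parseStandardRequest(params, body) {
  const id = params && params.id;
  if (!isValidStandardId(id)) return { ok: false, error: 'invalid id' };
  const src = body && typeof body === 'object' ? body : {};
  const fields = {};
  for (const key of Object.keys(src)) {
    if (!ALLOWED_FIELDS.has(key)) continue;
    fields[key] = sanitizeText(src[key]);
  }
  if (fields.standard_id !== undefined && !isValidStandardId(fields.standard_id)) {
    return { ok: false, error: 'invalid standard_id' };
  }
  return { ok: true, id, fields };
}
```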