- CORS: restrict origin from wildcard '*' to app URL from env (prevents
cross-origin requests from arbitrary sites)
- Sessions: enable @adonisjs/session with cookie store and httpOnly/secure
cookie flags; uncomment session middleware in kernel.ts
- CSRF: enable shield CSRF protection (requires sessions); uses XSRF-TOKEN
cookie mechanism compatible with Inertia.js/Axios; exempts /api/health
and SSE transmit endpoints
- CSP: enable Content Security Policy with restrictive directives
(no object-src, no frame-src, self-only script/style/connect/font)
- HSTS: enable HTTP Strict Transport Security in production only
- Path traversal: tighten filenameParamValidator to block /, \, ..,
and shell special characters; reduce max length from 4096 to 255
- env: add URL to .env.example; uncomment SESSION_DRIVER validation in env.ts
https://claude.ai/code/session_01WfRC4tDeYprykhMrg4PxX6
