Diffstat (limited to 'docs/dev')
-rw-r--r--  docs/dev/roadmap.md  17
1 file changed, 17 insertions, 0 deletions
diff --git a/docs/dev/roadmap.md b/docs/dev/roadmap.md
index 4533633..38ef3be 100644
--- a/docs/dev/roadmap.md
+++ b/docs/dev/roadmap.md
@@ -188,6 +188,23 @@ Smaller features first to enable early MVP validation.
---
+## Phase 9: Security Hardening
+
+**Goal**: Address security vulnerabilities identified in code review
+
+### High Priority
+- [ ] Add rate limiting to login endpoint (brute force protection)
+- [ ] Configure CORS middleware
+
+### Medium Priority
+- [ ] Fix card update authorization in sync push (verify existing card ownership)
+- [ ] Unify password length requirement (add-user.ts: 8 chars → 15 chars)
+
+### Low Priority
+- [ ] Consider httpOnly cookie for token storage (XSS mitigation)
+
+---
+
## Future Considerations
By priority:
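Review bot: The priority ordering in this hunk puts an authorization defect below two configuration tasks, which reads backwards. "Fix card update authorization in sync push (verify existing card ownership)" describes a missing ownership check, i.e. an authenticated user can act on cards they do not own, whereas "Configure CORS middleware" is a hardening setting; I would move the sync push fix into "### High Priority" and keep CORS at Medium unless the code review found a concrete cross-origin exposure. Two smaller points: each checklist item should carry a reference to the code review finding it came from (ticket or review comment), since otherwise a reader cannot tell what "identified in code review" covers or verify when an item is done; and "Unify password length requirement (add-user.ts: 8 chars → 15 chars)" names only one side of the mismatch, so it is worth naming the other location that already enforces 15 characters, or stating where the single shared constant will live, so the unification is verifiable rather than a one-file edit.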