
Add security headers, CORS, rate limiting, and API authentication#5

Open
super3 wants to merge 1 commit into main from claude/secure-api-endpoints-0FSID

Conversation

super3 (Owner) commented Apr 2, 2026

Summary

This PR enhances the security posture of the PadTask server by implementing multiple security layers: HTTP security headers via Helmet, configurable CORS restrictions, rate limiting on API endpoints, and optional Bearer token authentication.

Key Changes

  • Security Headers: Added Helmet middleware to set security headers (X-Content-Type-Options, X-Frame-Options, etc.)
  • CORS Configuration: Replaced open CORS policy with configurable origin restrictions via ALLOWED_ORIGINS environment variable; defaults to same-origin only
  • Rate Limiting: Implemented express-rate-limit on /api/ endpoints (100 requests per 15 minutes per IP)
  • API Authentication: Added optional Bearer token authentication via API_SECRET_KEY environment variable; when configured, all API requests require Authorization: Bearer <token> header
  • Test Coverage: Added comprehensive test suites for security headers, CORS behavior, and authentication scenarios
  • Documentation: Updated .env.example with new configuration options

Implementation Details

  • Authentication middleware is applied to /api/chat and /api/clear endpoints and gracefully skips validation when API_SECRET_KEY is not set
  • CORS origin validation uses a callback function to allow same-origin requests (no Origin header) while restricting cross-origin requests to explicitly allowed origins
  • Rate limiter state is reset between tests to ensure test isolation
  • All new dependencies (helmet, express-rate-limit) are production dependencies

https://claude.ai/code/session_01757fV1nPvDZ7rviGSuYwp7

- Add helmet middleware for security headers (CSP, X-Frame-Options, etc.)
- Add express-rate-limit (100 req/15min) on /api/ endpoints
- Lock CORS to ALLOWED_ORIGINS env var; only same-origin allowed by default
- Add Bearer token auth middleware on /api/chat and /api/clear (via API_SECRET_KEY env)
- Update .env.example with new config options
- Add tests for all security features (100% coverage maintained)

https://claude.ai/code/session_01757fV1nPvDZ7rviGSuYwp7
railway-app bot commented Apr 2, 2026

🚅 Deployed to the padtask-pr-5 environment in padtask

Service   Status       Web   Updated (UTC)
padtask   ✅ Success   Web   Apr 2, 2026 at 3:08 pm
