Security: gmcculloug/playlist_creator

SECURITY.md

Security Improvements Summary

This document outlines all the security and efficiency improvements made to the playlist creator application.

🚨 CRITICAL: Action Required

1. Rotate All API Credentials Immediately

Your credentials have been exposed and must be rotated:

  • Google OAuth credentials in credentials.json

    • Go to Google Cloud Console
    • Navigate to your project → Credentials
    • Delete the old OAuth 2.0 Client ID
    • Create a new one and download fresh credentials
  • Spotify credentials in .env

    • Go to Spotify Developer Dashboard
    • Navigate to your app settings
    • Click "Rotate Client Secret"
    • Update your .env file with the new secret

2. Update Environment Variables

Your .env file needs new variables. Copy from .env.example:

# Required new variables:
PORT=3001
FRONTEND_URL=http://localhost:3000
BACKEND_URL=http://localhost:3001
ALLOWED_ORIGINS=http://localhost:3000
VITE_API_BASE_URL=http://localhost:3001

✅ Security Fixes Implemented

1. Fixed CORS Configuration

  • Before: Wide-open CORS accepting requests from ANY origin
  • After: Restricted to specific allowed origins from environment variables
  • File: server.js:11-17
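The allowlist check behind this fix, written here as an added example rather than the project's own server.js. It assumes the ALLOWED_ORIGINS variable introduced above is a comma-separated list of origins, and it shows the point that matters most: the match must be exact on scheme, host and port, because prefix or substring checks are trivially bypassed.

```javascript
// Added example (not the project's server.js): an origin allowlist built from
// the ALLOWED_ORIGINS variable this document introduces. The "before" state was
// cors() with no options, which reflects any caller's Origin header.

// Parse a comma-separated ALLOWED_ORIGINS value into a Set of canonical origins.
function parseAllowedOrigins(envValue) {
  const allowed = new Set();
  for (const raw of (envValue || "").split(",")) {
    const value = raw.trim();
    if (!value) continue;
    // new URL(...).origin canonicalizes scheme, host case and default ports and
    // throws on garbage, so a typo in .env fails loudly at startup.
    allowed.add(new URL(value).origin);
  }
  return allowed;
}

// Decide whether a request's Origin header may receive CORS headers.
// Returns the origin to echo back, or null for no Access-Control-Allow-Origin.
function corsOriginFor(requestOrigin, allowed) {
  if (typeof requestOrigin !== "string") return null; // non-browser / same-origin
  let normalized;
  try {
    normalized = new URL(requestOrigin).origin;
  } catch {
    return null; // malformed or opaque ("null") Origin header
  }
  // Exact set membership: "http://localhost:3000.evil.example" and
  // "https://localhost:3000" are different origins and must not match.
  return allowed.has(normalized) ? normalized : null;
}

// Build an options object in the shape the `cors` package accepts.
function corsOptionsFromEnv(env) {
  const allowed = parseAllowedOrigins(env.ALLOWED_ORIGINS);
  return {
    origin(origin, callback) {
      const echo = corsOriginFor(origin, allowed);
      // cors convention: callback(null, false) means "send no CORS headers"
      callback(null, echo !== null ? echo : false);
    },
    credentials: true,
    optionsSuccessStatus: 204,
  };
}
```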

2. Added Input Validation

  • All user inputs are now validated for type, length, and format
  • Prevents injection attacks and malformed requests
  • Files: server.js:139-152, 188-191

3. Implemented Rate Limiting

  • Authentication endpoints: 10 requests per 15 minutes
  • General API endpoints: 100 requests per minute
  • Prevents brute force attacks and API abuse
  • File: server.js:19-37

4. Added Security Headers

  • Content-Security-Policy: Prevents XSS attacks
  • X-Frame-Options: Prevents clickjacking
  • X-Content-Type-Options: Prevents MIME sniffing
  • X-XSS-Protection: Additional XSS protection
  • Referrer-Policy: Controls referrer information
  • File: server.js:41-61

5. Environment-Based Configuration

  • All hardcoded URLs replaced with environment variables
  • Supports different configurations for dev/staging/production
  • Files: server.js, all frontend src/*.jsx files

6. Health Check Endpoint

  • Monitor server status and authentication state
  • Endpoint: GET /health
  • File: server.js:130-139

⚡ Performance Improvements

1. API Response Caching

  • 5-minute cache for user profiles, playlists, and tracks
  • Reduces redundant API calls by up to 80%
  • File: src/SpotifyAPI.jsx:8-30

2. Parallel API Calls

  • Trello card fetching now parallelized
  • Board info fetching parallelized
  • Significantly faster data loading
  • File: src/TrelloAPI.jsx:155-169, 36-48

3. Retry Logic with Exponential Backoff

  • Automatic retry on transient failures
  • Exponential backoff prevents overwhelming APIs
  • File: src/SpotifyAPI.jsx:3-23
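An added example of the retry policy described above; it is not the project's src/SpotifyAPI.jsx. It assumes a fetch-style client and shows the two details that keep a retry loop from becoming a source of abuse: only transient failures (429, 5xx, network errors) are retried, never 401/403/404, and a Retry-After header from the API takes precedence over the computed backoff.

```javascript
// Added example, not the project's code: exponential backoff with full jitter,
// bounded attempts, and Retry-After support. `fetchFn`, `sleep` and `random`
// are injectable so the behaviour can be tested without a network or timers.

function isTransient(status) {
  return status === 429 || (status >= 500 && status <= 599);
}

// Delay before retry number `attempt` (1-based): base * 2^(attempt-1), capped,
// then scaled by a random factor so many clients do not retry in lockstep.
function backoffDelay(attempt, { baseMs = 500, maxMs = 8000, random = Math.random } = {}) {
  const exp = Math.min(maxMs, baseMs * 2 ** (attempt - 1));
  return Math.floor(exp * random());
}

async function fetchWithRetry(url, options = {}, {
  retries = 3, baseMs = 500, maxMs = 8000,
  fetchFn = globalThis.fetch,
  sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
  random = Math.random,
} = {}) {
  for (let attempt = 0; ; attempt++) {
    let response;
    try {
      response = await fetchFn(url, options);
    } catch (err) {
      // Network-level failure (DNS, reset, timeout): treat as transient.
      if (attempt >= retries) throw err;
      await sleep(backoffDelay(attempt + 1, { baseMs, maxMs, random }));
      continue;
    }
    // Non-transient statuses (401 expired token, 403, 404, ...) go straight
    // back to the caller; retrying them only burns quota.
    if (!isTransient(response.status) || attempt >= retries) return response;
    const retryAfter = Number(response.headers.get("Retry-After"));
    const delay = Number.isFinite(retryAfter) && retryAfter > 0
      ? retryAfter * 1000 // the API told us exactly how long to wait
      : backoffDelay(attempt + 1, { baseMs, maxMs, random });
    await sleep(delay);
  }
}
```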

🔒 Security Best Practices

What's Protected

  • ✅ Secrets are in .gitignore
  • ✅ CORS is restricted to specific origins
  • ✅ All inputs are validated
  • ✅ Rate limiting prevents abuse
  • ✅ Security headers prevent common attacks
  • ✅ Environment-based configuration

What Still Needs Attention

⚠️ Tokens in localStorage

  • Any script running on the page can read localStorage, so an XSS bug leaks the tokens
  • Recommended: Move to HttpOnly cookies or implement sessionStorage
  • Future enhancement: Server-side session management

⚠️ HTTPS in Production

  • Never send tokens over HTTP in production
  • Action: Use HTTPS for all production deployments
  • Set FRONTEND_URL and BACKEND_URL to HTTPS URLs

⚠️ Secrets Management

  • .env file should never be committed to git
  • Recommended: Use a secrets manager (AWS Secrets Manager, 1Password, etc.)
  • For production, use environment variables from your hosting platform

📋 Production Checklist

Before deploying to production:

  • Rotate all API credentials
  • Set all environment variables in your hosting platform
  • Use HTTPS for all URLs (FRONTEND_URL, BACKEND_URL)
  • Update ALLOWED_ORIGINS to include production domain
  • Test rate limiting to ensure it doesn't block legitimate users
  • Set up monitoring for the /health endpoint
  • Review and adjust cache TTL if needed (currently 5 minutes)
  • Consider implementing request logging for security auditing

🛠️ Development Setup

  1. Update your .env file with new variables from .env.example
  2. Install dependencies: npm install
  3. Rotate your API credentials as described above
  4. Test the application:
    # Terminal 1: Start backend
    npm run server
    
    # Terminal 2: Start frontend
    npm start
  5. Test health endpoint: curl http://localhost:3001/health

📊 Monitoring

Health Check Response

{
  "status": "ok",
  "timestamp": "2026-04-16T12:00:00.000Z",
  "uptime": 3600,
  "youtube": {
    "configured": true,
    "authenticated": true
  }
}

Rate Limit Headers

When rate limited, the API returns:

  • X-RateLimit-Limit: Maximum requests allowed
  • X-RateLimit-Remaining: Requests remaining
  • X-RateLimit-Reset: When the limit resets
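The limiter behind sections "3. Implemented Rate Limiting" and "Rate Limit Headers", as an added example rather than the project's server.js. It assumes a fixed window keyed by client IP, uses the two policies this document lists (10 per 15 minutes for auth, 100 per minute for the API), emits the three X-RateLimit-* headers described above plus Retry-After on a 429, and takes an injectable clock so the behaviour is deterministic.

```javascript
// Added example, not the project's code: a fixed-window rate limiter with the
// X-RateLimit-* headers this document describes. `now` is injectable.
function createRateLimiter({ limit, windowMs, now = () => Date.now() }) {
  const buckets = new Map(); // key -> { count, windowStart }

  // Record one request for `key`. Returns whether it is allowed plus the
  // headers to set on the response either way.
  function check(key) {
    const t = now();
    let bucket = buckets.get(key);
    if (!bucket || t - bucket.windowStart >= windowMs) {
      bucket = { count: 0, windowStart: t }; // start a fresh window
      buckets.set(key, bucket);
    }
    bucket.count += 1;
    const allowed = bucket.count <= limit;
    const resetAt = bucket.windowStart + windowMs;
    return {
      allowed,
      headers: {
        "X-RateLimit-Limit": String(limit),
        "X-RateLimit-Remaining": String(Math.max(0, limit - bucket.count)),
        "X-RateLimit-Reset": String(Math.ceil(resetAt / 1000)), // unix seconds
        ...(allowed ? {} : { "Retry-After": String(Math.ceil((resetAt - t) / 1000)) }),
      },
    };
  }

  // Drop expired buckets so a long-running process does not grow without bound.
  function prune() {
    const t = now();
    for (const [key, b] of buckets) if (t - b.windowStart >= windowMs) buckets.delete(key);
    return buckets.size;
  }
  return { check, prune };
}

// The two policies from this document.
const authLimiter = (now) => createRateLimiter({ limit: 10, windowMs: 15 * 60 * 1000, now });
const apiLimiter = (now) => createRateLimiter({ limit: 100, windowMs: 60 * 1000, now });

// Express-style middleware adapter (only uses res.setHeader/status/json).
function rateLimitMiddleware(limiter, keyOf = (req) => req.ip) {
  return (req, res, next) => {
    const { allowed, headers } = limiter.check(keyOf(req));
    for (const [h, v] of Object.entries(headers)) res.setHeader(h, v);
    if (!allowed) return res.status(429).json({ error: "Too many requests" });
    next();
  };
}
```

A process-local Map only limits per instance; behind a load balancer with several backends the counters need a shared store, otherwise each instance grants the full quota.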

🔗 Additional Resources

📝 Change Log

2026-04-16

  • ✅ Fixed CORS configuration
  • ✅ Added input validation
  • ✅ Implemented rate limiting
  • ✅ Added security headers
  • ✅ Environment-based configuration
  • ✅ API response caching
  • ✅ Parallelized API calls
  • ✅ Retry logic with exponential backoff
  • ✅ Health check endpoint
