Skip to content

Security hardening + DRY refactor#1

Merged
thomasluizon merged 1 commit into
mainfrom
chore/security-hardening-and-dry-refactor
Mar 20, 2026
Merged

Security hardening + DRY refactor#1
thomasluizon merged 1 commit into
mainfrom
chore/security-hardening-and-dry-refactor

Conversation

@thomasluizon

Copy link
Copy Markdown
Owner

Summary

  • Emergency fixes: mandatory Stripe webhook signature verification, fix inverted HTTPS redirect, set Stripe API key globally at startup
  • Security hardening: SecurityHeadersMiddleware, restricted CORS, 10MB body limit, input validation for chat history and Stripe intervals
  • DRY infrastructure: ErrorMessages, AppConstants, CacheInvalidationHelper, ResultExtensions -- applied across 30+ handlers
  • DRY controllers: ResultActionResultExtensions (PayGate-aware responses), SharedHabitRules, TagsController logging
  • Code cleanup: replace goto with flag+continue in BulkCreateHabitsCommand
  • CLAUDE.md: documented new DRY patterns, security conventions, and git workflow

Test plan

  • dotnet build passes (verified)
  • Stripe checkout flow works (monthly/semiannual/yearly)
  • Stripe webhook processes events correctly
  • Habit CRUD still works end-to-end
  • Tag CRUD logs properly

Generated with Claude Code

Emergency fixes: mandatory Stripe webhook signature verification,
fix inverted HTTPS redirect, set Stripe API key globally at startup.

Security: add SecurityHeadersMiddleware, restrict CORS to explicit
methods/headers, add 10MB request body limit, validate chat history
size and Stripe checkout intervals.

DRY: extract ErrorMessages, AppConstants, CacheInvalidationHelper,
ResultExtensions, ResultActionResultExtensions, SharedHabitRules.
Apply across 30+ command handlers and 5 controllers. Replace goto
with flag+continue in BulkCreateHabitsCommand. Add logging to
TagsController.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant