Security audit fixes: XSS, API key leak, headers, rate limiting

CRITICAL:
- Fix XSS: sessionId now JSON.stringify'd + script-escaped in JS contexts
- Fix XSS: org.name uses escapeHtml() in HTML, JSON.stringify in JS

HIGH:
- Remove API key from already-provisioned confirm-payment response
- Add helmet for security headers (X-Frame-Options, HSTS, etc.)
- Truncate API keys in console.log (show first 12 chars only)

MEDIUM:
- Rate limit confirm-payment: 10 req/min per IP
- Sanitize error messages in web-facing routes (generic client msg)
- Fix refCode JSON.stringify script breakout with \u003c escaping

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Christian Shearer

package-lock.json

@@ -62,6 +62,7 @@
     "better-sqlite3": "^12.6.2",
     "ethers": "^6.16.0",
     "express": "^5.2.1",
+    "helmet": "^8.1.0",
     "osmojs": "^16.15.0",
     "stripe": "^20.3.1"
   },

package.json

@@ -199,9 +199,26 @@ export function createApiRoutes(
     res.json(paymentRequiredBody.payment);
   });
 
+  // Rate limiter for confirm-payment endpoint (10 req/min per IP)
+  const confirmPaymentLimiter = new Map<string, { count: number; windowStart: number }>();
+
   // POST /api/v1/confirm-payment — agent confirms a crypto payment
   router.post("/api/v1/confirm-payment", async (req: Request, res: Response) => {
     try {
+      // IP-based rate limiting
+      const ip = req.ip || req.socket.remoteAddress || "unknown";
+      const rlNow = Date.now();
+      const rlWindow = confirmPaymentLimiter.get(ip);
+      if (rlWindow && rlNow - rlWindow.windowStart < 60_000 && rlWindow.count >= 10) {
+        apiError(res, 429, "RATE_LIMITED", "Too many payment confirmation attempts. Try again in a minute.");
+        return;
+      }
+      if (!rlWindow || rlNow - rlWindow.windowStart >= 60_000) {
+        confirmPaymentLimiter.set(ip, { count: 1, windowStart: rlNow });
+      } else {
+        rlWindow.count++;
+      }
+
       const { chain, tx_hash, email } = req.body ?? {};
 
       if (!chain || typeof chain !== "string") {
@@ -218,7 +235,7 @@ export function createApiRoutes(
       if (existing) {
         if (existing.status === "provisioned" && existing.user_id) {
           const user = db.prepare("SELECT * FROM users WHERE id = ?").get(existing.user_id) as User | undefined;
-          res.json({ status: "already_provisioned", api_key: user?.api_key, message: "This payment has already been processed." });
+          res.json({ status: "already_provisioned", message: "This payment has already been processed. Check your email for your API key." });
         } else {
           res.json({ status: existing.status, message: "This transaction has already been recorded." });
         }

src/server/api-routes.ts

@@ -16,6 +16,7 @@
  */
 
 import express from "express";
+import helmet from "helmet";
 import Stripe from "stripe";
 import { getDb } from "./db.js";
 import { createRoutes } from "./routes.js";
@@ -332,6 +333,11 @@ export function startServer(options: { port?: number; dbPath?: string } = {}) {
   app.use(express.json());
   app.use(express.urlencoded({ extended: false }));
 
+  // Security headers (relaxed CSP since we use inline scripts extensively)
+  app.use(helmet({
+    contentSecurityPolicy: false,
+  }));
+
   // Mount routes (landing page, feedback, cancel, checkout-page always work;
   // Stripe-dependent routes like /subscribe, /checkout, /webhook, /success, /manage
   // are conditionally registered inside createRoutes when stripe is non-null)

src/server/index.ts

@@ -804,7 +804,7 @@ ${SUPPORTED_LANGS.map(l => `  <link rel="alternate" hreflang="${l}" href="${base
 
     function doSubscribe(tier, interval) {
       var body = { tier: tier, interval: interval };
-      ${refCode ? `body.referral_code = ${JSON.stringify(refCode)};` : ""}
+      ${refCode ? `body.referral_code = ${JSON.stringify(refCode).replace(/</g, "\\u003c")};` : ""}
       fetch('/subscribe', {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
@@ -920,7 +920,7 @@ ${betaBannerJS()}
     } catch (err) {
       const msg = err instanceof Error ? err.message : String(err);
       console.error("Subscribe error:", msg);
-      res.status(500).json({ error: msg });
+      res.status(500).json({ error: "An internal error occurred. Please try again." });
     }
   });
 
@@ -996,7 +996,7 @@ ${betaBannerJS()}
     } catch (err) {
       const msg = err instanceof Error ? err.message : String(err);
       console.error("Subscribe-org error:", msg);
-      res.status(500).json({ error: msg });
+      res.status(500).json({ error: "An internal error occurred. Please try again." });
     }
   });
 
@@ -1038,7 +1038,8 @@ ${betaBannerJS()}
       res.json({ ok: true, publicity_opt_in: !!opt_in });
     } catch (err) {
       const msg = err instanceof Error ? err.message : String(err);
-      res.status(500).json({ error: msg });
+      console.error("Org publicity error:", msg);
+      res.status(500).json({ error: "An internal error occurred. Please try again." });
     }
   });
 
@@ -1093,7 +1094,7 @@ ${betaBannerJS()}
     } catch (err) {
       const msg = err instanceof Error ? err.message : String(err);
       console.error("Checkout error:", msg);
-      res.status(500).json({ error: msg });
+      res.status(500).json({ error: "An internal error occurred. Please try again." });
     }
   });
 
@@ -1165,7 +1166,7 @@ ${betaBannerJS()}
     } catch (err) {
       const msg = err instanceof Error ? err.message : String(err);
       console.error("Boost checkout error:", msg);
-      res.status(500).json({ error: msg });
+      res.status(500).json({ error: "An internal error occurred. Please try again." });
     }
   });
 
@@ -1217,7 +1218,7 @@ ${betaBannerJS()}
       let user = email ? getUserByEmail(db, email) : undefined;
       if (!user) {
         user = createUser(db, email, stripeCustomerId);
-        console.log(`New user created: ${user.api_key} (${email})`);
+        console.log(`New user created: ${user.api_key.slice(0, 12)}... (${email})`);
       }
 
       // Extract billing interval from the Stripe subscription (if subscription mode)
@@ -1424,7 +1425,7 @@ export REGEN_BALANCE_URL=${baseUrl}</pre>
       <div class="regen-card__body">
         <h2 style="color:var(--regen-navy);margin:0 0 8px;font-size:18px;font-weight:700;">Share your commitment?</h2>
         <p style="color:var(--regen-gray-700);font-size:14px;margin:0 0 14px;line-height:1.6;">
-          Would you like us to feature <strong>${org.name.replace(/</g, "&lt;")}</strong> on our website and social media as an organization committed to regenerative AI? This helps inspire others to follow your lead.
+          Would you like us to feature <strong>${escapeHtml(org.name)}</strong> on our website and social media as an organization committed to regenerative AI? This helps inspire others to follow your lead.
         </p>
         <div id="publicity-prompt" style="display:flex;gap:10px;align-items:center;">
           <button onclick="setPublicity(true)" class="regen-btn regen-btn--solid regen-btn--sm">Yes, share it</button>
@@ -1438,12 +1439,12 @@ export REGEN_BALANCE_URL=${baseUrl}</pre>
       fetch('/org/publicity', {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
-        body: JSON.stringify({ org_id: ${org.id}, opt_in: optIn, session_id: '${sessionId}' })
+        body: JSON.stringify({ org_id: ${org.id}, opt_in: optIn, session_id: ${JSON.stringify(sessionId).replace(/</g, "\\u003c")} })
       }).then(function(r) { return r.json(); }).then(function(data) {
         document.getElementById('publicity-prompt').style.display = 'none';
         var saved = document.getElementById('publicity-saved');
         saved.style.display = 'block';
-        saved.textContent = optIn ? 'Thank you! We\\'ll feature ${org.name.replace(/'/g, "\\'")} on our site.' : 'No problem — you can change this anytime from your dashboard.';
+        saved.textContent = optIn ? 'Thank you! We\\'ll feature ' + ${JSON.stringify(org.name).replace(/</g, "\\u003c")} + ' on our site.' : 'No problem — you can change this anytime from your dashboard.';
       });
     }
     </script>
@@ -1495,7 +1496,7 @@ export REGEN_BALANCE_URL=${baseUrl}</pre>
       fetch('/profile/display-name', {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
-        body: JSON.stringify({ session_id: '${sessionId}', display_name: name })
+        body: JSON.stringify({ session_id: ${JSON.stringify(sessionId).replace(/</g, "\\u003c")}, display_name: name })
       }).then(function(r) { return r.json(); }).then(function(data) {
         if (data.ok) {
           document.getElementById('profilePrompt').style.display = 'none';
@@ -1523,7 +1524,7 @@ export REGEN_BALANCE_URL=${baseUrl}</pre>
       fetch('/profile/display-name', {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
-        body: JSON.stringify({ session_id: '${sessionId}', display_name: 'My On-Chain Proof' })
+        body: JSON.stringify({ session_id: ${JSON.stringify(sessionId).replace(/</g, "\\u003c")}, display_name: 'My On-Chain Proof' })
       }).catch(function() {});
     }
   </script>
@@ -1956,7 +1957,7 @@ async function handleSubscriptionCreated(db: Database.Database, sub: Stripe.Subs
     let user = email ? getUserByEmail(db, email) : undefined;
     if (!user) {
       user = createUser(db, email, customerId ?? null);
-      console.log(`New user created for subscription: ${user.api_key} (${email})`);
+      console.log(`New user created for subscription: ${user.api_key.slice(0, 12)}... (${email})`);
     }
 
     const priceItem = sub.items?.data?.[0]?.price;