Skip to main content

API Security

Security Headers (Helmet)

X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Content-Security-Policy configured

CORS

Allowed origins:

statux.io
statuspage.statux.io
alerts.statux.io
synthetics.statux.io
localhost (development)

Rate Limiting

100 requests per 60 seconds (default)
Applied globally via NestJS Throttler

Input Validation

Global ValidationPipe with whitelist: true
Unknown properties stripped
DTOs enforce structure

Security Headers (Helmet)
CORS
Rate Limiting
Input Validation