more secure token handling

backend/server.js

@@ -27,7 +27,21 @@ const PayoutProcessor = require("./jobs/payoutProcessor");
 
 const app = express();
 
-// Security headers
+// Import security middleware
+const {
+  enforceHTTPS,
+  securityHeaders,
+  addRequestId,
+  sanitizeError,
+} = require("./middleware/security");
+const { generalLimiter } = require("./middleware/rateLimiter");
+
+// Apply security middleware
+app.use(enforceHTTPS);
+app.use(addRequestId);
+app.use(securityHeaders);
+
+// Security headers with Helmet
 app.use(
   helmet({
     contentSecurityPolicy: {
@@ -38,7 +52,7 @@ app.use(
         scriptSrc: ["'self'", "https://accounts.google.com"],
         imgSrc: ["'self'"],
         connectSrc: ["'self'"],
-        frameSrc: ["'self'"],
+        frameSrc: ["'self'", "https://accounts.google.com"],
       },
     },
   })
@@ -47,6 +61,9 @@ app.use(
 // Cookie parser for CSRF
 app.use(cookieParser);
 
+// General rate limiting for all routes
+app.use("/api/", generalLimiter);
+
 // CORS with security settings
 app.use(
   cors({
@@ -93,6 +110,9 @@ app.get("/", (req, res) => {
   res.json({ message: "CommunityRentals.App API is running!" });
 });
 
+// Error handling middleware (must be last)
+app.use(sanitizeError);
+
 const PORT = process.env.PORT || 5000;
 
 sequelize