API Security Hardening
by @pitchinnate · 🔐 Security · 19d ago · 36 views
REST API security checklist. Authentication, authorisation, rate limiting, input validation, and logging requirements.
# CLAUDE.md — API Security Hardening

## Authentication

- JWT: HS256 minimum, RS256 preferred for distributed systems
- Token expiry: access tokens 15 min, refresh tokens 7 days
- Refresh token rotation on every use (detect reuse attacks)
- Store refresh tokens in HttpOnly cookies, not localStorage

## Authorisation

- Principle of least privilege: every endpoint checks the minimum required permission
- Role checks are server-side — never trust client-provided roles
- Resource ownership checked before every mutation: `WHERE id = ? AND user_id = ?`
- Audit log for all admin actions

## Rate Limiting

- Authentication endpoints: 5 requests / minute / IP
- General API: 100 requests / minute / authenticated user
- Public endpoints: 20 requests / minute / IP
- Return `Retry-After` header with 429 responses

## Input Validation

- Validate before processing — reject at the boundary
- Allowlist validation (specific format) over blocklist (known bad)
- File uploads: validate MIME type, extension, and file magic bytes
- JSON: reject unknown fields (`DisallowUnknownFields` in Go)

## Security Headers

```
Content-Security-Policy: default-src 'self'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), camera=()
```
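The "refresh token rotation on every use (detect reuse attacks)" item under Authentication, as an added Go example that is not code from the page or its author: every token descended from one login shares a family, each redemption consumes the token and issues a successor, and presenting an already-consumed token revokes the whole family so a stolen-and-replayed token cannot be silently used alongside the legitimate one. `Store`, `Issue`, `Rotate` and `randomID` are hypothetical names, the in-memory maps stand in for a database table, and the 7-day expiry check from the checklist is left out to keep the block short.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
)
var ErrReuse = errors.New("refresh token reuse detected; family revoked")

// Store is an in-memory stand-in for a real service's refresh-token table.
// Expiry (7 days per the checklist) is omitted here to keep the example short.
type Store struct {
	family   map[string]string // token -> family; every token descended from one login shares it
	consumed map[string]bool   // tokens that have already been redeemed once
	revoked  map[string]bool   // families killed once a replay was seen
}

func NewStore() *Store {
	return &Store{map[string]string{}, map[string]bool{}, map[string]bool{}}
}

func randomID() string { // 256 bits from crypto/rand, never math/rand
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Issue mints a token in the given family; at login pass a fresh randomID() to start one.
func (s *Store) Issue(family string) string {
	tok := randomID()
	s.family[tok] = family
	return tok
}

// Rotate consumes tok and returns its successor. A token that was already consumed
// has been replayed (by the client or an attacker), so its whole family is revoked.
func (s *Store) Rotate(tok string) (string, error) {
	fam, ok := s.family[tok]
	if !ok {
		return "", errors.New("unknown refresh token")
	}
	if s.consumed[tok] || s.revoked[fam] {
		s.revoked[fam] = true
		return "", ErrReuse
	}
	s.consumed[tok] = true
	return s.Issue(fam), nil
}
```

Once a family is revoked the user must log in again; the unknown-token path deliberately touches no family, so a guessed value cannot be used to lock out a legitimate session.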
submitted March 15, 2026