# API Security

## Rate Limiting

HeySummon implements per-IP rate limiting with three tiers:

| Endpoint | Limit | Window |
|---|---|---|
| General pages | 60 req/min | 1 minute |
| API v1 (`/api/v1/*`) | 30 req/min | 1 minute |
| Polling (`GET /api/v1/help/:id`) | 20 req/min | 1 minute |
Exceeded limits return `429 Too Many Requests` with a `Retry-After: 60` header.
Rate limiting is in-memory and resets on server restart. For production, consider replacing with Redis-backed rate limiting.
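The following is an added example, not HeySummon's own code: an in-memory, per-IP, fixed-window limiter that reproduces the three tiers from the table and the 429 response above. The mapping of a request to a tier by method and path (`tierFor`), and the `checkRateLimit`/`rateLimitResponse` names, are assumptions for illustration.

```javascript
// Added example, not HeySummon's code: per-IP fixed-window rate limiting with
// the three tiers from the table. Counters live in a process-local Map, so they
// reset on restart and are not shared between instances (the page's caveat).
const WINDOW_MS = 60 * 1000;

// Requests allowed per window for each tier (values from the page).
const TIERS = {
  general: 60,
  api: 30,
  polling: 20,
};

// Map a request onto a tier. Polling is checked first because it also lives
// under /api/v1/. Route shapes here are assumed; adjust to the real router.
function tierFor(method, pathname) {
  if (method === "GET" && /^\/api\/v1\/help\/[^/]+$/.test(pathname)) return "polling";
  if (pathname.startsWith("/api/v1/")) return "api";
  return "general";
}

// key -> { windowStart, count }
const buckets = new Map();

// Decide whether one request from `ip` may proceed. `now` is injectable so the
// window rollover can be tested without waiting a minute.
function checkRateLimit(ip, method, pathname, now = Date.now()) {
  const tier = tierFor(method, pathname);
  const key = `${tier}:${ip}`;
  let bucket = buckets.get(key);
  if (!bucket || now - bucket.windowStart >= WINDOW_MS) {
    // First request in a new window: start counting from zero.
    bucket = { windowStart: now, count: 0 };
    buckets.set(key, bucket);
  }
  const limit = TIERS[tier];
  if (bucket.count >= limit) {
    // The page documents a fixed Retry-After of 60 seconds.
    return { allowed: false, tier, remaining: 0, retryAfter: 60 };
  }
  bucket.count += 1;
  return { allowed: true, tier, remaining: limit - bucket.count, retryAfter: 0 };
}

// Turn a denied decision into the documented response; null means "proceed".
function rateLimitResponse(decision) {
  if (decision.allowed) return null;
  return {
    status: 429,
    headers: { "Retry-After": String(decision.retryAfter) },
    body: "Too Many Requests",
  };
}

// Handy for tests and for the "resets on restart" behaviour the page describes.
function resetRateLimits() {
  buckets.clear();
}
```

Two things to keep in mind when using something like this: the counters are keyed by whatever you pass as `ip`, so behind a reverse proxy the value must come from the proxy's trusted client-address header rather than the socket peer, or every user shares one bucket; and because a Map in one process is the whole state, the Redis-backed limiter the page suggests is what makes the limit hold across restarts and replicas.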
## CORS

Cross-origin requests are restricted to configured origins:

```ts
const allowedOrigins = [
  process.env.NEXTAUTH_URL || "http://localhost:3000",
  "https://heysummon.ai",
  "https://provider.hitlaas.thomasansems.nl",
];
```

- Allowed methods: `GET`, `POST`, `PUT`, `DELETE`, `OPTIONS`
- Allowed headers: `Content-Type`, `Authorization`, `x-api-key`
- Preflight cache: 86400 seconds (24 hours)
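As an added example, not HeySummon's own middleware, here is an origin allow-list check that emits the headers listed above. It reuses the `allowedOrigins` array from the snippet; the `isAllowedOrigin` and `corsHeaders` functions and the exact-match normalization are assumptions about how the check is done.

```javascript
// Added example, not HeySummon's code: allow-list CORS with exact origin
// matching and the preflight values from the page.
const allowedOrigins = [
  process.env.NEXTAUTH_URL || "http://localhost:3000",
  "https://heysummon.ai",
  "https://provider.hitlaas.thomasansems.nl",
];
const allowedMethods = ["GET", "POST", "PUT", "DELETE", "OPTIONS"];
const allowedHeaders = ["Content-Type", "Authorization", "x-api-key"];
const PREFLIGHT_MAX_AGE = 86400; // seconds, 24 hours

// Reduce an origin to scheme + host (+ non-default port) so the comparison is
// exact. No wildcards, no endsWith/includes: those let a look-alike such as
// "https://heysummon.ai.attacker.example" slip through.
function normalizeOrigin(value) {
  try {
    const u = new URL(value);
    return `${u.protocol}//${u.host}`;
  } catch {
    return null;
  }
}

function isAllowedOrigin(origin) {
  if (typeof origin !== "string") return false;
  const wanted = normalizeOrigin(origin);
  if (wanted === null) return false;
  return allowedOrigins.some((o) => normalizeOrigin(o) === wanted);
}

// Build the CORS response headers for one request. An empty object means the
// origin is not allowed and the browser will block the response. `Vary: Origin`
// stops a shared cache from replaying one origin's headers to another.
function corsHeaders(origin, method, requestedMethod) {
  if (!isAllowedOrigin(origin)) return {};
  const headers = {
    "Access-Control-Allow-Origin": origin,
    "Vary": "Origin",
  };
  if (method === "OPTIONS") {
    // Preflight: refuse if the browser asks for a method outside the list.
    if (requestedMethod && !allowedMethods.includes(requestedMethod)) return {};
    headers["Access-Control-Allow-Methods"] = allowedMethods.join(", ");
    headers["Access-Control-Allow-Headers"] = allowedHeaders.join(", ");
    headers["Access-Control-Max-Age"] = String(PREFLIGHT_MAX_AGE);
  }
  return headers;
}
```

The allow-origin value is echoed only after it matched the list exactly, which is what makes echoing safe; a handler that reflects any `Origin` it receives has effectively no CORS policy.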
## Security Headers

Configured via `next.config.ts`:
- HSTS — Strict-Transport-Security
- X-Frame-Options — DENY (prevents clickjacking)
- Content-Security-Policy — restricts resource loading
- X-Content-Type-Options — nosniff
- Referrer-Policy — origin-when-cross-origin
## Request Size Limit

Maximum request body: 1 MB. Larger requests return `413 Request Entity Too Large`.
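An added example (not HeySummon's own code) of enforcing that limit while the body is being read. The point it adds to the sentence above is that `Content-Length` is client-supplied: a request can declare a small length, or use chunked encoding and declare none, and then keep sending, so the cap must apply to bytes actually received. The `BodyLimiter` class and `readBodyWithLimit` helper are illustrative names.

```javascript
// Added example, not HeySummon's code: a 1 MB body cap applied to received
// bytes, with a fast reject on an honest Content-Length.
const MAX_BODY_BYTES = 1024 * 1024;

class PayloadTooLarge extends Error {
  constructor(received) {
    super("Request Entity Too Large");
    this.status = 413;
    this.received = received; // bytes seen when the cap was crossed
  }
}

// Accumulates chunks and throws as soon as the running total passes the cap,
// so the server never buffers more than `limit` bytes for one request.
class BodyLimiter {
  constructor(limit = MAX_BODY_BYTES) {
    this.limit = limit;
    this.received = 0;
    this.parts = [];
  }

  push(chunk) {
    this.received += chunk.length;
    if (this.received > this.limit) throw new PayloadTooLarge(this.received);
    this.parts.push(Buffer.from(chunk));
  }

  finish() {
    return Buffer.concat(this.parts);
  }
}

// Read an async-iterable stream (a Node IncomingMessage works) under the cap.
// `declaredLength` is the parsed Content-Length, or NaN/undefined if absent.
async function readBodyWithLimit(stream, declaredLength, limit = MAX_BODY_BYTES) {
  if (Number.isFinite(declaredLength) && declaredLength > limit) {
    throw new PayloadTooLarge(declaredLength);
  }
  const limiter = new BodyLimiter(limit);
  for await (const chunk of stream) limiter.push(chunk);
  return limiter.finish();
}

// Map the limiter's error onto the response the page documents.
function toResponse(err) {
  if (err instanceof PayloadTooLarge) {
    return { status: 413, body: "Request Entity Too Large" };
  }
  return { status: 500, body: "Internal Server Error" };
}
```

Rejecting mid-stream means the connection should be closed after the 413 rather than kept alive for the remainder of the oversized body.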
## API Key Validation

- API keys are validated using timing-safe comparison (resistant to timing attacks)
- Keys are hashed before storage
- Keys use the `hs_` prefix for easy identification
## Authentication

### Consumer (API v1)

- API key in request body (`apiKey` field)
- Polling endpoint optionally accepts `x-api-key` header (logs a warning if absent)

### Provider (Dashboard API)

- OAuth session cookie (GitHub or Google)
- Unauthenticated dashboard access redirects to `/auth/login`
- Authenticated users on `/auth/*` redirect to `/dashboard`