Sessions & Security

Tracera uses Redis-backed server-side sessions with comprehensive security middleware.

Session Management

Sessions are managed by SCS (alexedwards/scs) with a Redis store.

Session Lifecycle

Event	Behavior
Login	New session created, user ID stored, secure cookie set
Request	Session loaded from Redis via cookie, user context injected
Logout	Session destroyed in Redis, cookie cleared
Expiry	Sessions automatically expire after the configured lifetime

Configuration

Variable	Default	Description
`SESSION_SECRET`	(required)	Signing key for session cookies. Minimum 32 bytes.
`SESSION_LIFETIME_HOURS`	`72`	Session duration in hours
`SESSION_COOKIE_SECURE`	Auto-detected	Set `true` for HTTPS. Auto-derived from `BASE_URL` scheme.

Generate a session secret:

openssl rand -base64 32

Attribute	Value
`HttpOnly`	`true` — not accessible via JavaScript
`SameSite`	`Lax` — CSRF protection for top-level navigations
`Secure`	`true` when `BASE_URL` uses HTTPS
`Path`	`/`

Security Middleware

RequireAuth

Protects endpoints that require an authenticated user. Returns 401 Unauthorized if no valid session exists. Applied to:

POST /api/v1/auth/logout
GET /api/v1/auth/providers
GET /api/v1/auth/steam (account linking)
GET /api/v1/portfolio
POST /api/v1/portfolio/import

CSRF Protection

State-changing endpoints require a CSRF token:

Client fetches token via GET /api/v1/auth/csrf
Token is included in X-CSRF-Token header on POST requests
Backend validates token matches the session

Rate Limiting

Authentication endpoints are rate-limited to 20 requests per minute per IP address. This prevents:

Brute-force login attempts
Magic link request flooding
OAuth callback abuse

Security Headers

Every response includes:

Header	Value	Purpose
`X-Content-Type-Options`	`nosniff`	Prevent MIME sniffing
`X-Frame-Options`	`DENY`	Prevent clickjacking
`Referrer-Policy`	`strict-origin-when-cross-origin`	Control referrer leakage
`X-XSS-Protection`	`1; mode=block`	XSS filtering

The Next.js frontend adds additional security headers including Content Security Policy (CSP) and Strict-Transport-Security (HSTS).

Getting Started

Authentication

Database

Frontend

Configuration

Deployment

Development

Vision

Sessions & Security

Sessions & Security

Session Management

Session Lifecycle

Configuration

Security Middleware

RequireAuth

CSRF Protection

Rate Limiting

Security Headers

Getting Started

Authentication

Database

Frontend

Configuration

Deployment

Development

Vision

​Sessions & Security

​Session Management

​Session Lifecycle

​Configuration

​Cookie Attributes

​Security Middleware

​RequireAuth

​CSRF Protection

​Rate Limiting

​Security Headers

Sessions & Security

Session Management

Session Lifecycle

Configuration

Cookie Attributes

Security Middleware

RequireAuth

CSRF Protection

Rate Limiting

Security Headers