From 07bcfede75cd1363fbfe9c711af5b31ee6694256 Mon Sep 17 00:00:00 2001
From: Sam <sam@geyskens.eu>
Date: Sat, 28 Feb 2026 14:47:33 +0100
Subject: [PATCH] Add more security and audit

---
 .env.example             |   4 +
 SECURITY.md              |  89 ++++++++++++++++++++++
 backend/Dockerfile       |  10 ++-
 backend/app.py           | 160 ++++++++++++++++++++++++++++++++-------
 backend/models.py        |   3 +-
 backend/requirements.txt |  20 ++---
 backend/routes/admin.py  |   3 +-
 backend/routes/api.py    |  10 ++-
 backend/routes/auth.py   |  26 ++++++-
 docker-compose.yml       |  14 ++++
 nginx/nginx.conf         | 123 +++++++++++++++++++++++-------
 11 files changed, 386 insertions(+), 76 deletions(-)
 create mode 100644 SECURITY.md

diff --git a/.env.example b/.env.example
index a2e5dd1..5d1740a 100644
--- a/.env.example
+++ b/.env.example
@@ -30,6 +30,10 @@ MICROSOFT_CLIENT_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 # Naam van de scholengroep — verschijnt op de loginpagina
 ORG_NAME=GO! Scholengroep 2
 
+# Redis wachtwoord — beschermt de rate limiter state
+# Genereer met: python3 -c "import secrets; print(secrets.token_hex(24))"
+REDIS_PASSWORD=verander_dit_redis_wachtwoord
+
 # Docker image uit de Gitea registry (wordt ingevuld door CI/CD)
 # Lokaal builden: laat leeg of zet op 'leerdoelen-backend:local'
 BACKEND_IMAGE=gitea.jouwdomein.be/jouw-org/leerdoelen-tracker:latest
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..f5caa34
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,89 @@
+# Security beleid
+
+## Kwetsbaarheden melden
+
+Gevonden een beveiligingsprobleem? Stuur een e-mail naar de systeembeheerder van jouw scholengroep.  
+Voeg zo veel mogelijk detail toe: stappen om te reproduceren, impact, en eventueel een proof-of-concept.
+
+Publiceer kwetsbaarheden **niet** publiek voordat ze zijn opgelost.
+
+---
+
+## Beveiligingsmaatregelen in deze applicatie
+
+### Authenticatie
+- Primaire login via Microsoft Entra ID (Azure AD) — geen wachtwoorden opgeslagen voor gewone gebruikers
+- Superadmin wachtwoord gehasht met **scrypt** (sterk geheugenintensief algoritme)
+- OAuth2 state parameter validatie — beschermt tegen CSRF in OAuth flow
+- `?next=` redirect parameter gevalideerd — beschermt tegen open redirect aanvallen
+- Session cookies: `HttpOnly`, `Secure` (HTTPS), `SameSite=Lax`
+
+### Rate limiting
+| Endpoint | Limiet |
+|----------|--------|
+| Alle `/auth/*` routes | 10 per minuut per IP |
+| Superadmin login | 10/min + 30/uur per IP |
+| API endpoints | 120 per minuut per IP |
+| Doelen upload | 5 per minuut per IP |
+| Setup endpoint | 5 per minuut per IP |
+
+Rate limiting via **Redis** (persistent over meerdere workers).  
+Nginx voegt een extra laag rate limiting toe vóór Flask.
+
+### HTTP Security headers
+Via Flask-Talisman + Nginx:
+- `Content-Security-Policy` — nonce-based, geen unsafe-inline scripts
+- `Strict-Transport-Security` — HSTS 1 jaar, incl. subdomains
+- `X-Frame-Options: DENY` — clickjacking preventie
+- `X-Content-Type-Options: nosniff`
+- `Referrer-Policy: strict-origin-when-cross-origin`
+- `Permissions-Policy` — geen toegang tot camera/microfoon/locatie
+- `form-action: 'self'` — voorkomt form hijacking
+- `base-uri: 'self'` — voorkomt base tag injection
+- `object-src: 'none'` — geen Flash of plugins
+
+### Autorisatie
+- Rolgebaseerde toegangscontrole (superadmin → scholengroep_ict → school_ict → director → teacher)
+- Elke API route heeft expliciete rolauthenticatie decorator
+- School-isolatie: gebruikers kunnen enkel data van hun eigen school zien
+- Auditlog van alle beheerhandelingen
+
+### Database
+- Parameterized queries via SQLAlchemy ORM — geen raw SQL met gebruikersinput
+- Non-root database gebruiker
+- PostgreSQL container niet publiek blootgesteld (intern Docker netwerk)
+
+### Infrastructuur
+- Flask draait als non-root gebruiker (`appuser`) in Docker container
+- Read-only volume mount voor doelen JSON bestanden
+- Redis beveiligd met wachtwoord
+- Backend enkel bereikbaar via `127.0.0.1` (niet publiek)
+- Nginx als reverse proxy met request size limiting en timeouts (Slowloris bescherming)
+
+---
+
+## Dependency updates
+
+Controleer regelmatig op kwetsbaarheden in dependencies:
+
+```bash
+pip install pip-audit
+pip-audit -r backend/requirements.txt
+```
+
+Python base image: pin op specifieke patch versie in `Dockerfile`.  
+Controleer updates op: https://hub.docker.com/_/python
+
+---
+
+## Checklist voor nieuwe deployment
+
+- [ ] `SECRET_KEY` gegenereerd met `python3 -c "import secrets; print(secrets.token_hex(32))"`
+- [ ] `POSTGRES_PASSWORD` sterk en uniek
+- [ ] `REDIS_PASSWORD` ingesteld
+- [ ] `BASE_URL` correct ingesteld op HTTPS URL
+- [ ] SSL/TLS certificaat aanwezig (Let's Encrypt via Certbot)
+- [ ] Microsoft Entra ID app registratie correct geconfigureerd
+- [ ] Superadmin wachtwoord ingesteld via `/auth/setup` (min. 12 tekens)
+- [ ] `/auth/setup` endpoint niet meer toegankelijk na setup (wordt automatisch geblokkeerd)
+- [ ] Firewall: enkel poorten 80 en 443 publiek open
diff --git a/backend/Dockerfile b/backend/Dockerfile
index 230e767..a6ac10a 100644
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -1,4 +1,7 @@
-FROM python:3.12-slim
+# Pin op een specifieke patch versie voor reproduceerbare builds.
+# Controleer regelmatig op https://hub.docker.com/_/python voor updates.
+# Bij elke Python security patch: versienummer hier bijwerken + opnieuw builden.
+FROM python:3.12.9-slim
 
 WORKDIR /app
 
@@ -8,9 +11,10 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     gcc \
     && rm -rf /var/lib/apt/lists/*
 
-# Python dependencies
+# Python dependencies — upgrade pip zelf ook voor security fixes
 COPY requirements.txt .
-RUN pip install --no-cache-dir -r requirements.txt
+RUN pip install --no-cache-dir --upgrade pip && \
+    pip install --no-cache-dir -r requirements.txt
 
 # App code + entrypoint (chmod als root, vóór USER switch)
 COPY . .
diff --git a/backend/app.py b/backend/app.py
index 3138d58..6c4e4aa 100644
--- a/backend/app.py
+++ b/backend/app.py
@@ -1,65 +1,168 @@
 import os
-from flask import Flask
+import logging
+from flask import Flask, jsonify, request
 from flask_sqlalchemy import SQLAlchemy
 from flask_login import LoginManager
 from flask_migrate import Migrate
+from flask_limiter import Limiter
+from flask_limiter.util import get_remote_address
+from flask_talisman import Talisman
 from werkzeug.middleware.proxy_fix import ProxyFix
 
-db = SQLAlchemy()
+logger = logging.getLogger(__name__)
+
+db            = SQLAlchemy()
 login_manager = LoginManager()
-migrate = Migrate()
+migrate       = Migrate()
+limiter       = Limiter(key_func=get_remote_address, default_limits=[])
 
 
 def create_app():
     app = Flask(__name__, template_folder='templates', static_folder='static')
 
-    # Config
-    app.config['SECRET_KEY'] = os.environ['SECRET_KEY']
-    app.config['SQLALCHEMY_DATABASE_URI'] = os.environ['DATABASE_URL']
+    # ── Config ────────────────────────────────────────────────────────────────
+    app.config['SECRET_KEY']                  = os.environ['SECRET_KEY']
+    app.config['SQLALCHEMY_DATABASE_URI']     = os.environ['DATABASE_URL']
     app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
-    app.config['BASE_URL'] = os.environ.get('BASE_URL', 'http://localhost')
-    app.config['ORG_NAME']  = os.environ.get('ORG_NAME', 'GO! Scholengroep')
+    app.config['BASE_URL']                    = os.environ.get('BASE_URL', 'http://localhost')
+    app.config['ORG_NAME']                    = os.environ.get('ORG_NAME', 'GO! Scholengroep')
 
-    # OAuth2 config (voor later)
-    app.config['MICROSOFT_CLIENT_ID'] = os.environ.get('MICROSOFT_CLIENT_ID')
-    app.config['MICROSOFT_CLIENT_SECRET'] = os.environ.get('MICROSOFT_CLIENT_SECRET')
-    app.config['MICROSOFT_TENANT_ID'] = os.environ.get('MICROSOFT_TENANT_ID', 'common')
-    app.config['GOOGLE_CLIENT_ID'] = os.environ.get('GOOGLE_CLIENT_ID')
-    app.config['GOOGLE_CLIENT_SECRET'] = os.environ.get('GOOGLE_CLIENT_SECRET')
+    # OAuth2
+    app.config['MICROSOFT_CLIENT_ID']         = os.environ.get('MICROSOFT_CLIENT_ID')
+    app.config['MICROSOFT_CLIENT_SECRET']     = os.environ.get('MICROSOFT_CLIENT_SECRET')
+    app.config['MICROSOFT_TENANT_ID']         = os.environ.get('MICROSOFT_TENANT_ID', 'common')
 
-    # ProxyFix: Flask zit achter nginx als reverse proxy.
-    # x_for=1, x_proto=1 zorgt dat Flask de echte client IP en https ziet.
+    # Session cookie beveiliging
+    is_https = app.config['BASE_URL'].startswith('https')
+    app.config['SESSION_COOKIE_SECURE']    = is_https
+    app.config['SESSION_COOKIE_HTTPONLY']  = True
+    app.config['SESSION_COOKIE_SAMESITE']  = 'Lax'     # Lax ipv Strict: compatibel met OAuth redirect
+    app.config['REMEMBER_COOKIE_SECURE']   = is_https
+    app.config['REMEMBER_COOKIE_HTTPONLY'] = True
+    app.config['REMEMBER_COOKIE_SAMESITE'] = 'Lax'
+    app.config['REMEMBER_COOKIE_DURATION'] = 86400 * 8  # 8 dagen max (was: onbeperkt)
+
+    # ── Rate limit handler ───────────────────────────────────────────────────
+    def _rate_limit_handler(e):
+        logger.warning(
+            f"Rate limit overschreden: {request.method} {request.path} "
+            f"van {request.remote_addr}"
+        )
+        return jsonify({
+            'error': 'Te veel verzoeken. Probeer later opnieuw.',
+            'retry_after': e.retry_after,
+        }), 429
+
+    # ── ProxyFix (Flask zit achter nginx) ────────────────────────────────────
     app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1, x_proto=1, x_host=1)
 
-    # Extensions
+    # ── Rate limiter ──────────────────────────────────────────────────────────
+    redis_url = os.environ.get('REDIS_URL', '')
+    if not redis_url:
+        logger.warning(
+            "REDIS_URL niet ingesteld — rate limiter gebruikt in-memory storage. "
+            "Dit werkt NIET correct met meerdere gunicorn workers! "
+            "Stel REDIS_URL in voor productie."
+        )
+        redis_url = 'memory://'
+    limiter.init_app(
+        app,
+        storage_uri=redis_url,
+        strategy='fixed-window-elastic-expiry',  # robuuster dan fixed-window
+        on_breach=_rate_limit_handler,
+    )
+
+    # ── Security headers via Talisman ─────────────────────────────────────────
+    # CSP: strikte whitelist — geen inline scripts, geen externe resources buiten cdnjs
+    # CSP: nonce-based voor scripts (Talisman injecteert {{ csp_nonce() }} in templates)
+    # unsafe-inline is uitgeschakeld voor scripts — gebruik {{ csp_nonce() }} in <script> tags
+    csp = {
+        'default-src':  ["'self'"],
+        'script-src':   ["'self'", 'cdnjs.cloudflare.com'],   # nonce wordt auto toegevoegd
+        'style-src':    ["'self'", "'unsafe-inline'"],         # inline styles in templates (aanvaardbaar)
+        'img-src':      ["'self'", 'data:'],
+        'font-src':     ["'self'"],
+        'connect-src':  ["'self'"],
+        'form-action':  ["'self'"],                             # voorkomt form hijacking
+        'base-uri':     ["'self'"],                             # voorkomt base tag injection
+        'frame-ancestors': ["'none'"],                          # clickjacking preventie
+        'object-src':   ["'none'"],                             # geen Flash/plugins
+    }
+    Talisman(
+        app,
+        force_https=is_https,
+        strict_transport_security=is_https,
+        strict_transport_security_max_age=31536000,          # 1 jaar HSTS
+        strict_transport_security_include_subdomains=True,
+        strict_transport_security_preload=False,             # alleen aanvragen als je zeker bent
+        content_security_policy=csp,
+        content_security_policy_nonce_in=['script-src'],     # nonce auto toegevoegd aan script tags
+        x_content_type_options=True,
+        x_frame_options='DENY',
+        referrer_policy='strict-origin-when-cross-origin',
+        feature_policy={                                     # moderne vervanger van Permissions-Policy
+            'geolocation': ''none'',
+            'microphone':  ''none'',
+            'camera':      ''none'',
+        }
+    )
+
+    # ── Extensions ────────────────────────────────────────────────────────────
     db.init_app(app)
     migrate.init_app(app, db)
     login_manager.init_app(app)
-    login_manager.login_view = 'auth.login'
+    login_manager.login_view    = 'auth.login'
     login_manager.login_message = 'Gelieve in te loggen.'
 
-    # Import models (zodat Flask-Migrate ze kent)
-    from models import User, School, SchoolYear, Class, TeacherClass, Assessment
+    # Import models zodat Flask-Migrate ze kent
+    from models import User, School, SchoolYear, Class, TeacherClass, Assessment, AuditLog
 
     @login_manager.user_loader
     def load_user(user_id):
         return User.query.get(int(user_id))
 
-    # Blueprints registreren
-    from routes.auth import auth_bp
-    from routes.api import api_bp
+    @login_manager.unauthorized_handler
+    def unauthorized():
+        if request.is_json or request.path.startswith('/api/') or request.path.startswith('/admin/'):
+            return jsonify({'error': 'Niet ingelogd'}), 401
+        from flask import redirect, url_for
+        return redirect(url_for('auth.login'))
+
+    # ── Globale error handlers ───────────────────────────────────────────────
+    from flask_limiter.errors import RateLimitExceeded
+    @app.errorhandler(RateLimitExceeded)
+    def handle_rate_limit(e):
+        return _rate_limit_handler(e)
+
+    @app.errorhandler(404)
+    def not_found(e):
+        if request.is_json or request.path.startswith(('/api/', '/admin/')):
+            return jsonify({'error': 'Niet gevonden'}), 404
+        from flask import redirect, url_for
+        return redirect(url_for('auth.login'))
+
+    @app.errorhandler(500)
+    def server_error(e):
+        logger.error(f"500 fout: {e}", exc_info=True)
+        if request.is_json or request.path.startswith(('/api/', '/admin/')):
+            return jsonify({'error': 'Serverfout — probeer later opnieuw'}), 500
+        return redirect(url_for('auth.login'))
+
+    # ── Blueprints ────────────────────────────────────────────────────────────
+    from routes.auth  import auth_bp
+    from routes.api   import api_bp
     from routes.admin import admin_bp
     from routes.pages import pages_bp
 
-    app.register_blueprint(auth_bp, url_prefix='/auth')
-    app.register_blueprint(api_bp, url_prefix='/api')
+    app.register_blueprint(auth_bp,  url_prefix='/auth')
+    app.register_blueprint(api_bp,   url_prefix='/api')
     app.register_blueprint(admin_bp, url_prefix='/admin')
     app.register_blueprint(pages_bp)
 
-    # ── Auditlog cleanup (1 jaar bewaren) ─────────────────────────────────────
+    # ── CLI commando's ────────────────────────────────────────────────────────
     @app.cli.command('cleanup-audit')
     def cleanup_audit():
-        """Verwijder auditlog entries ouder dan 1 jaar. Voer uit via cron of handmatig."""
+        """Verwijder auditlog entries ouder dan 1 jaar."""
         from models import AuditLog
         from datetime import datetime, timedelta
         cutoff  = datetime.utcnow() - timedelta(days=365)
@@ -73,4 +176,5 @@ def create_app():
 app = create_app()
 
 if __name__ == '__main__':
-    app.run(debug=True, host='0.0.0.0', port=5000)
+    # Nooit debug=True in productie — gebruik gunicorn via entrypoint.sh
+    app.run(debug=False, host='127.0.0.1', port=5000)
diff --git a/backend/models.py b/backend/models.py
index 29bfdd4..6600c6e 100644
--- a/backend/models.py
+++ b/backend/models.py
@@ -106,7 +106,8 @@ class User(UserMixin, db.Model):
     def is_teacher(self):         return self.role == 'teacher'
 
     def set_password(self, password):
-        self.password_hash = generate_password_hash(password)
+        # scrypt is het sterkste algoritme in werkzeug — veel meer weerstand tegen brute force
+        self.password_hash = generate_password_hash(password, method='scrypt')
 
     def check_password(self, password):
         if not self.password_hash:
diff --git a/backend/requirements.txt b/backend/requirements.txt
index f22efd4..05d31ea 100644
--- a/backend/requirements.txt
+++ b/backend/requirements.txt
@@ -1,12 +1,14 @@
-flask==3.0.3
+flask==3.1.1
 flask-login==0.6.3
 flask-sqlalchemy==3.1.1
-flask-migrate==4.0.7
-flask-cors==4.0.1
-psycopg2-binary==2.9.9
-gunicorn==22.0.0
-python-dotenv==1.0.1
-werkzeug==3.0.3
-sqlalchemy==2.0.31
-authlib==1.3.1        # OAuth2 (Microsoft + Google, later)
+flask-migrate==4.1.0
+flask-limiter==3.9.0        # rate limiting
+flask-talisman==1.1.0       # security headers (CSP, HSTS, X-Frame-Options, ...)
+psycopg2-binary==2.9.10
+gunicorn==23.0.0
+python-dotenv==1.1.0
+werkzeug==3.1.3
+sqlalchemy==2.0.41
+authlib==1.4.1
 requests==2.32.3
+redis==5.2.1                # backend voor flask-limiter in productie
diff --git a/backend/routes/admin.py b/backend/routes/admin.py
index ce3985c..a5a811e 100644
--- a/backend/routes/admin.py
+++ b/backend/routes/admin.py
@@ -303,8 +303,7 @@ def add_scholengroep_ict():
     db.session.add(user)
     db.session.flush()
     audit_log('user.create', 'user', target_type='user', target_id=str(user.id),
-              detail={'email': email, 'role': user.role, 'school_id': school_id},
-              school_id=school_id)
+              detail={'email': email, 'role': user.role})
     db.session.commit()
     return jsonify({'user': user.to_dict()}), 201
 
diff --git a/backend/routes/api.py b/backend/routes/api.py
index 87c6fa8..fb967d7 100644
--- a/backend/routes/api.py
+++ b/backend/routes/api.py
@@ -2,10 +2,10 @@ from datetime import datetime
 from flask import Blueprint, jsonify, request
 from flask_login import login_required, current_user
 from models import User, SchoolYear, Assessment, School, Class, AuditLog
-from app import db
 from services.doelen import load_index, load_vak, is_valid_vak_id
 from services.audit import audit_log
 from functools import wraps
+from app import db, limiter
 
 api_bp = Blueprint('api', __name__)
 
@@ -71,6 +71,7 @@ def get_assessments():
 
 @api_bp.route('/assessments', methods=['POST'])
 @login_required
+@limiter.limit('120 per minute')  # max 2 per seconde per gebruiker
 def save_assessment():
     data    = request.get_json() or {}
     vak_id  = (data.get('vak_id') or '').strip()
@@ -81,6 +82,9 @@ def save_assessment():
         return jsonify({'error': 'vak_id en goal_id zijn verplicht'}), 400
     if status not in ('groen', 'oranje', 'roze', ''):
         return jsonify({'error': 'Ongeldige status — gebruik groen, oranje, roze of leeg'}), 400
+    # Sanitiseer input — voorkomt oversized data in DB
+    if len(vak_id) > 100 or len(goal_id) > 50:
+        return jsonify({'error': 'Ongeldige invoer'}), 400
     if not current_user.school_id:
         return jsonify({'error': 'Account is nog niet gekoppeld aan een school'}), 400
 
@@ -283,8 +287,8 @@ def get_audit_log():
     if not current_user.is_school_ict:
         return jsonify({'error': 'Geen toegang'}), 403
 
-    page      = int(request.args.get('page', 1))
-    per_page  = int(request.args.get('per_page', 50))
+    page      = max(1, int(request.args.get('page', 1)))
+    per_page  = min(100, max(1, int(request.args.get('per_page', 50))))  # max 100 per pagina
     category  = request.args.get('category')
     search    = request.args.get('search', '').strip()
 
diff --git a/backend/routes/auth.py b/backend/routes/auth.py
index 82e429f..9496324 100644
--- a/backend/routes/auth.py
+++ b/backend/routes/auth.py
@@ -15,19 +15,33 @@ import os
 import secrets
 import logging
 from datetime import datetime
-from urllib.parse import urlencode
+from urllib.parse import urlencode, urlparse
 
 import requests
 from services.audit import audit_log
+from app import db, limiter
 from flask import (Blueprint, render_template, request, redirect,
                    url_for, flash, jsonify, session, current_app)
 from flask_login import login_user, logout_user, login_required, current_user
 from models import User, School
-from app import db
 
 logger   = logging.getLogger(__name__)
 auth_bp  = Blueprint('auth', __name__)
 
+
+def _safe_next_url(next_url: str | None) -> str:
+    """Valideer dat de next-redirect intern blijft — voorkomt open redirect aanvallen."""
+    if not next_url:
+        return url_for('pages.dashboard')
+    parsed = urlparse(next_url)
+    # Weiger externe URLs (heeft netloc) of protocol-relative URLs
+    if parsed.netloc or parsed.scheme:
+        return url_for('pages.dashboard')
+    # Zorg dat het pad begint met /
+    if not next_url.startswith('/'):
+        return url_for('pages.dashboard')
+    return next_url
+
 ENTRA_AUTHORITY    = "https://login.microsoftonline.com/common"
 ENTRA_AUTH_URL     = f"{ENTRA_AUTHORITY}/oauth2/v2.0/authorize"
 ENTRA_TOKEN_URL    = f"{ENTRA_AUTHORITY}/oauth2/v2.0/token"
@@ -117,6 +131,7 @@ def logout():
 
 
 @auth_bp.route('/microsoft')
+@limiter.limit('20 per minute')
 def microsoft_login():
     if not _entra_client_id():
         flash('Microsoft login is niet geconfigureerd.', 'error')
@@ -138,6 +153,7 @@ def microsoft_login():
 
 
 @auth_bp.route('/callback')
+@limiter.limit('20 per minute')
 def microsoft_callback():
     error = request.args.get('error')
     if error:
@@ -220,10 +236,11 @@ def microsoft_callback():
     db.session.commit()
 
     logger.info(f"Entra login: {email} (nieuw: {is_new}, school_id: {user.school_id})")
-    return redirect(request.args.get('next') or url_for('pages.dashboard'))
+    return redirect(_safe_next_url(request.args.get('next')))
 
 
 @auth_bp.route('/setup', methods=['GET', 'POST'])
+@limiter.limit('5 per minute')
 def setup():
     admin = User.query.filter_by(role='superadmin').first()
     if admin and admin.password_hash:
@@ -252,7 +269,7 @@ def setup():
                          first_name='Super', last_name='Admin')
             db.session.add(admin)
 
-        admin.set_password(password)
+        admin.set_password(password)  # pbkdf2:sha256 — zie models.py voor hash methode
         db.session.commit()
 
         if request.is_json:
@@ -264,6 +281,7 @@ def setup():
 
 
 @auth_bp.route('/superadmin-login', methods=['POST'])
+@limiter.limit('10 per minute; 30 per hour')
 def superadmin_login():
     """Fallback login ENKEL voor de superadmin — niet voor gewone gebruikers."""
     if current_user.is_authenticated:
diff --git a/docker-compose.yml b/docker-compose.yml
index 4a75a33..aad78fd 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -18,6 +18,17 @@ services:
       timeout: 5s
       retries: 5
 
+  redis:
+    image: redis:7-alpine
+    container_name: leerdoelen_redis
+    restart: unless-stopped
+    command: redis-server --save "" --appendonly no --maxmemory 64mb --maxmemory-policy allkeys-lru --requirepass ${REDIS_PASSWORD:-changeme_redis}
+    healthcheck:
+      test: ["CMD", "redis-cli", "-a", "${REDIS_PASSWORD:-changeme_redis}", "ping"]
+      interval: 10s
+      timeout: 3s
+      retries: 3
+
   backend:
     # In productie: image uit de Gitea registry (gezet door CI/CD pipeline)
     # Lokaal ontwikkelen: verander naar 'build: ./backend'
@@ -40,6 +51,7 @@ services:
       GOOGLE_CLIENT_SECRET: ${GOOGLE_CLIENT_SECRET:-}
       BASE_URL: ${BASE_URL:-http://localhost}
       ORG_NAME: ${ORG_NAME:-GO! Scholengroep}
+      REDIS_URL: redis://:${REDIS_PASSWORD:-changeme_redis}@redis:6379/0
     volumes:
       - ./doelen:/app/doelen:ro   # JSON doelen bestanden (read-only)
     ports:
@@ -47,6 +59,8 @@ services:
     depends_on:
       db:
         condition: service_healthy
+      redis:
+        condition: service_healthy
 
   # Nginx container verwijderd — SSL offloading gebeurt door de host nginx.
   # Flask is bereikbaar op 127.0.0.1:${APP_PORT} van de host.
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 17fd5e7..c914eeb 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -8,56 +8,127 @@ http {
 
     # Logging
     access_log /var/log/nginx/access.log;
-    error_log  /var/log/nginx/error.log;
+    error_log  /var/log/nginx/error.log warn;
+
+    # Verberg nginx versie
+    server_tokens off;
 
     # Gzip
     gzip on;
     gzip_types text/plain text/css application/json application/javascript text/xml application/xml;
+    gzip_min_length 1000;
 
-    # Rate limiting
-    limit_req_zone $binary_remote_addr zone=login:10m rate=10r/m;
-    limit_req_zone $binary_remote_addr zone=api:10m   rate=60r/m;
+    # ── Rate limiting zones ────────────────────────────────────────────────────
+    # Auth endpoints: login, OAuth flow, superadmin — streng
+    limit_req_zone $binary_remote_addr zone=auth:10m    rate=10r/m;
+    # API endpoints — soepeler voor normale interactie
+    limit_req_zone $binary_remote_addr zone=api:10m     rate=120r/m;
+    # Upload endpoint — apart beperkt
+    limit_req_zone $binary_remote_addr zone=upload:10m  rate=5r/m;
+    # Algemeen — vangt alles op wat niet specifiek gelimiteerd is
+    limit_req_zone $binary_remote_addr zone=general:10m rate=60r/m;
+
+    # Geef 429 terug bij rate limit (ipv standaard 503)
+    limit_req_status 429;
 
     upstream flask {
         server backend:5000;
+        keepalive 32;
     }
 
     server {
         listen 80;
         server_name _;
 
-        # Security headers
-        add_header X-Frame-Options       "SAMEORIGIN"   always;
-        add_header X-Content-Type-Options "nosniff"      always;
-        add_header X-XSS-Protection      "1; mode=block" always;
+        # ── Security headers ───────────────────────────────────────────────────
+        # Talisman (Flask) voegt HSTS en CSP toe — nginx vult aan met de rest
+        add_header X-Frame-Options        "DENY"            always;
+        add_header X-Content-Type-Options "nosniff"         always;
+        add_header X-XSS-Protection       "1; mode=block"   always;
+        add_header Referrer-Policy        "strict-origin-when-cross-origin" always;
+        add_header Permissions-Policy     "geolocation=(), microphone=(), camera=()" always;
 
+        # Maximale upload grootte (voor doelen JSON bestanden)
         client_max_body_size 10M;
 
-        # Rate limiting op login
-        location /auth/login {
-            limit_req zone=login burst=5 nodelay;
-            proxy_pass         http://flask;
-            proxy_set_header   Host $host;
-            proxy_set_header   X-Real-IP $remote_addr;
-            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+        # Timeouts — voorkomt Slowloris aanvallen
+        client_body_timeout   12s;
+        client_header_timeout 12s;
+        send_timeout          10s;
+        keepalive_timeout     65s;
+
+        # ── Auth endpoints — strenge rate limiting ─────────────────────────────
+        # Dekt login, OAuth start, OAuth callback en superadmin login
+        location ~ ^/auth/ {
+            limit_req zone=auth burst=8 nodelay;
+            limit_req_log_level warn;
+
+            proxy_pass             http://flask;
+            proxy_set_header Host              $host;
+            proxy_set_header X-Real-IP         $remote_addr;
+            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_http_version 1.1;
+            proxy_set_header Connection "";
         }
 
-        # Rate limiting op API
+        # ── Upload endpoint — extra streng ─────────────────────────────────────
+        location /admin/doelen/upload {
+            limit_req zone=upload burst=2 nodelay;
+
+            client_max_body_size 50M;  # grotere bestanden toegestaan hier
+            proxy_pass             http://flask;
+            proxy_set_header Host              $host;
+            proxy_set_header X-Real-IP         $remote_addr;
+            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_read_timeout 120s;
+        }
+
+        # ── API endpoints ──────────────────────────────────────────────────────
         location /api/ {
-            limit_req zone=api burst=20 nodelay;
-            proxy_pass         http://flask;
-            proxy_set_header   Host $host;
-            proxy_set_header   X-Real-IP $remote_addr;
-            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+            limit_req zone=api burst=30 nodelay;
+
+            proxy_pass             http://flask;
+            proxy_set_header Host              $host;
+            proxy_set_header X-Real-IP         $remote_addr;
+            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_http_version 1.1;
+            proxy_set_header Connection "";
         }
 
-        # Alle andere requests
+        # ── Admin endpoints ────────────────────────────────────────────────────
+        location /admin/ {
+            limit_req zone=general burst=20 nodelay;
+
+            proxy_pass             http://flask;
+            proxy_set_header Host              $host;
+            proxy_set_header X-Real-IP         $remote_addr;
+            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_http_version 1.1;
+            proxy_set_header Connection "";
+        }
+
+        # ── Alle andere requests ───────────────────────────────────────────────
         location / {
-            proxy_pass         http://flask;
-            proxy_set_header   Host $host;
-            proxy_set_header   X-Real-IP $remote_addr;
-            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+            limit_req zone=general burst=20 nodelay;
+
+            proxy_pass             http://flask;
+            proxy_set_header Host              $host;
+            proxy_set_header X-Real-IP         $remote_addr;
+            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_http_version 1.1;
+            proxy_set_header Connection "";
             proxy_read_timeout 60s;
         }
+
+        # ── Blokkeer toegang tot verborgen bestanden (.git, .env, ...) ─────────
+        location ~ /\. {
+            deny all;
+            return 404;
+        }
     }
 }