diff --git a/.env.example b/.env.example
index 759ae13..1a0d502 100644
--- a/.env.example
+++ b/.env.example
@@ -6,6 +6,15 @@ LOG_LEVEL=info
 # Required in production. Generate with: openssl rand -hex 32
 COOKIE_SECRET=your_cookie_secret_here
 
+# Set to 1 (or a specific IP/CIDR) when running behind a reverse proxy
+# (Nginx, Caddy, Traefik) so Express trusts X-Forwarded-For/Proto.
+# Leave unset if sofarr is exposed directly.
+# TRUST_PROXY=1
+
+# Directory for persistent data (SQLite token store + logs)
+# Defaults to ./data relative to project root
+# DATA_DIR=/app/data
+
 # Background polling interval in ms (default: 5000)
 # Set to 0 or "off" to disable and fetch on-demand instead
 # POLL_INTERVAL=5000
diff --git a/.env.sample b/.env.sample
index ec72b95..4618eea 100644
--- a/.env.sample
+++ b/.env.sample
@@ -19,6 +19,21 @@ LOG_LEVEL=info
 # Generate with: openssl rand -hex 32
 COOKIE_SECRET=your-cookie-secret-here
 
+# =============================================================================
+# REVERSE PROXY & DEPLOYMENT
+# =============================================================================
+
+# Set to 1 when running behind a reverse proxy (Nginx, Caddy, Traefik).
+# This makes Express trust X-Forwarded-For and X-Forwarded-Proto so that
+# req.ip reflects the real client IP and cookies are marked secure correctly.
+# Leave unset if sofarr is exposed directly to the internet.
+# TRUST_PROXY=1
+
+# Directory for persistent data (SQLite token store, server logs).
+# Must be writable by the process user (UID 1000 in the container).
+# Defaults to ./data relative to the project root.
+# DATA_DIR=/app/data
+
 # Background polling interval in milliseconds (default: 5000)
 # sofarr polls all services in the background and caches results so
 # dashboard requests are near-instant.
diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index d3c7579..be7202b 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -8,7 +8,7 @@ on:
 
 jobs:
   audit:
-    name: npm audit
+    name: Security audit
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -16,11 +16,15 @@ jobs:
       - name: Set up Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: "18"
+          node-version: "22"
           cache: "npm"
 
       - name: Install dependencies
         run: npm ci
 
-      - name: Run security audit
-        run: npm audit --audit-level=moderate
+      - name: Run security audit (fail on high+)
+        run: npm audit --audit-level=high
+
+      - name: Check for critical vulnerabilities
+        run: npm audit --audit-level=critical --json | jq -e '.metadata.vulnerabilities.critical == 0' || (echo "Critical vulnerabilities found!" && exit 1)
+        continue-on-error: false
diff --git a/.gitignore b/.gitignore
index 606e68a..23fe371 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,7 @@ build/
 .DS_Store
 *.log
 **/*.log
+data/
+*.db
+*.db-wal
+*.db-shm
diff --git a/Dockerfile b/Dockerfile
index 87f7a89..e5acf2d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,18 @@
-FROM node:18-alpine
+# ---------------------------------------------------------------------------
+# Stage 1 — deps: install production dependencies only
+# ---------------------------------------------------------------------------
+FROM node:22-alpine AS deps
+
+WORKDIR /app
+
+# Copy manifests and install production deps only (no devDependencies)
+COPY package.json package-lock.json ./
+RUN npm ci --omit=dev --ignore-scripts
+
+# ---------------------------------------------------------------------------
+# Stage 2 — runtime image (minimal attack surface)
+# ---------------------------------------------------------------------------
+FROM node:22-alpine AS runtime
 
 LABEL org.opencontainers.image.title="sofarr"
 LABEL org.opencontainers.image.description="Personal media download dashboard for *arr services"
@@ -9,18 +23,31 @@ LABEL org.opencontainers.image.vendor="Gordon Bolton"
 LABEL org.opencontainers.image.licenses="MIT"
 LABEL custom.hardware.requirement="None - runs on any Docker-supported platform including ARM and x86_64"
 
+# Use the built-in non-root 'node' user (UID 1000) from the official image
+# The /app directory is owned by root; data directory is owned by node
 WORKDIR /app
 
-# Copy package files and install dependencies
-COPY package.json package-lock.json ./
-RUN npm ci --omit=dev
+# Copy production deps from deps stage
+COPY --from=deps /app/node_modules ./node_modules
 
-# Copy application source
-COPY server/ ./server/
-COPY public/ ./public/
+# Copy application source owned by root (read-only at runtime)
+COPY --chown=root:root server/ ./server/
+COPY --chown=root:root public/ ./public/
+COPY --chown=root:root package.json ./
+
+# Persistent data directory owned by node user (SQLite token store, logs)
+RUN mkdir -p /app/data && chown node:node /app/data
+
+ENV NODE_ENV=production
+ENV DATA_DIR=/app/data
+
+# Drop to non-root user for all subsequent operations
+USER node
 
 EXPOSE 3001
 
-ENV NODE_ENV=production
+# HEALTHCHECK — Docker will restart the container if this fails 3 times
+HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
+  CMD wget -qO- http://localhost:3001/health || exit 1
 
 CMD ["node", "server/index.js"]
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..406188f
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,148 @@
+# Security Policy & Hardening Guide
+
+## Supported Versions
+
+| Version | Supported |
+|---------|-----------|
+| 0.2.x   | ✅ Yes    |
+| 0.1.x   | ❌ No     |
+
+## Reporting a Vulnerability
+
+Please **do not** open a public issue for security vulnerabilities.
+Email: gordon@i3omb.com — expect acknowledgement within 48 hours.
+
+---
+
+## Threat Model
+
+sofarr is a personal dashboard intended for a small trusted group (household/team).
+It proxies requests to *arr stack services using stored API keys and authenticates
+users via Emby. The primary threat surface when exposed to the public internet:
+
+| Threat | Mitigations |
+|--------|-------------|
+| Credential brute-force | Rate limiting (10 fails/15 min per IP), account lockout window |
+| Session hijacking | HMAC-signed cookies, `httpOnly`, `secure`, `sameSite=strict`, short TTL |
+| CSRF | Double-submit cookie pattern (`X-CSRF-Token` header required on all mutations) |
+| API key leakage via errors | `sanitizeError()` redacts keys/tokens from all error responses and logs |
+| Token theft after logout | Server-side token store; Emby token revoked on logout |
+| XSS → token theft | `httpOnly` cookies; CSP with per-request nonce blocks inline injection |
+| Clickjacking | `X-Frame-Options: DENY` + CSP `frame-ancestors 'none'` |
+| Info disclosure via headers | Helmet v7 removes `X-Powered-By`, sets `noSniff`, `xssFilter`, etc. |
+| Privilege escalation (container) | Non-root user (UID 1000), `no-new-privileges`, all caps dropped |
+| Unbounded log growth | Size-based rotation: 10 MB cap, 3 rotated files kept |
+| Dependency vulnerabilities | `npm audit --audit-level=high` in CI on every push |
+
+---
+
+## Production Deployment Checklist
+
+### Required
+
+- [ ] `COOKIE_SECRET` set to a random 32-byte hex string (`openssl rand -hex 32`)
+- [ ] `NODE_ENV=production`
+- [ ] `TRUST_PROXY=1` set if behind a reverse proxy
+- [ ] sofarr bound to `127.0.0.1` only (not `0.0.0.0`) — expose via proxy
+- [ ] HTTPS enforced by the reverse proxy with a valid certificate
+- [ ] Firewall rules: only 443/80 open externally; 3001 not directly exposed
+
+### Recommended
+
+- [ ] Reverse proxy: Nginx, Caddy, or Traefik with TLS termination
+- [ ] Set `Strict-Transport-Security` at proxy level (sofarr also sends HSTS)
+- [ ] `DATA_DIR` on a named Docker volume (not bind-mounted to sensitive host path)
+- [ ] Rotate `COOKIE_SECRET` periodically (causes all users to re-login)
+- [ ] Enable Docker's `--read-only` flag (already in `docker-compose.yaml`)
+- [ ] Monitor `/health` endpoint with an uptime checker
+
+### Docker Secrets (alternative to env vars)
+
+For production environments that support Docker secrets, you can mount secret
+files and reference them:
+
+```yaml
+secrets:
+  cookie_secret:
+    file: ./secrets/cookie_secret.txt
+  emby_api_key:
+    file: ./secrets/emby_api_key.txt
+
+services:
+  sofarr:
+    secrets:
+      - cookie_secret
+      - emby_api_key
+    environment:
+      - COOKIE_SECRET_FILE=/run/secrets/cookie_secret
+      - EMBY_API_KEY_FILE=/run/secrets/emby_api_key
+```
+
+> Note: File-based secret loading requires application code support.
+> Currently sofarr reads secrets from environment variables only.
+> Mounting secrets as env vars (via `environment:` in compose) is the
+> current supported approach.
+
+---
+
+## Reverse Proxy Example (Caddy)
+
+```caddy
+sofarr.example.com {
+    reverse_proxy localhost:3001
+    header {
+        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+        X-Robots-Tag "noindex, nofollow"
+    }
+}
+```
+
+## Reverse Proxy Example (Nginx)
+
+```nginx
+server {
+    listen 443 ssl;
+    server_name sofarr.example.com;
+
+    ssl_certificate     /etc/letsencrypt/live/sofarr.example.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/sofarr.example.com/privkey.pem;
+
+    location / {
+        proxy_pass http://127.0.0.1:3001;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
+```
+
+---
+
+## Security Headers (emitted by sofarr)
+
+| Header | Value |
+|--------|-------|
+| `Content-Security-Policy` | `default-src 'self'; script-src 'self' 'nonce-…'; style-src 'self' 'nonce-…'; img-src 'self' data: blob:; object-src 'none'; frame-ancestors 'none'` |
+| `Strict-Transport-Security` | `max-age=31536000; includeSubDomains; preload` (production only) |
+| `X-Content-Type-Options` | `nosniff` |
+| `X-Frame-Options` | `DENY` |
+| `Referrer-Policy` | `strict-origin-when-cross-origin` |
+| `Permissions-Policy` | `camera=(), microphone=(), geolocation=(), payment=(), usb=()` |
+
+---
+
+## Rate Limits
+
+| Endpoint | Limit |
+|----------|-------|
+| `POST /api/auth/login` | 10 failed attempts per 15 min per IP |
+| All `/api/*` routes | 300 requests per 15 min per IP |
+
+---
+
+## Supply Chain
+
+- All dependencies pinned to minor version ranges in `package.json`
+- `npm audit --audit-level=high` runs in CI on every push and pull request
+- `npm audit fix` should be run when vulnerabilities are reported
diff --git a/docker-compose.yaml b/docker-compose.yaml
index f352256..145b885 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -1,17 +1,45 @@
-version: "3"
 services:
   sofarr:
     image: docker.i3omb.com/sofarr:latest
     container_name: sofarr
     restart: unless-stopped
     ports:
-      - "3001:3001"
+      - "127.0.0.1:3001:3001"   # bind to loopback only — expose via reverse proxy
     environment:
       - PORT=3001
+      - NODE_ENV=production
+      - LOG_LEVEL=info
+      # Set to 1 when running behind a reverse proxy (Nginx, Caddy, Traefik)
+      # so Express trusts X-Forwarded-For and X-Forwarded-Proto headers.
+      - TRUST_PROXY=1
+      # --- Replace placeholders with real values or use Docker secrets ---
+      - COOKIE_SECRET=change-me-generate-with-openssl-rand-hex-32
       - EMBY_URL=https://emby.example.com
       - EMBY_API_KEY=your-emby-api-key
       - SONARR_INSTANCES=[{"name":"main","url":"https://sonarr.example.com","apiKey":"your-sonarr-api-key"}]
       - RADARR_INSTANCES=[{"name":"main","url":"https://radarr.example.com","apiKey":"your-radarr-api-key"}]
       - SABNZBD_INSTANCES=[{"name":"main","url":"https://sabnzbd.example.com","apiKey":"your-sabnzbd-api-key"}]
       - QBITTORRENT_INSTANCES=[{"name":"main","url":"https://qbittorrent.example.com","username":"admin","password":"your-password"}]
-      - LOG_LEVEL=info
+    volumes:
+      # Persistent volume for SQLite token store and log file
+      - sofarr-data:/app/data
+    # Run as the built-in non-root 'node' user (UID/GID 1000)
+    user: "1000:1000"
+    # Read-only root filesystem; only the data volume is writable
+    read_only: true
+    tmpfs:
+      - /tmp                    # Node.js needs a writable /tmp
+    security_opt:
+      - no-new-privileges:true  # prevent privilege escalation via setuid binaries
+    cap_drop:
+      - ALL                     # drop all Linux capabilities
+    cap_add: []                 # add back none — Node.js needs no special caps
+    healthcheck:
+      test: ["CMD", "wget", "-qO-", "http://localhost:3001/health"]
+      interval: 30s
+      timeout: 5s
+      retries: 3
+      start_period: 10s
+
+volumes:
+  sofarr-data:
diff --git a/package-lock.json b/package-lock.json
index 63b366e..972df66 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,21 +1,21 @@
 {
   "name": "sofarr",
-  "version": "0.1.4",
+  "version": "0.1.5",
   "lockfileVersion": 2,
   "requires": true,
   "packages": {
     "": {
       "name": "sofarr",
-      "version": "0.1.4",
+      "version": "0.1.5",
       "license": "MIT",
       "dependencies": {
         "axios": "^1.6.0",
+        "better-sqlite3": "^9.6.0",
         "cookie-parser": "^1.4.6",
-        "cors": "^2.8.5",
         "dotenv": "^16.3.1",
         "express": "^4.18.2",
-        "express-rate-limit": "^6.7.0",
-        "helmet": "^4.6.0"
+        "express-rate-limit": "^7.5.1",
+        "helmet": "^7.2.0"
       },
       "devDependencies": {
         "concurrently": "^7.6.0",
@@ -142,6 +142,35 @@
         "node": "18 || 20 || >=22"
       }
     },
+    "node_modules/base64-js": {
+      "version": "1.5.1",
+      "resolved": "https://registry.npmjs.org/base64-js/-/base64-js-1.5.1.tgz",
+      "integrity": "sha512-AKpaYlHn8t4SVbOHCy+b5+KKgvR4vrsD8vbvrbiQJps7fKDTkjkDry6ji0rUJjC0kzbNePLwzxq8iypo41qeWA==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/feross"
+        },
+        {
+          "type": "patreon",
+          "url": "https://www.patreon.com/feross"
+        },
+        {
+          "type": "consulting",
+          "url": "https://feross.org/support"
+        }
+      ]
+    },
+    "node_modules/better-sqlite3": {
+      "version": "9.6.0",
+      "resolved": "https://registry.npmjs.org/better-sqlite3/-/better-sqlite3-9.6.0.tgz",
+      "integrity": "sha512-yR5HATnqeYNVnkaUTf4bOP2dJSnyhP4puJN/QPRyx4YkBEEUxib422n2XzPqDEHjQQqazoYoADdAm5vE15+dAQ==",
+      "hasInstallScript": true,
+      "dependencies": {
+        "bindings": "^1.5.0",
+        "prebuild-install": "^7.1.1"
+      }
+    },
     "node_modules/binary-extensions": {
       "version": "2.3.0",
       "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-2.3.0.tgz",
@@ -154,6 +183,24 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
+    "node_modules/bindings": {
+      "version": "1.5.0",
+      "resolved": "https://registry.npmjs.org/bindings/-/bindings-1.5.0.tgz",
+      "integrity": "sha512-p2q/t/mhvuOj/UeLlV6566GD/guowlr0hHxClI0W9m7MWYkL1F0hLo+0Aexs9HSPCtR1SXQ0TD3MMKrXZajbiQ==",
+      "dependencies": {
+        "file-uri-to-path": "1.0.0"
+      }
+    },
+    "node_modules/bl": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/bl/-/bl-4.1.0.tgz",
+      "integrity": "sha512-1W07cM9gS6DcLperZfFSj+bWLtaPGSOHWhPiGzXmvVJbRLdG82sH/Kn8EtW1VqWVA54AKf2h5k5BbnIbwF3h6w==",
+      "dependencies": {
+        "buffer": "^5.5.0",
+        "inherits": "^2.0.4",
+        "readable-stream": "^3.4.0"
+      }
+    },
     "node_modules/body-parser": {
       "version": "1.20.5",
       "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.5.tgz",
@@ -201,6 +248,29 @@
         "node": ">=8"
       }
     },
+    "node_modules/buffer": {
+      "version": "5.7.1",
+      "resolved": "https://registry.npmjs.org/buffer/-/buffer-5.7.1.tgz",
+      "integrity": "sha512-EHcyIPBQ4BSGlvjB16k5KgAJ27CIsHY/2JBmCRReo48y9rQ3MaUzWX3KVlBa4U7MyX02HdVj0K7C3WaB3ju7FQ==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/feross"
+        },
+        {
+          "type": "patreon",
+          "url": "https://www.patreon.com/feross"
+        },
+        {
+          "type": "consulting",
+          "url": "https://feross.org/support"
+        }
+      ],
+      "dependencies": {
+        "base64-js": "^1.3.1",
+        "ieee754": "^1.1.13"
+      }
+    },
     "node_modules/bytes": {
       "version": "3.1.2",
       "resolved": "https://registry.npmjs.org/bytes/-/bytes-3.1.2.tgz",
@@ -288,6 +358,11 @@
         "fsevents": "~2.3.2"
       }
     },
+    "node_modules/chownr": {
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/chownr/-/chownr-1.1.4.tgz",
+      "integrity": "sha512-jJ0bqzaylmJtVnNgzTeSOs8DPavpbYgEr/b0YL8/2GO3xJEhInFmhKMUnEJQjZumK7KXGFhUy89PrsJWlakBVg=="
+    },
     "node_modules/cliui": {
       "version": "8.0.1",
       "resolved": "https://registry.npmjs.org/cliui/-/cliui-8.0.1.tgz",
@@ -407,22 +482,6 @@
       "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.7.tgz",
       "integrity": "sha512-NXdYc3dLr47pBkpUCHtKSwIOQXLVn8dZEuywboCOJY/osA0wFSLlSawr3KN8qXJEyX66FcONTH8EIlVuK0yyFA=="
     },
-    "node_modules/cors": {
-      "version": "2.8.6",
-      "resolved": "https://registry.npmjs.org/cors/-/cors-2.8.6.tgz",
-      "integrity": "sha512-tJtZBBHA6vjIAaF6EnIaq6laBBP9aq/Y3ouVJjEfoHbRBcHBAHYcMh/w8LDrk2PvIMMq8gmopa5D4V8RmbrxGw==",
-      "dependencies": {
-        "object-assign": "^4",
-        "vary": "^1"
-      },
-      "engines": {
-        "node": ">= 0.10"
-      },
-      "funding": {
-        "type": "opencollective",
-        "url": "https://opencollective.com/express"
-      }
-    },
     "node_modules/date-fns": {
       "version": "2.30.0",
       "resolved": "https://registry.npmjs.org/date-fns/-/date-fns-2.30.0.tgz",
@@ -447,6 +506,28 @@
         "ms": "2.0.0"
       }
     },
+    "node_modules/decompress-response": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/decompress-response/-/decompress-response-6.0.0.tgz",
+      "integrity": "sha512-aW35yZM6Bb/4oJlZncMH2LCoZtJXTRxES17vE3hoRiowU2kWHaJKFkSBDnDR+cm9J+9QhXmREyIfv0pji9ejCQ==",
+      "dependencies": {
+        "mimic-response": "^3.1.0"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/deep-extend": {
+      "version": "0.6.0",
+      "resolved": "https://registry.npmjs.org/deep-extend/-/deep-extend-0.6.0.tgz",
+      "integrity": "sha512-LOHxIOaPYdHlJRtCQfDIVZtfw/ufM8+rVj649RIHzcm/vGwQRXFt6OPqIFWsm2XEMrNIEtWR64sY1LEKD2vAOA==",
+      "engines": {
+        "node": ">=4.0.0"
+      }
+    },
     "node_modules/delayed-stream": {
       "version": "1.0.0",
       "resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz",
@@ -472,6 +553,14 @@
         "npm": "1.2.8000 || >= 1.4.16"
       }
     },
+    "node_modules/detect-libc": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/detect-libc/-/detect-libc-2.1.2.tgz",
+      "integrity": "sha512-Btj2BOOO83o3WyH59e8MgXsxEQVcarkUOpEYrubB0urwnN10yQ364rsiByU11nZlqWYZm05i/of7io4mzihBtQ==",
+      "engines": {
+        "node": ">=8"
+      }
+    },
     "node_modules/dotenv": {
       "version": "16.6.1",
       "resolved": "https://registry.npmjs.org/dotenv/-/dotenv-16.6.1.tgz",
@@ -515,6 +604,14 @@
         "node": ">= 0.8"
       }
     },
+    "node_modules/end-of-stream": {
+      "version": "1.4.5",
+      "resolved": "https://registry.npmjs.org/end-of-stream/-/end-of-stream-1.4.5.tgz",
+      "integrity": "sha512-ooEGc6HP26xXq/N+GCGOT0JKCLDGrq2bQUZrQ7gyrJiZANJ/8YDTxTpQBXGMn+WbIQXNVpyWymm7KYVICQnyOg==",
+      "dependencies": {
+        "once": "^1.4.0"
+      }
+    },
     "node_modules/es-define-property": {
       "version": "1.0.1",
       "resolved": "https://registry.npmjs.org/es-define-property/-/es-define-property-1.0.1.tgz",
@@ -578,6 +675,14 @@
         "node": ">= 0.6"
       }
     },
+    "node_modules/expand-template": {
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/expand-template/-/expand-template-2.0.3.tgz",
+      "integrity": "sha512-XYfuKMvj4O35f/pOXLObndIRvyQ+/+6AhODh+OKWj9S9498pHHn/IMszH+gt0fBCRWMNfk1ZSp5x3AifmnI2vg==",
+      "engines": {
+        "node": ">=6"
+      }
+    },
     "node_modules/express": {
       "version": "4.22.2",
       "resolved": "https://registry.npmjs.org/express/-/express-4.22.2.tgz",
@@ -624,16 +729,24 @@
       }
     },
     "node_modules/express-rate-limit": {
-      "version": "6.7.0",
-      "resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-6.7.0.tgz",
-      "integrity": "sha512-vhwIdRoqcYB/72TK3tRZI+0ttS8Ytrk24GfmsxDXK9o9IhHNO5bXRiXQSExPQ4GbaE5tvIS7j1SGrxsuWs+sGA==",
+      "version": "7.5.1",
+      "resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-7.5.1.tgz",
+      "integrity": "sha512-7iN8iPMDzOMHPUYllBEsQdWVB6fPDMPqwjBaFrgr4Jgr/+okjvzAy+UHlYYL/Vs0OsOrMkwS6PJDkFlJwoxUnw==",
       "engines": {
-        "node": ">= 12.9.0"
+        "node": ">= 16"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/express-rate-limit"
       },
       "peerDependencies": {
-        "express": "^4 || ^5"
+        "express": ">= 4.11"
       }
     },
+    "node_modules/file-uri-to-path": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/file-uri-to-path/-/file-uri-to-path-1.0.0.tgz",
+      "integrity": "sha512-0Zt+s3L7Vf1biwWZ29aARiVYLx7iMGnEUl9x33fbB/j3jR81u/O2LbqK+Bm1CDSNDKVtJ/YjwY7TUd5SkeLQLw=="
+    },
     "node_modules/fill-range": {
       "version": "7.1.1",
       "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz",
@@ -713,6 +826,11 @@
         "node": ">= 0.6"
       }
     },
+    "node_modules/fs-constants": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/fs-constants/-/fs-constants-1.0.0.tgz",
+      "integrity": "sha512-y6OAwoSIf7FyjMIv94u+b5rdheZEjzR63GTyZJm5qh4Bi+2YgwLCcI/fPFZkL5PSixOt6ZNKm+w+Hfp/Bciwow=="
+    },
     "node_modules/fsevents": {
       "version": "2.3.3",
       "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.3.tgz",
@@ -779,6 +897,11 @@
         "node": ">= 0.4"
       }
     },
+    "node_modules/github-from-package": {
+      "version": "0.0.0",
+      "resolved": "https://registry.npmjs.org/github-from-package/-/github-from-package-0.0.0.tgz",
+      "integrity": "sha512-SyHy3T1v2NUXn29OsWdxmK6RwHD+vkj3v8en8AOBZ1wBQ/hCAQ5bAQTD02kW4W9tUp/3Qh6J8r9EvntiyCmOOw=="
+    },
     "node_modules/glob-parent": {
       "version": "5.1.2",
       "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz",
@@ -848,11 +971,11 @@
       }
     },
     "node_modules/helmet": {
-      "version": "4.6.0",
-      "resolved": "https://registry.npmjs.org/helmet/-/helmet-4.6.0.tgz",
-      "integrity": "sha512-HVqALKZlR95ROkrnesdhbbZJFi/rIVSoNq6f3jA/9u6MIbTsPh3xZwihjeI5+DO/2sOV6HMHooXcEOuwskHpTg==",
+      "version": "7.2.0",
+      "resolved": "https://registry.npmjs.org/helmet/-/helmet-7.2.0.tgz",
+      "integrity": "sha512-ZRiwvN089JfMXokizgqEPXsl2Guk094yExfoDXR0cBYWxtBbaSww/w+vT4WEJsBW2iTUi1GgZ6swmoug3Oy4Xw==",
       "engines": {
-        "node": ">=10.0.0"
+        "node": ">=16.0.0"
       }
     },
     "node_modules/http-errors": {
@@ -918,6 +1041,25 @@
         "node": ">=0.10.0"
       }
     },
+    "node_modules/ieee754": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/ieee754/-/ieee754-1.2.1.tgz",
+      "integrity": "sha512-dcyqhDvX1C46lXZcVqCpK+FtMRQVdIMN6/Df5js2zouUsqG7I6sFxitIC+7KYK29KdXOLHdu9zL4sFnoVQnqaA==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/feross"
+        },
+        {
+          "type": "patreon",
+          "url": "https://www.patreon.com/feross"
+        },
+        {
+          "type": "consulting",
+          "url": "https://feross.org/support"
+        }
+      ]
+    },
     "node_modules/ignore-by-default": {
       "version": "1.0.1",
       "resolved": "https://registry.npmjs.org/ignore-by-default/-/ignore-by-default-1.0.1.tgz",
@@ -929,6 +1071,11 @@
       "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz",
       "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ=="
     },
+    "node_modules/ini": {
+      "version": "1.3.8",
+      "resolved": "https://registry.npmjs.org/ini/-/ini-1.3.8.tgz",
+      "integrity": "sha512-JV/yugV2uzW5iMRSiZAyDtQd+nxtUnjeLt0acNdw98kKLrvuRVyB80tsREOE7yvGVgalhZ6RNXCmEHkUKBKxew=="
+    },
     "node_modules/ipaddr.js": {
       "version": "1.9.1",
       "resolved": "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-1.9.1.tgz",
@@ -1056,6 +1203,17 @@
         "node": ">= 0.6"
       }
     },
+    "node_modules/mimic-response": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/mimic-response/-/mimic-response-3.1.0.tgz",
+      "integrity": "sha512-z0yWI+4FDrrweS8Zmt4Ej5HdJmky15+L2e6Wgn3+iK5fWzb6T3fhNFq2+MeTRb064c6Wr4N/wv0DzQTjNzHNGQ==",
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
     "node_modules/minimatch": {
       "version": "10.2.5",
       "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.5.tgz",
@@ -1071,11 +1229,29 @@
         "url": "https://github.com/sponsors/isaacs"
       }
     },
+    "node_modules/minimist": {
+      "version": "1.2.8",
+      "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz",
+      "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==",
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/mkdirp-classic": {
+      "version": "0.5.3",
+      "resolved": "https://registry.npmjs.org/mkdirp-classic/-/mkdirp-classic-0.5.3.tgz",
+      "integrity": "sha512-gKLcREMhtuZRwRAfqP3RFW+TK4JqApVBtOIftVgjuABpAtpxhPGaDcfvbhNvD0B8iD1oUr/txX35NjcaY6Ns/A=="
+    },
     "node_modules/ms": {
       "version": "2.0.0",
       "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
       "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A=="
     },
+    "node_modules/napi-build-utils": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/napi-build-utils/-/napi-build-utils-2.0.0.tgz",
+      "integrity": "sha512-GEbrYkbfF7MoNaoh2iGG84Mnf/WZfB0GdGEsM8wz7Expx/LlWf5U8t9nvJKXSp3qr5IsEbK04cBGhol/KwOsWA=="
+    },
     "node_modules/negotiator": {
       "version": "0.6.3",
       "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-0.6.3.tgz",
@@ -1084,6 +1260,17 @@
         "node": ">= 0.6"
       }
     },
+    "node_modules/node-abi": {
+      "version": "3.92.0",
+      "resolved": "https://registry.npmjs.org/node-abi/-/node-abi-3.92.0.tgz",
+      "integrity": "sha512-KdHvFWZjEKDf0cakgFjebl371GPsISX2oZHcuyKqM7DtogIsHrqKeLTo8wBHxaXRAQlY2PsPlZmfo+9ZCxEREQ==",
+      "dependencies": {
+        "semver": "^7.3.5"
+      },
+      "engines": {
+        "node": ">=10"
+      }
+    },
     "node_modules/nodemon": {
       "version": "3.1.14",
       "resolved": "https://registry.npmjs.org/nodemon/-/nodemon-3.1.14.tgz",
@@ -1165,14 +1352,6 @@
         "node": ">=0.10.0"
       }
     },
-    "node_modules/object-assign": {
-      "version": "4.1.1",
-      "resolved": "https://registry.npmjs.org/object-assign/-/object-assign-4.1.1.tgz",
-      "integrity": "sha512-rJgTQnkUnH1sFw8yT6VSU3zD3sWmu6sZhIseY8VX+GRu3P6F7Fu+JNDoXfklElbLJSnc3FUQHVe4cU5hj+BcUg==",
-      "engines": {
-        "node": ">=0.10.0"
-      }
-    },
     "node_modules/object-inspect": {
       "version": "1.13.4",
       "resolved": "https://registry.npmjs.org/object-inspect/-/object-inspect-1.13.4.tgz",
@@ -1195,6 +1374,14 @@
         "node": ">= 0.8"
       }
     },
+    "node_modules/once": {
+      "version": "1.4.0",
+      "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz",
+      "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==",
+      "dependencies": {
+        "wrappy": "1"
+      }
+    },
     "node_modules/parseurl": {
       "version": "1.3.3",
       "resolved": "https://registry.npmjs.org/parseurl/-/parseurl-1.3.3.tgz",
@@ -1220,6 +1407,32 @@
         "url": "https://github.com/sponsors/jonschlinkert"
       }
     },
+    "node_modules/prebuild-install": {
+      "version": "7.1.3",
+      "resolved": "https://registry.npmjs.org/prebuild-install/-/prebuild-install-7.1.3.tgz",
+      "integrity": "sha512-8Mf2cbV7x1cXPUILADGI3wuhfqWvtiLA1iclTDbFRZkgRQS0NqsPZphna9V+HyTEadheuPmjaJMsbzKQFOzLug==",
+      "deprecated": "No longer maintained. Please contact the author of the relevant native addon; alternatives are available.",
+      "dependencies": {
+        "detect-libc": "^2.0.0",
+        "expand-template": "^2.0.3",
+        "github-from-package": "0.0.0",
+        "minimist": "^1.2.3",
+        "mkdirp-classic": "^0.5.3",
+        "napi-build-utils": "^2.0.0",
+        "node-abi": "^3.3.0",
+        "pump": "^3.0.0",
+        "rc": "^1.2.7",
+        "simple-get": "^4.0.0",
+        "tar-fs": "^2.0.0",
+        "tunnel-agent": "^0.6.0"
+      },
+      "bin": {
+        "prebuild-install": "bin.js"
+      },
+      "engines": {
+        "node": ">=10"
+      }
+    },
     "node_modules/proxy-addr": {
       "version": "2.0.7",
       "resolved": "https://registry.npmjs.org/proxy-addr/-/proxy-addr-2.0.7.tgz",
@@ -1246,6 +1459,15 @@
       "integrity": "sha512-77DZwxQmxKnu3aR542U+X8FypNzbfJ+C5XQDk3uWjWxn6151aIMGthWYRXTqT1E5oJvg+ljaa2OJi+VfvCOQ8w==",
       "dev": true
     },
+    "node_modules/pump": {
+      "version": "3.0.4",
+      "resolved": "https://registry.npmjs.org/pump/-/pump-3.0.4.tgz",
+      "integrity": "sha512-VS7sjc6KR7e1ukRFhQSY5LM2uBWAUPiOPa/A3mkKmiMwSmRFUITt0xuj+/lesgnCv+dPIEYlkzrcyXgquIHMcA==",
+      "dependencies": {
+        "end-of-stream": "^1.1.0",
+        "once": "^1.3.1"
+      }
+    },
     "node_modules/qs": {
       "version": "6.15.1",
       "resolved": "https://registry.npmjs.org/qs/-/qs-6.15.1.tgz",
@@ -1282,6 +1504,33 @@
         "node": ">= 0.8"
       }
     },
+    "node_modules/rc": {
+      "version": "1.2.8",
+      "resolved": "https://registry.npmjs.org/rc/-/rc-1.2.8.tgz",
+      "integrity": "sha512-y3bGgqKj3QBdxLbLkomlohkvsA8gdAiUQlSBJnBhfn+BPxg4bc62d8TcBW15wavDfgexCgccckhcZvywyQYPOw==",
+      "dependencies": {
+        "deep-extend": "^0.6.0",
+        "ini": "~1.3.0",
+        "minimist": "^1.2.0",
+        "strip-json-comments": "~2.0.1"
+      },
+      "bin": {
+        "rc": "cli.js"
+      }
+    },
+    "node_modules/readable-stream": {
+      "version": "3.6.2",
+      "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-3.6.2.tgz",
+      "integrity": "sha512-9u/sniCrY3D5WdsERHzHE4G2YCXqoG5FTHUiCC4SIbr6XcLZBY05ya9EKjYek9O5xOAwjGq+1JdGBAS7Q9ScoA==",
+      "dependencies": {
+        "inherits": "^2.0.3",
+        "string_decoder": "^1.1.1",
+        "util-deprecate": "^1.0.1"
+      },
+      "engines": {
+        "node": ">= 6"
+      }
+    },
     "node_modules/readdirp": {
       "version": "3.6.0",
       "resolved": "https://registry.npmjs.org/readdirp/-/readdirp-3.6.0.tgz",
@@ -1340,7 +1589,6 @@
       "version": "7.8.0",
       "resolved": "https://registry.npmjs.org/semver/-/semver-7.8.0.tgz",
       "integrity": "sha512-AcM7dV/5ul4EekoQ29Agm5vri8JNqRyj39o0qpX6vDF2GZrtutZl5RwgD1XnZjiTAfncsJhMI48QQH3sN87YNA==",
-      "dev": true,
       "bin": {
         "semver": "bin/semver.js"
       },
@@ -1475,6 +1723,49 @@
         "url": "https://github.com/sponsors/ljharb"
       }
     },
+    "node_modules/simple-concat": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/simple-concat/-/simple-concat-1.0.1.tgz",
+      "integrity": "sha512-cSFtAPtRhljv69IK0hTVZQ+OfE9nePi/rtJmw5UjHeVyVroEqJXP1sFztKUy1qU+xvz3u/sfYJLa947b7nAN2Q==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/feross"
+        },
+        {
+          "type": "patreon",
+          "url": "https://www.patreon.com/feross"
+        },
+        {
+          "type": "consulting",
+          "url": "https://feross.org/support"
+        }
+      ]
+    },
+    "node_modules/simple-get": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/simple-get/-/simple-get-4.0.1.tgz",
+      "integrity": "sha512-brv7p5WgH0jmQJr1ZDDfKDOSeWWg+OVypG99A/5vYGPqJ6pxiaHLy8nxtFjBA7oMa01ebA9gfh1uMCFqOuXxvA==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/feross"
+        },
+        {
+          "type": "patreon",
+          "url": "https://www.patreon.com/feross"
+        },
+        {
+          "type": "consulting",
+          "url": "https://feross.org/support"
+        }
+      ],
+      "dependencies": {
+        "decompress-response": "^6.0.0",
+        "once": "^1.3.1",
+        "simple-concat": "^1.0.0"
+      }
+    },
     "node_modules/simple-update-notifier": {
       "version": "2.0.0",
       "resolved": "https://registry.npmjs.org/simple-update-notifier/-/simple-update-notifier-2.0.0.tgz",
@@ -1501,6 +1792,14 @@
         "node": ">= 0.8"
       }
     },
+    "node_modules/string_decoder": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.3.0.tgz",
+      "integrity": "sha512-hkRX8U1WjJFd8LsDJ2yQ/wWWxaopEsABU1XfkM8A+j0+85JAGppt16cr1Whg6KIbb4okU6Mql6BOj+uup/wKeA==",
+      "dependencies": {
+        "safe-buffer": "~5.2.0"
+      }
+    },
     "node_modules/string-width": {
       "version": "4.2.3",
       "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz",
@@ -1527,6 +1826,14 @@
         "node": ">=8"
       }
     },
+    "node_modules/strip-json-comments": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/strip-json-comments/-/strip-json-comments-2.0.1.tgz",
+      "integrity": "sha512-4gB8na07fecVVkOI6Rs4e7T6NOTki5EmL7TUduTs6bu3EdnSycntVJ4re8kgZA+wx9IueI2Y11bfbgwtzuE0KQ==",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
     "node_modules/supports-color": {
       "version": "8.1.1",
       "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-8.1.1.tgz",
@@ -1542,6 +1849,32 @@
         "url": "https://github.com/chalk/supports-color?sponsor=1"
       }
     },
+    "node_modules/tar-fs": {
+      "version": "2.1.4",
+      "resolved": "https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.4.tgz",
+      "integrity": "sha512-mDAjwmZdh7LTT6pNleZ05Yt65HC3E+NiQzl672vQG38jIrehtJk/J3mNwIg+vShQPcLF/LV7CMnDW6vjj6sfYQ==",
+      "dependencies": {
+        "chownr": "^1.1.1",
+        "mkdirp-classic": "^0.5.2",
+        "pump": "^3.0.0",
+        "tar-stream": "^2.1.4"
+      }
+    },
+    "node_modules/tar-stream": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/tar-stream/-/tar-stream-2.2.0.tgz",
+      "integrity": "sha512-ujeqbceABgwMZxEJnk2HDY2DlnUZ+9oEcb1KzTVfYHio0UE6dG71n60d8D2I4qNvleWrrXpmjpt7vZeF1LnMZQ==",
+      "dependencies": {
+        "bl": "^4.0.3",
+        "end-of-stream": "^1.4.1",
+        "fs-constants": "^1.0.0",
+        "inherits": "^2.0.3",
+        "readable-stream": "^3.1.1"
+      },
+      "engines": {
+        "node": ">=6"
+      }
+    },
     "node_modules/to-regex-range": {
       "version": "5.0.1",
       "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz",
@@ -1586,6 +1919,17 @@
       "integrity": "sha512-oJFu94HQb+KVduSUQL7wnpmqnfmLsOA/nAh6b6EH0wCEoK0/mPeXU6c3wKDV83MkOuHPRHtSXKKU99IBazS/2w==",
       "dev": true
     },
+    "node_modules/tunnel-agent": {
+      "version": "0.6.0",
+      "resolved": "https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.6.0.tgz",
+      "integrity": "sha512-McnNiV1l8RYeY8tBgEpuodCC1mLUdbSN+CYBL7kJsJNInOP8UjDDEwdk6Mw60vdLLrr5NHKZhMAOSrR2NZuQ+w==",
+      "dependencies": {
+        "safe-buffer": "^5.0.1"
+      },
+      "engines": {
+        "node": "*"
+      }
+    },
     "node_modules/type-is": {
       "version": "1.6.18",
       "resolved": "https://registry.npmjs.org/type-is/-/type-is-1.6.18.tgz",
@@ -1612,6 +1956,11 @@
         "node": ">= 0.8"
       }
     },
+    "node_modules/util-deprecate": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz",
+      "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw=="
+    },
     "node_modules/utils-merge": {
       "version": "1.0.1",
       "resolved": "https://registry.npmjs.org/utils-merge/-/utils-merge-1.0.1.tgz",
@@ -1645,6 +1994,11 @@
         "url": "https://github.com/chalk/wrap-ansi?sponsor=1"
       }
     },
+    "node_modules/wrappy": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz",
+      "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ=="
+    },
     "node_modules/y18n": {
       "version": "5.0.8",
       "resolved": "https://registry.npmjs.org/y18n/-/y18n-5.0.8.tgz",
@@ -1773,12 +2127,44 @@
       "integrity": "sha512-BLrgEcRTwX2o6gGxGOCNyMvGSp35YofuYzw9h1IMTRmKqttAZZVU67bdb9Pr2vUHA8+j3i2tJfjO6C6+4myGTA==",
       "dev": true
     },
+    "base64-js": {
+      "version": "1.5.1",
+      "resolved": "https://registry.npmjs.org/base64-js/-/base64-js-1.5.1.tgz",
+      "integrity": "sha512-AKpaYlHn8t4SVbOHCy+b5+KKgvR4vrsD8vbvrbiQJps7fKDTkjkDry6ji0rUJjC0kzbNePLwzxq8iypo41qeWA=="
+    },
+    "better-sqlite3": {
+      "version": "9.6.0",
+      "resolved": "https://registry.npmjs.org/better-sqlite3/-/better-sqlite3-9.6.0.tgz",
+      "integrity": "sha512-yR5HATnqeYNVnkaUTf4bOP2dJSnyhP4puJN/QPRyx4YkBEEUxib422n2XzPqDEHjQQqazoYoADdAm5vE15+dAQ==",
+      "requires": {
+        "bindings": "^1.5.0",
+        "prebuild-install": "^7.1.1"
+      }
+    },
     "binary-extensions": {
       "version": "2.3.0",
       "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-2.3.0.tgz",
       "integrity": "sha512-Ceh+7ox5qe7LJuLHoY0feh3pHuUDHAcRUeyL2VYghZwfpkNIy/+8Ocg0a3UuSoYzavmylwuLWQOf3hl0jjMMIw==",
       "dev": true
     },
+    "bindings": {
+      "version": "1.5.0",
+      "resolved": "https://registry.npmjs.org/bindings/-/bindings-1.5.0.tgz",
+      "integrity": "sha512-p2q/t/mhvuOj/UeLlV6566GD/guowlr0hHxClI0W9m7MWYkL1F0hLo+0Aexs9HSPCtR1SXQ0TD3MMKrXZajbiQ==",
+      "requires": {
+        "file-uri-to-path": "1.0.0"
+      }
+    },
+    "bl": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/bl/-/bl-4.1.0.tgz",
+      "integrity": "sha512-1W07cM9gS6DcLperZfFSj+bWLtaPGSOHWhPiGzXmvVJbRLdG82sH/Kn8EtW1VqWVA54AKf2h5k5BbnIbwF3h6w==",
+      "requires": {
+        "buffer": "^5.5.0",
+        "inherits": "^2.0.4",
+        "readable-stream": "^3.4.0"
+      }
+    },
     "body-parser": {
       "version": "1.20.5",
       "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.5.tgz",
@@ -1816,6 +2202,15 @@
         "fill-range": "^7.1.1"
       }
     },
+    "buffer": {
+      "version": "5.7.1",
+      "resolved": "https://registry.npmjs.org/buffer/-/buffer-5.7.1.tgz",
+      "integrity": "sha512-EHcyIPBQ4BSGlvjB16k5KgAJ27CIsHY/2JBmCRReo48y9rQ3MaUzWX3KVlBa4U7MyX02HdVj0K7C3WaB3ju7FQ==",
+      "requires": {
+        "base64-js": "^1.3.1",
+        "ieee754": "^1.1.13"
+      }
+    },
     "bytes": {
       "version": "3.1.2",
       "resolved": "https://registry.npmjs.org/bytes/-/bytes-3.1.2.tgz",
@@ -1876,6 +2271,11 @@
         "readdirp": "~3.6.0"
       }
     },
+    "chownr": {
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/chownr/-/chownr-1.1.4.tgz",
+      "integrity": "sha512-jJ0bqzaylmJtVnNgzTeSOs8DPavpbYgEr/b0YL8/2GO3xJEhInFmhKMUnEJQjZumK7KXGFhUy89PrsJWlakBVg=="
+    },
     "cliui": {
       "version": "8.0.1",
       "resolved": "https://registry.npmjs.org/cliui/-/cliui-8.0.1.tgz",
@@ -1966,15 +2366,6 @@
       "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.7.tgz",
       "integrity": "sha512-NXdYc3dLr47pBkpUCHtKSwIOQXLVn8dZEuywboCOJY/osA0wFSLlSawr3KN8qXJEyX66FcONTH8EIlVuK0yyFA=="
     },
-    "cors": {
-      "version": "2.8.6",
-      "resolved": "https://registry.npmjs.org/cors/-/cors-2.8.6.tgz",
-      "integrity": "sha512-tJtZBBHA6vjIAaF6EnIaq6laBBP9aq/Y3ouVJjEfoHbRBcHBAHYcMh/w8LDrk2PvIMMq8gmopa5D4V8RmbrxGw==",
-      "requires": {
-        "object-assign": "^4",
-        "vary": "^1"
-      }
-    },
     "date-fns": {
       "version": "2.30.0",
       "resolved": "https://registry.npmjs.org/date-fns/-/date-fns-2.30.0.tgz",
@@ -1992,6 +2383,19 @@
         "ms": "2.0.0"
       }
     },
+    "decompress-response": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/decompress-response/-/decompress-response-6.0.0.tgz",
+      "integrity": "sha512-aW35yZM6Bb/4oJlZncMH2LCoZtJXTRxES17vE3hoRiowU2kWHaJKFkSBDnDR+cm9J+9QhXmREyIfv0pji9ejCQ==",
+      "requires": {
+        "mimic-response": "^3.1.0"
+      }
+    },
+    "deep-extend": {
+      "version": "0.6.0",
+      "resolved": "https://registry.npmjs.org/deep-extend/-/deep-extend-0.6.0.tgz",
+      "integrity": "sha512-LOHxIOaPYdHlJRtCQfDIVZtfw/ufM8+rVj649RIHzcm/vGwQRXFt6OPqIFWsm2XEMrNIEtWR64sY1LEKD2vAOA=="
+    },
     "delayed-stream": {
       "version": "1.0.0",
       "resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz",
@@ -2007,6 +2411,11 @@
       "resolved": "https://registry.npmjs.org/destroy/-/destroy-1.2.0.tgz",
       "integrity": "sha512-2sJGJTaXIIaR1w4iJSNoN0hnMY7Gpc/n8D4qSCJw8QqFWXf7cuAgnEHxBpweaVcPevC2l3KpjYCx3NypQQgaJg=="
     },
+    "detect-libc": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/detect-libc/-/detect-libc-2.1.2.tgz",
+      "integrity": "sha512-Btj2BOOO83o3WyH59e8MgXsxEQVcarkUOpEYrubB0urwnN10yQ364rsiByU11nZlqWYZm05i/of7io4mzihBtQ=="
+    },
     "dotenv": {
       "version": "16.6.1",
       "resolved": "https://registry.npmjs.org/dotenv/-/dotenv-16.6.1.tgz",
@@ -2038,6 +2447,14 @@
       "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-2.0.0.tgz",
       "integrity": "sha512-Q0n9HRi4m6JuGIV1eFlmvJB7ZEVxu93IrMyiMsGC0lrMJMWzRgx6WGquyfQgZVb31vhGgXnfmPNNXmxnOkRBrg=="
     },
+    "end-of-stream": {
+      "version": "1.4.5",
+      "resolved": "https://registry.npmjs.org/end-of-stream/-/end-of-stream-1.4.5.tgz",
+      "integrity": "sha512-ooEGc6HP26xXq/N+GCGOT0JKCLDGrq2bQUZrQ7gyrJiZANJ/8YDTxTpQBXGMn+WbIQXNVpyWymm7KYVICQnyOg==",
+      "requires": {
+        "once": "^1.4.0"
+      }
+    },
     "es-define-property": {
       "version": "1.0.1",
       "resolved": "https://registry.npmjs.org/es-define-property/-/es-define-property-1.0.1.tgz",
@@ -2083,6 +2500,11 @@
       "resolved": "https://registry.npmjs.org/etag/-/etag-1.8.1.tgz",
       "integrity": "sha512-aIL5Fx7mawVa300al2BnEE4iNvo1qETxLrPI/o05L7z6go7fCw1J6EQmbK4FmJ2AS7kgVF/KEZWufBfdClMcPg=="
     },
+    "expand-template": {
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/expand-template/-/expand-template-2.0.3.tgz",
+      "integrity": "sha512-XYfuKMvj4O35f/pOXLObndIRvyQ+/+6AhODh+OKWj9S9498pHHn/IMszH+gt0fBCRWMNfk1ZSp5x3AifmnI2vg=="
+    },
     "express": {
       "version": "4.22.2",
       "resolved": "https://registry.npmjs.org/express/-/express-4.22.2.tgz",
@@ -2122,11 +2544,16 @@
       }
     },
     "express-rate-limit": {
-      "version": "6.7.0",
-      "resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-6.7.0.tgz",
-      "integrity": "sha512-vhwIdRoqcYB/72TK3tRZI+0ttS8Ytrk24GfmsxDXK9o9IhHNO5bXRiXQSExPQ4GbaE5tvIS7j1SGrxsuWs+sGA==",
+      "version": "7.5.1",
+      "resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-7.5.1.tgz",
+      "integrity": "sha512-7iN8iPMDzOMHPUYllBEsQdWVB6fPDMPqwjBaFrgr4Jgr/+okjvzAy+UHlYYL/Vs0OsOrMkwS6PJDkFlJwoxUnw==",
       "requires": {}
     },
+    "file-uri-to-path": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/file-uri-to-path/-/file-uri-to-path-1.0.0.tgz",
+      "integrity": "sha512-0Zt+s3L7Vf1biwWZ29aARiVYLx7iMGnEUl9x33fbB/j3jR81u/O2LbqK+Bm1CDSNDKVtJ/YjwY7TUd5SkeLQLw=="
+    },
     "fill-range": {
       "version": "7.1.1",
       "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz",
@@ -2177,6 +2604,11 @@
       "resolved": "https://registry.npmjs.org/fresh/-/fresh-0.5.2.tgz",
       "integrity": "sha512-zJ2mQYM18rEFOudeV4GShTGIQ7RbzA7ozbU9I/XBpm7kqgMywgmylMwXHxZJmkVoYkna9d2pVXVXPdYTP9ej8Q=="
     },
+    "fs-constants": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/fs-constants/-/fs-constants-1.0.0.tgz",
+      "integrity": "sha512-y6OAwoSIf7FyjMIv94u+b5rdheZEjzR63GTyZJm5qh4Bi+2YgwLCcI/fPFZkL5PSixOt6ZNKm+w+Hfp/Bciwow=="
+    },
     "fsevents": {
       "version": "2.3.3",
       "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.3.tgz",
@@ -2221,6 +2653,11 @@
         "es-object-atoms": "^1.0.0"
       }
     },
+    "github-from-package": {
+      "version": "0.0.0",
+      "resolved": "https://registry.npmjs.org/github-from-package/-/github-from-package-0.0.0.tgz",
+      "integrity": "sha512-SyHy3T1v2NUXn29OsWdxmK6RwHD+vkj3v8en8AOBZ1wBQ/hCAQ5bAQTD02kW4W9tUp/3Qh6J8r9EvntiyCmOOw=="
+    },
     "glob-parent": {
       "version": "5.1.2",
       "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz",
@@ -2263,9 +2700,9 @@
       }
     },
     "helmet": {
-      "version": "4.6.0",
-      "resolved": "https://registry.npmjs.org/helmet/-/helmet-4.6.0.tgz",
-      "integrity": "sha512-HVqALKZlR95ROkrnesdhbbZJFi/rIVSoNq6f3jA/9u6MIbTsPh3xZwihjeI5+DO/2sOV6HMHooXcEOuwskHpTg=="
+      "version": "7.2.0",
+      "resolved": "https://registry.npmjs.org/helmet/-/helmet-7.2.0.tgz",
+      "integrity": "sha512-ZRiwvN089JfMXokizgqEPXsl2Guk094yExfoDXR0cBYWxtBbaSww/w+vT4WEJsBW2iTUi1GgZ6swmoug3Oy4Xw=="
     },
     "http-errors": {
       "version": "2.0.1",
@@ -2311,6 +2748,11 @@
         "safer-buffer": ">= 2.1.2 < 3"
       }
     },
+    "ieee754": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/ieee754/-/ieee754-1.2.1.tgz",
+      "integrity": "sha512-dcyqhDvX1C46lXZcVqCpK+FtMRQVdIMN6/Df5js2zouUsqG7I6sFxitIC+7KYK29KdXOLHdu9zL4sFnoVQnqaA=="
+    },
     "ignore-by-default": {
       "version": "1.0.1",
       "resolved": "https://registry.npmjs.org/ignore-by-default/-/ignore-by-default-1.0.1.tgz",
@@ -2322,6 +2764,11 @@
       "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz",
       "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ=="
     },
+    "ini": {
+      "version": "1.3.8",
+      "resolved": "https://registry.npmjs.org/ini/-/ini-1.3.8.tgz",
+      "integrity": "sha512-JV/yugV2uzW5iMRSiZAyDtQd+nxtUnjeLt0acNdw98kKLrvuRVyB80tsREOE7yvGVgalhZ6RNXCmEHkUKBKxew=="
+    },
     "ipaddr.js": {
       "version": "1.9.1",
       "resolved": "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-1.9.1.tgz",
@@ -2407,6 +2854,11 @@
         "mime-db": "1.52.0"
       }
     },
+    "mimic-response": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/mimic-response/-/mimic-response-3.1.0.tgz",
+      "integrity": "sha512-z0yWI+4FDrrweS8Zmt4Ej5HdJmky15+L2e6Wgn3+iK5fWzb6T3fhNFq2+MeTRb064c6Wr4N/wv0DzQTjNzHNGQ=="
+    },
     "minimatch": {
       "version": "10.2.5",
       "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.5.tgz",
@@ -2416,16 +2868,39 @@
         "brace-expansion": "^5.0.5"
       }
     },
+    "minimist": {
+      "version": "1.2.8",
+      "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz",
+      "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA=="
+    },
+    "mkdirp-classic": {
+      "version": "0.5.3",
+      "resolved": "https://registry.npmjs.org/mkdirp-classic/-/mkdirp-classic-0.5.3.tgz",
+      "integrity": "sha512-gKLcREMhtuZRwRAfqP3RFW+TK4JqApVBtOIftVgjuABpAtpxhPGaDcfvbhNvD0B8iD1oUr/txX35NjcaY6Ns/A=="
+    },
     "ms": {
       "version": "2.0.0",
       "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
       "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A=="
     },
+    "napi-build-utils": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/napi-build-utils/-/napi-build-utils-2.0.0.tgz",
+      "integrity": "sha512-GEbrYkbfF7MoNaoh2iGG84Mnf/WZfB0GdGEsM8wz7Expx/LlWf5U8t9nvJKXSp3qr5IsEbK04cBGhol/KwOsWA=="
+    },
     "negotiator": {
       "version": "0.6.3",
       "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-0.6.3.tgz",
       "integrity": "sha512-+EUsqGPLsM+j/zdChZjsnX51g4XrHFOIXwfnCVPGlQk/k5giakcKsuxCObBRu6DSm9opw/O6slWbJdghQM4bBg=="
     },
+    "node-abi": {
+      "version": "3.92.0",
+      "resolved": "https://registry.npmjs.org/node-abi/-/node-abi-3.92.0.tgz",
+      "integrity": "sha512-KdHvFWZjEKDf0cakgFjebl371GPsISX2oZHcuyKqM7DtogIsHrqKeLTo8wBHxaXRAQlY2PsPlZmfo+9ZCxEREQ==",
+      "requires": {
+        "semver": "^7.3.5"
+      }
+    },
     "nodemon": {
       "version": "3.1.14",
       "resolved": "https://registry.npmjs.org/nodemon/-/nodemon-3.1.14.tgz",
@@ -2482,11 +2957,6 @@
       "integrity": "sha512-6eZs5Ls3WtCisHWp9S2GUy8dqkpGi4BVSz3GaqiE6ezub0512ESztXUwUB6C6IKbQkY2Pnb/mD4WYojCRwcwLA==",
       "dev": true
     },
-    "object-assign": {
-      "version": "4.1.1",
-      "resolved": "https://registry.npmjs.org/object-assign/-/object-assign-4.1.1.tgz",
-      "integrity": "sha512-rJgTQnkUnH1sFw8yT6VSU3zD3sWmu6sZhIseY8VX+GRu3P6F7Fu+JNDoXfklElbLJSnc3FUQHVe4cU5hj+BcUg=="
-    },
     "object-inspect": {
       "version": "1.13.4",
       "resolved": "https://registry.npmjs.org/object-inspect/-/object-inspect-1.13.4.tgz",
@@ -2500,6 +2970,14 @@
         "ee-first": "1.1.1"
       }
     },
+    "once": {
+      "version": "1.4.0",
+      "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz",
+      "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==",
+      "requires": {
+        "wrappy": "1"
+      }
+    },
     "parseurl": {
       "version": "1.3.3",
       "resolved": "https://registry.npmjs.org/parseurl/-/parseurl-1.3.3.tgz",
@@ -2516,6 +2994,25 @@
       "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==",
       "dev": true
     },
+    "prebuild-install": {
+      "version": "7.1.3",
+      "resolved": "https://registry.npmjs.org/prebuild-install/-/prebuild-install-7.1.3.tgz",
+      "integrity": "sha512-8Mf2cbV7x1cXPUILADGI3wuhfqWvtiLA1iclTDbFRZkgRQS0NqsPZphna9V+HyTEadheuPmjaJMsbzKQFOzLug==",
+      "requires": {
+        "detect-libc": "^2.0.0",
+        "expand-template": "^2.0.3",
+        "github-from-package": "0.0.0",
+        "minimist": "^1.2.3",
+        "mkdirp-classic": "^0.5.3",
+        "napi-build-utils": "^2.0.0",
+        "node-abi": "^3.3.0",
+        "pump": "^3.0.0",
+        "rc": "^1.2.7",
+        "simple-get": "^4.0.0",
+        "tar-fs": "^2.0.0",
+        "tunnel-agent": "^0.6.0"
+      }
+    },
     "proxy-addr": {
       "version": "2.0.7",
       "resolved": "https://registry.npmjs.org/proxy-addr/-/proxy-addr-2.0.7.tgz",
@@ -2536,6 +3033,15 @@
       "integrity": "sha512-77DZwxQmxKnu3aR542U+X8FypNzbfJ+C5XQDk3uWjWxn6151aIMGthWYRXTqT1E5oJvg+ljaa2OJi+VfvCOQ8w==",
       "dev": true
     },
+    "pump": {
+      "version": "3.0.4",
+      "resolved": "https://registry.npmjs.org/pump/-/pump-3.0.4.tgz",
+      "integrity": "sha512-VS7sjc6KR7e1ukRFhQSY5LM2uBWAUPiOPa/A3mkKmiMwSmRFUITt0xuj+/lesgnCv+dPIEYlkzrcyXgquIHMcA==",
+      "requires": {
+        "end-of-stream": "^1.1.0",
+        "once": "^1.3.1"
+      }
+    },
     "qs": {
       "version": "6.15.1",
       "resolved": "https://registry.npmjs.org/qs/-/qs-6.15.1.tgz",
@@ -2560,6 +3066,27 @@
         "unpipe": "~1.0.0"
       }
     },
+    "rc": {
+      "version": "1.2.8",
+      "resolved": "https://registry.npmjs.org/rc/-/rc-1.2.8.tgz",
+      "integrity": "sha512-y3bGgqKj3QBdxLbLkomlohkvsA8gdAiUQlSBJnBhfn+BPxg4bc62d8TcBW15wavDfgexCgccckhcZvywyQYPOw==",
+      "requires": {
+        "deep-extend": "^0.6.0",
+        "ini": "~1.3.0",
+        "minimist": "^1.2.0",
+        "strip-json-comments": "~2.0.1"
+      }
+    },
+    "readable-stream": {
+      "version": "3.6.2",
+      "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-3.6.2.tgz",
+      "integrity": "sha512-9u/sniCrY3D5WdsERHzHE4G2YCXqoG5FTHUiCC4SIbr6XcLZBY05ya9EKjYek9O5xOAwjGq+1JdGBAS7Q9ScoA==",
+      "requires": {
+        "inherits": "^2.0.3",
+        "string_decoder": "^1.1.1",
+        "util-deprecate": "^1.0.1"
+      }
+    },
     "readdirp": {
       "version": "3.6.0",
       "resolved": "https://registry.npmjs.org/readdirp/-/readdirp-3.6.0.tgz",
@@ -2597,8 +3124,7 @@
     "semver": {
       "version": "7.8.0",
       "resolved": "https://registry.npmjs.org/semver/-/semver-7.8.0.tgz",
-      "integrity": "sha512-AcM7dV/5ul4EekoQ29Agm5vri8JNqRyj39o0qpX6vDF2GZrtutZl5RwgD1XnZjiTAfncsJhMI48QQH3sN87YNA==",
-      "dev": true
+      "integrity": "sha512-AcM7dV/5ul4EekoQ29Agm5vri8JNqRyj39o0qpX6vDF2GZrtutZl5RwgD1XnZjiTAfncsJhMI48QQH3sN87YNA=="
     },
     "send": {
       "version": "0.19.2",
@@ -2693,6 +3219,21 @@
         "side-channel-map": "^1.0.1"
       }
     },
+    "simple-concat": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/simple-concat/-/simple-concat-1.0.1.tgz",
+      "integrity": "sha512-cSFtAPtRhljv69IK0hTVZQ+OfE9nePi/rtJmw5UjHeVyVroEqJXP1sFztKUy1qU+xvz3u/sfYJLa947b7nAN2Q=="
+    },
+    "simple-get": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/simple-get/-/simple-get-4.0.1.tgz",
+      "integrity": "sha512-brv7p5WgH0jmQJr1ZDDfKDOSeWWg+OVypG99A/5vYGPqJ6pxiaHLy8nxtFjBA7oMa01ebA9gfh1uMCFqOuXxvA==",
+      "requires": {
+        "decompress-response": "^6.0.0",
+        "once": "^1.3.1",
+        "simple-concat": "^1.0.0"
+      }
+    },
     "simple-update-notifier": {
       "version": "2.0.0",
       "resolved": "https://registry.npmjs.org/simple-update-notifier/-/simple-update-notifier-2.0.0.tgz",
@@ -2713,6 +3254,14 @@
       "resolved": "https://registry.npmjs.org/statuses/-/statuses-2.0.2.tgz",
       "integrity": "sha512-DvEy55V3DB7uknRo+4iOGT5fP1slR8wQohVdknigZPMpMstaKJQWhwiYBACJE3Ul2pTnATihhBYnRhZQHGBiRw=="
     },
+    "string_decoder": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.3.0.tgz",
+      "integrity": "sha512-hkRX8U1WjJFd8LsDJ2yQ/wWWxaopEsABU1XfkM8A+j0+85JAGppt16cr1Whg6KIbb4okU6Mql6BOj+uup/wKeA==",
+      "requires": {
+        "safe-buffer": "~5.2.0"
+      }
+    },
     "string-width": {
       "version": "4.2.3",
       "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz",
@@ -2733,6 +3282,11 @@
         "ansi-regex": "^5.0.1"
       }
     },
+    "strip-json-comments": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/strip-json-comments/-/strip-json-comments-2.0.1.tgz",
+      "integrity": "sha512-4gB8na07fecVVkOI6Rs4e7T6NOTki5EmL7TUduTs6bu3EdnSycntVJ4re8kgZA+wx9IueI2Y11bfbgwtzuE0KQ=="
+    },
     "supports-color": {
       "version": "8.1.1",
       "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-8.1.1.tgz",
@@ -2742,6 +3296,29 @@
         "has-flag": "^4.0.0"
       }
     },
+    "tar-fs": {
+      "version": "2.1.4",
+      "resolved": "https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.4.tgz",
+      "integrity": "sha512-mDAjwmZdh7LTT6pNleZ05Yt65HC3E+NiQzl672vQG38jIrehtJk/J3mNwIg+vShQPcLF/LV7CMnDW6vjj6sfYQ==",
+      "requires": {
+        "chownr": "^1.1.1",
+        "mkdirp-classic": "^0.5.2",
+        "pump": "^3.0.0",
+        "tar-stream": "^2.1.4"
+      }
+    },
+    "tar-stream": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/tar-stream/-/tar-stream-2.2.0.tgz",
+      "integrity": "sha512-ujeqbceABgwMZxEJnk2HDY2DlnUZ+9oEcb1KzTVfYHio0UE6dG71n60d8D2I4qNvleWrrXpmjpt7vZeF1LnMZQ==",
+      "requires": {
+        "bl": "^4.0.3",
+        "end-of-stream": "^1.4.1",
+        "fs-constants": "^1.0.0",
+        "inherits": "^2.0.3",
+        "readable-stream": "^3.1.1"
+      }
+    },
     "to-regex-range": {
       "version": "5.0.1",
       "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz",
@@ -2774,6 +3351,14 @@
       "integrity": "sha512-oJFu94HQb+KVduSUQL7wnpmqnfmLsOA/nAh6b6EH0wCEoK0/mPeXU6c3wKDV83MkOuHPRHtSXKKU99IBazS/2w==",
       "dev": true
     },
+    "tunnel-agent": {
+      "version": "0.6.0",
+      "resolved": "https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.6.0.tgz",
+      "integrity": "sha512-McnNiV1l8RYeY8tBgEpuodCC1mLUdbSN+CYBL7kJsJNInOP8UjDDEwdk6Mw60vdLLrr5NHKZhMAOSrR2NZuQ+w==",
+      "requires": {
+        "safe-buffer": "^5.0.1"
+      }
+    },
     "type-is": {
       "version": "1.6.18",
       "resolved": "https://registry.npmjs.org/type-is/-/type-is-1.6.18.tgz",
@@ -2794,6 +3379,11 @@
       "resolved": "https://registry.npmjs.org/unpipe/-/unpipe-1.0.0.tgz",
       "integrity": "sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ=="
     },
+    "util-deprecate": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz",
+      "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw=="
+    },
     "utils-merge": {
       "version": "1.0.1",
       "resolved": "https://registry.npmjs.org/utils-merge/-/utils-merge-1.0.1.tgz",
@@ -2815,6 +3405,11 @@
         "strip-ansi": "^6.0.0"
       }
     },
+    "wrappy": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz",
+      "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ=="
+    },
     "y18n": {
       "version": "5.0.8",
       "resolved": "https://registry.npmjs.org/y18n/-/y18n-5.0.8.tgz",
diff --git a/package.json b/package.json
index 451f907..fd0a8c9 100644
--- a/package.json
+++ b/package.json
@@ -7,17 +7,18 @@
     "dev": "nodemon server/index.js",
     "start": "node server/index.js",
     "install:all": "npm install",
-    "audit": "npm audit --audit-level=moderate",
-    "audit:fix": "npm audit fix"
+    "audit": "npm audit --audit-level=high",
+    "audit:fix": "npm audit fix",
+    "audit:critical": "npm audit --audit-level=critical"
   },
   "dependencies": {
     "axios": "^1.6.0",
+    "better-sqlite3": "^9.0.0",
     "cookie-parser": "^1.4.6",
-    "cors": "^2.8.5",
     "dotenv": "^16.3.1",
     "express": "^4.18.2",
-    "express-rate-limit": "^6.7.0",
-    "helmet": "^4.6.0"
+    "express-rate-limit": "^7.0.0",
+    "helmet": "^7.0.0"
   },
   "devDependencies": {
     "concurrently": "^7.6.0",
diff --git a/public/app.js b/public/app.js
index 75a38ec..f798355 100644
--- a/public/app.js
+++ b/public/app.js
@@ -4,6 +4,7 @@ let refreshInterval = null;
 let currentRefreshRate = 5000; // default 5 seconds
 let isAdmin = false;
 let showAll = false;
+let csrfToken = null; // double-submit CSRF token, sent as X-CSRF-Token on mutating requests
 const SPLASH_MIN_MS = 1200; // minimum splash display time
 
 // Apply saved theme immediately (before DOMContentLoaded to avoid flash)
@@ -118,9 +119,15 @@ function dismissSplash(startTime) {
 async function checkAuthentication() {
   const splashStart = Date.now();
   try {
-    const response = await fetch('/api/auth/me');
-    const data = await response.json();
-    
+    // Fetch both auth state and a fresh CSRF token in parallel
+    const [meRes, csrfRes] = await Promise.all([
+      fetch('/api/auth/me'),
+      fetch('/api/auth/csrf')
+    ]);
+    const data = await meRes.json();
+    const csrfData = await csrfRes.json();
+    if (csrfData.csrfToken) csrfToken = csrfData.csrfToken;
+
     if (data.authenticated) {
       currentUser = data.user;
       isAdmin = !!data.user.isAdmin;
@@ -160,6 +167,8 @@ async function handleLogin(e) {
     if (data.success) {
       currentUser = data.user;
       isAdmin = !!data.user.isAdmin;
+      // Store CSRF token returned by login for use in subsequent requests
+      if (data.csrfToken) csrfToken = data.csrfToken;
       // Fade out login, then show splash while loading data.
       // requestAnimationFrame ensures the browser paints the splash at
       // opacity:1 before dismissSplash adds fade-out, so the CSS
@@ -185,9 +194,11 @@ async function handleLogout() {
   try {
     stopAutoRefresh();
     await fetch('/api/auth/logout', {
-      method: 'POST'
+      method: 'POST',
+      headers: csrfToken ? { 'X-CSRF-Token': csrfToken } : {}
     });
     currentUser = null;
+    csrfToken = null;
     downloads = [];
     showLogin();
   } catch (err) {
diff --git a/server/index.js b/server/index.js
index fd59923..729cbde 100644
--- a/server/index.js
+++ b/server/index.js
@@ -2,6 +2,8 @@ const express = require('express');
 const path = require('path');
 const cookieParser = require('cookie-parser');
 const helmet = require('helmet');
+const rateLimit = require('express-rate-limit');
+const crypto = require('crypto');
 const fs = require('fs');
 require('dotenv').config();
 
@@ -10,7 +12,29 @@ require('dotenv').config();
 const LOG_LEVELS = { debug: 0, info: 1, warn: 2, error: 3, silent: 4 };
 const currentLevel = LOG_LEVELS[(process.env.LOG_LEVEL || 'info').toLowerCase()] || 1;
 
-const logFile = fs.createWriteStream(path.join(__dirname, '../server.log'), { flags: 'a' });
+// Log file lives in DATA_DIR so the non-root container user can write to it
+const DATA_DIR = process.env.DATA_DIR || path.join(__dirname, '../data');
+if (!fs.existsSync(DATA_DIR)) fs.mkdirSync(DATA_DIR, { recursive: true });
+
+const LOG_PATH = path.join(DATA_DIR, 'server.log');
+const LOG_MAX_BYTES = 10 * 1024 * 1024; // 10 MB per file
+const LOG_KEEP = 3;                      // keep 3 rotated files
+
+function rotateLogIfNeeded() {
+  try {
+    const stat = fs.statSync(LOG_PATH);
+    if (stat.size < LOG_MAX_BYTES) return;
+    for (let i = LOG_KEEP - 1; i >= 1; i--) {
+      const src = `${LOG_PATH}.${i}`;
+      const dst = `${LOG_PATH}.${i + 1}`;
+      if (fs.existsSync(src)) fs.renameSync(src, dst);
+    }
+    fs.renameSync(LOG_PATH, `${LOG_PATH}.1`);
+  } catch { /* ignore rotation errors — don't crash the server */ }
+}
+
+rotateLogIfNeeded();
+const logFile = fs.createWriteStream(LOG_PATH, { flags: 'a' });
 const originalConsoleLog = console.log;
 const originalConsoleError = console.error;
 const originalConsoleWarn = console.warn;
@@ -54,35 +78,173 @@ const radarrRoutes = require('./routes/radarr');
 const embyRoutes = require('./routes/emby');
 const dashboardRoutes = require('./routes/dashboard');
 const authRoutes = require('./routes/auth');
+const verifyCsrf = require('./middleware/verifyCsrf');
 const { startPoller, POLL_INTERVAL, POLLING_ENABLED } = require('./utils/poller');
 
+// ---------------------------------------------------------------------------
+// Startup environment validation
+// ---------------------------------------------------------------------------
+const cookieSecret = process.env.COOKIE_SECRET;
+if (!cookieSecret && process.env.NODE_ENV === 'production') {
+  console.error('[Security] COOKIE_SECRET is not set in production — aborting.');
+  process.exit(1);
+} else if (!cookieSecret) {
+  console.warn('[Security] COOKIE_SECRET not set — unsigned cookies (dev only)');
+}
+if (!process.env.EMBY_URL && process.env.NODE_ENV === 'production') {
+  console.error('[Config] EMBY_URL is required');
+  process.exit(1);
+}
+
 const app = express();
 const PORT = process.env.PORT || 3001;
 
-app.use(helmet({
-  contentSecurityPolicy: false // SPA uses inline scripts; CSP requires a nonce/hash strategy
-}));
-
-const cookieSecret = process.env.COOKIE_SECRET;
-if (!cookieSecret && process.env.NODE_ENV === 'production') {
-  console.error('[Security] COOKIE_SECRET is not set in production — cookies are unsigned and can be tampered with!');
-  process.exit(1);
-} else if (!cookieSecret) {
-  console.warn('[Security] COOKIE_SECRET is not set — using unsigned cookies (acceptable for development only)');
+// ---------------------------------------------------------------------------
+// Trust proxy — required when behind Nginx/Caddy/Traefik so that
+// req.ip reflects the real client IP (not 127.0.0.1) and
+// req.secure is true when the upstream TLS is terminated by the proxy.
+// Set TRUST_PROXY=1 (or a specific IP/CIDR) via env.
+// ---------------------------------------------------------------------------
+if (process.env.TRUST_PROXY) {
+  const trustValue = /^\d+$/.test(process.env.TRUST_PROXY)
+    ? parseInt(process.env.TRUST_PROXY, 10)
+    : process.env.TRUST_PROXY;
+  app.set('trust proxy', trustValue);
 }
-app.use(cookieParser(cookieSecret || undefined));
-app.use(express.json());
-app.use(express.static(path.join(__dirname, '../public')));
 
+// ---------------------------------------------------------------------------
+// Helmet v7 — security response headers
+// CSP uses a per-request nonce injected into index.html so inline scripts
+// and styles are allowed only with a valid nonce, not blanket unsafe-inline.
+// ---------------------------------------------------------------------------
+app.use((req, res, next) => {
+  // Generate a fresh nonce for every request
+  res.locals.cspNonce = crypto.randomBytes(16).toString('base64');
+  next();
+});
+
+app.use((req, res, next) => {
+  helmet({
+    contentSecurityPolicy: {
+      directives: {
+        defaultSrc: ["'self'"],
+        scriptSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`],
+        styleSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`],
+        imgSrc: ["'self'", 'data:', 'blob:'],
+        fontSrc: ["'self'", 'data:'],
+        connectSrc: ["'self'"],
+        objectSrc: ["'none'"],
+        baseUri: ["'self'"],
+        frameAncestors: ["'none'"],
+        formAction: ["'self'"],
+        upgradeInsecureRequests: process.env.NODE_ENV === 'production' ? [] : null
+      }
+    },
+    hsts: {
+      maxAge: 31536000,       // 1 year
+      includeSubDomains: true,
+      preload: true
+    },
+    referrerPolicy: { policy: 'strict-origin-when-cross-origin' },
+    crossOriginEmbedderPolicy: false // not needed for this SPA
+  })(req, res, next);
+});
+
+// Permissions-Policy — disable powerful browser features not needed by the app
+app.use((req, res, next) => {
+  res.setHeader(
+    'Permissions-Policy',
+    'camera=(), microphone=(), geolocation=(), payment=(), usb=()'
+  );
+  next();
+});
+
+// ---------------------------------------------------------------------------
+// General API rate limiter — applies to all /api/* routes
+// More specific limiters (e.g. login) apply on top of this.
+// ---------------------------------------------------------------------------
+const apiLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000,   // 15 minutes
+  max: 300,                    // 300 requests per IP per window (generous for polling)
+  standardHeaders: true,
+  legacyHeaders: false,
+  message: { error: 'Too many requests, please try again later' }
+});
+
+// ---------------------------------------------------------------------------
+// Body parsing & cookies
+// ---------------------------------------------------------------------------
+app.use(cookieParser(cookieSecret || undefined));
+app.use(express.json({ limit: '64kb' })); // prevent oversized JSON payloads
+
+// ---------------------------------------------------------------------------
+// Health / readiness endpoints (no auth, no rate-limit)
+// Used by Docker HEALTHCHECK and orchestrators.
+// ---------------------------------------------------------------------------
+app.get('/health', (req, res) => {
+  res.json({ status: 'ok', uptime: process.uptime() });
+});
+
+app.get('/ready', (req, res) => {
+  // Confirm critical config is present
+  const ready = !!(process.env.EMBY_URL);
+  if (ready) {
+    res.json({ status: 'ready' });
+  } else {
+    res.status(503).json({ status: 'not ready', reason: 'EMBY_URL not configured' });
+  }
+});
+
+// ---------------------------------------------------------------------------
+// Static files — served before API routes
+// index.html is served manually so we can inject the CSP nonce
+// ---------------------------------------------------------------------------
+const PUBLIC_DIR = path.join(__dirname, '../public');
+const INDEX_HTML = path.join(PUBLIC_DIR, 'index.html');
+
+// Serve all static assets (js, css, images, icons) except index.html
+app.use(express.static(PUBLIC_DIR, { index: false }));
+
+// Serve index.html with nonce injected into the <script> and <link> tags
+function serveIndex(req, res) {
+  fs.readFile(INDEX_HTML, 'utf8', (err, html) => {
+    if (err) return res.status(500).send('Internal Server Error');
+    const nonce = res.locals.cspNonce;
+    // Inject nonce into <script> and <link rel="stylesheet"> tags
+    const patched = html
+      .replace(/<script([^>]*)>/gi, `<script nonce="${nonce}"$1>`)
+      .replace(/<link([^>]*rel=["']stylesheet["'][^>]*)>/gi, `<link nonce="${nonce}"$1>`);
+    res.setHeader('Content-Type', 'text/html; charset=utf-8');
+    res.send(patched);
+  });
+}
+
+// ---------------------------------------------------------------------------
+// API routes (rate-limited; auth routes exempt CSRF for login/csrf endpoints)
+// CSRF protection applies to all state-changing /api/* requests except
+// /api/auth/login (pre-auth) and /api/auth/csrf (issues the token).
+// ---------------------------------------------------------------------------
+app.use('/api', apiLimiter);
+app.use('/api/auth', authRoutes);
+
+// All routes below this point require CSRF validation on mutating methods
+app.use('/api', verifyCsrf);
 app.use('/api/sabnzbd', sabnzbdRoutes);
 app.use('/api/sonarr', sonarrRoutes);
 app.use('/api/radarr', radarrRoutes);
 app.use('/api/emby', embyRoutes);
 app.use('/api/dashboard', dashboardRoutes);
-app.use('/api/auth', authRoutes);
 
-app.get('/', (req, res) => {
-  res.sendFile(path.join(__dirname, '../public/index.html'));
+// SPA catch-all — serve index.html for any unmatched path
+app.get('*', serveIndex);
+
+// ---------------------------------------------------------------------------
+// Global error handler — never leak stack traces to clients
+// ---------------------------------------------------------------------------
+// eslint-disable-next-line no-unused-vars
+app.use((err, req, res, next) => {
+  console.error('[Server] Unhandled error:', err.message);
+  res.status(500).json({ error: 'Internal server error' });
 });
 
 app.listen(PORT, () => {
@@ -91,6 +253,7 @@ app.listen(PORT, () => {
   console.log(`  Server running on port ${PORT}`);
   console.log(`  Log level: ${process.env.LOG_LEVEL || 'info'}`);
   console.log(`  Polling: ${POLLING_ENABLED ? POLL_INTERVAL + 'ms' : 'disabled (on-demand)'}`);
+  console.log(`  Trust proxy: ${process.env.TRUST_PROXY || 'disabled'}`);
   console.log(`=================================`);
   startPoller();
 });
diff --git a/server/middleware/verifyCsrf.js b/server/middleware/verifyCsrf.js
new file mode 100644
index 0000000..6026870
--- /dev/null
+++ b/server/middleware/verifyCsrf.js
@@ -0,0 +1,42 @@
+/**
+ * CSRF protection using the double-submit cookie pattern.
+ *
+ * On login the server issues a random `csrf_token` cookie (httpOnly:false
+ * so JS can read it). The SPA must send the same value in the
+ * `X-CSRF-Token` request header for every state-changing request (POST,
+ * PUT, PATCH, DELETE).
+ *
+ * Because the `sameSite: strict` session cookie already provides strong
+ * protection in modern browsers, this acts as defence-in-depth for
+ * older browsers and any edge cases.
+ *
+ * Safe methods (GET, HEAD, OPTIONS) are exempted.
+ */
+
+const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
+
+function verifyCsrf(req, res, next) {
+  if (SAFE_METHODS.has(req.method)) return next();
+
+  const cookieToken = req.cookies.csrf_token;
+  const headerToken = req.headers['x-csrf-token'];
+
+  if (!cookieToken || !headerToken) {
+    return res.status(403).json({ error: 'CSRF token missing' });
+  }
+
+  // Constant-time comparison to prevent timing attacks
+  if (cookieToken.length !== headerToken.length) {
+    return res.status(403).json({ error: 'CSRF token invalid' });
+  }
+
+  const a = Buffer.from(cookieToken);
+  const b = Buffer.from(headerToken);
+  if (!require('crypto').timingSafeEqual(a, b)) {
+    return res.status(403).json({ error: 'CSRF token invalid' });
+  }
+
+  next();
+}
+
+module.exports = verifyCsrf;
diff --git a/server/routes/auth.js b/server/routes/auth.js
index 1b82a21..0f34dc7 100644
--- a/server/routes/auth.js
+++ b/server/routes/auth.js
@@ -4,30 +4,19 @@ const crypto = require('crypto');
 const rateLimit = require('express-rate-limit');
 const router = express.Router();
 
+// Persistent SQLite-backed token store — survives restarts
+const { storeToken, getToken, clearToken } = require('../utils/tokenStore');
+
 const EMBY_URL = process.env.EMBY_URL;
 
-// Server-side token store: userId -> { accessToken }
-// Keeps AccessToken off the client; required for logout revocation.
-const tokenStore = new Map();
-
-function storeToken(userId, accessToken) {
-  tokenStore.set(userId, { accessToken });
-}
-
-function getToken(userId) {
-  return tokenStore.get(userId) || null;
-}
-
-function clearToken(userId) {
-  tokenStore.delete(userId);
-}
-
 
+// Strict login limiter: 10 attempts per 15 min, then locked for the window
 const loginLimiter = rateLimit({
-  windowMs: 15 * 60 * 1000, // 15 minutes
+  windowMs: 15 * 60 * 1000,
   max: 10,
   standardHeaders: true,
   legacyHeaders: false,
+  skipSuccessfulRequests: true, // only count failures toward the limit
   message: { success: false, error: 'Too many login attempts, please try again later' }
 });
 
@@ -35,15 +24,23 @@ const loginLimiter = rateLimit({
 router.post('/login', loginLimiter, async (req, res) => {
   try {
     const { username, password, rememberMe } = req.body;
+
+    // Input validation — reject obviously invalid inputs before hitting Emby
+    if (typeof username !== 'string' || username.trim().length === 0 || username.length > 128) {
+      return res.status(400).json({ success: false, error: 'Invalid username' });
+    }
+    if (typeof password !== 'string' || password.length === 0 || password.length > 256) {
+      return res.status(400).json({ success: false, error: 'Invalid password' });
+    }
     
-    console.log(`[Auth] Attempting login for user: ${username}`);
+    console.log(`[Auth] Attempting login for user: ${username.trim()}`);
     
     // Authenticate with Emby using a stable DeviceId derived from the username.
     // Using a deterministic DeviceId causes Emby to reuse the existing session
     // for this device rather than creating a new one on each login.
-    const stableDeviceId = 'sofarr-' + crypto.createHash('sha256').update(username.toLowerCase()).digest('hex').slice(0, 16);
+    const stableDeviceId = 'sofarr-' + crypto.createHash('sha256').update(username.trim().toLowerCase()).digest('hex').slice(0, 16);
     const authResponse = await axios.post(`${EMBY_URL}/Users/authenticatebyname`, {
-      Username: username,
+      Username: username.trim(),
       Pw: password
     }, {
       headers: {
@@ -70,22 +67,36 @@ router.post('/login', loginLimiter, async (req, res) => {
     // Set authentication cookie (signed when COOKIE_SECRET is set).
     // rememberMe=true  → persistent cookie, expires in 30 days
     // rememberMe=false → session cookie, expires when browser closes
+    // secure is always true — the app should sit behind HTTPS in production;
+    // behind a reverse proxy set TRUST_PROXY=1 so req.secure works correctly.
     const cookiePayload = JSON.stringify({ id: user.Id, name: user.Name, isAdmin });
     const signed = !!process.env.COOKIE_SECRET;
     const cookieOptions = {
       httpOnly: true,
       secure: process.env.NODE_ENV === 'production',
       sameSite: 'strict',
-      signed
+      signed,
+      path: '/'
     };
     if (rememberMe) {
       cookieOptions.maxAge = 30 * 24 * 60 * 60 * 1000; // 30 days
     }
     res.cookie('emby_user', cookiePayload, cookieOptions);
+
+    // Issue a CSRF token tied to this session so state-changing endpoints
+    // can validate the double-submit cookie pattern
+    const csrfToken = crypto.randomBytes(32).toString('hex');
+    res.cookie('csrf_token', csrfToken, {
+      httpOnly: false, // intentionally readable by JS for the double-submit pattern
+      secure: process.env.NODE_ENV === 'production',
+      sameSite: 'strict',
+      path: '/'
+    });
     
     res.json({
       success: true,
-      user: { id: user.Id, name: user.Name, isAdmin }
+      user: { id: user.Id, name: user.Name, isAdmin },
+      csrfToken
     });
   } catch (error) {
     console.error(`[Auth] Login failed:`, error.message);
@@ -122,6 +133,19 @@ router.get('/me', (req, res) => {
   });
 });
 
+// CSRF token refresh — lets the SPA get a new token without re-logging-in
+// (e.g. after a page reload where the JS variable was lost)
+router.get('/csrf', (req, res) => {
+  const csrfToken = crypto.randomBytes(32).toString('hex');
+  res.cookie('csrf_token', csrfToken, {
+    httpOnly: false,
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: 'strict',
+    path: '/'
+  });
+  res.json({ csrfToken });
+});
+
 // Logout
 router.post('/logout', async (req, res) => {
   const user = parseSessionCookie(req);
@@ -143,7 +167,14 @@ router.post('/logout', async (req, res) => {
     httpOnly: true,
     secure: process.env.NODE_ENV === 'production',
     sameSite: 'strict',
-    signed: !!process.env.COOKIE_SECRET
+    signed: !!process.env.COOKIE_SECRET,
+    path: '/'
+  });
+  res.clearCookie('csrf_token', {
+    httpOnly: false,
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: 'strict',
+    path: '/'
   });
   res.json({ success: true });
 });
diff --git a/server/utils/sanitizeError.js b/server/utils/sanitizeError.js
index 47af741..b0a479e 100644
--- a/server/utils/sanitizeError.js
+++ b/server/utils/sanitizeError.js
@@ -1,14 +1,19 @@
-const API_KEY_PATTERN = /([?&]apikey=)[^&\s]*/gi;
-const TOKEN_PATTERN = /([?&]token=)[^&\s]*/gi;
-const HEADER_PATTERN = /x-(?:api-key|mediabrowser-token|emby-authorization):[^\s,]*/gi;
+// Query-param secrets (SABnzbd apikey, generic token/password params)
+const QUERY_SECRET_PATTERN = /([?&](?:apikey|token|password|api_key|key|secret)=)[^&\s#]*/gi;
+// HTTP auth header values (X-Api-Key, X-MediaBrowser-Token, Authorization, X-Emby-Authorization)
+const HEADER_PATTERN = /(?:x-api-key|x-mediabrowser-token|x-emby-authorization|authorization)\s*:\s*\S+/gi;
+// Bearer tokens
+const BEARER_PATTERN = /bearer\s+[A-Za-z0-9\-._~+/]+=*/gi;
+// Basic auth credentials in URLs (http://user:pass@host)
+const BASIC_AUTH_URL_PATTERN = /\/\/[^:@/\s]+:[^@/\s]+@/gi;
 
 function sanitizeError(err) {
-  let msg = err.message || String(err);
-  // Redact API keys in URLs (SABnzbd passes apikey as query param)
-  msg = msg.replace(API_KEY_PATTERN, '$1[REDACTED]');
-  msg = msg.replace(TOKEN_PATTERN, '$1[REDACTED]');
-  // Redact auth header values if they appear in the message
-  msg = msg.replace(HEADER_PATTERN, (m) => m.split(':')[0] + ':[REDACTED]');
+  let msg = (err && err.message) ? err.message : String(err);
+  msg = msg.replace(QUERY_SECRET_PATTERN, '$1[REDACTED]');
+  msg = msg.replace(HEADER_PATTERN, (m) => m.split(/[\s:]/)[0] + ':[REDACTED]');
+  msg = msg.replace(BEARER_PATTERN, 'bearer [REDACTED]');
+  msg = msg.replace(BASIC_AUTH_URL_PATTERN, '//[REDACTED]@');
+  // Never leak stack traces to API responses
   return msg;
 }
 
diff --git a/server/utils/tokenStore.js b/server/utils/tokenStore.js
new file mode 100644
index 0000000..4555a2e
--- /dev/null
+++ b/server/utils/tokenStore.js
@@ -0,0 +1,83 @@
+/**
+ * Persistent token store backed by SQLite (better-sqlite3).
+ *
+ * Survives process restarts — Emby tokens remain valid across deploys
+ * and container restarts, so users do not need to re-login after an
+ * update. Tokens are stored in DATA_DIR/tokens.db (default: /app/data
+ * inside the container, or ./data locally).
+ *
+ * Schema: tokens(userId TEXT PK, accessToken TEXT, createdAt INTEGER)
+ *
+ * Expired rows (older than TOKEN_TTL_DAYS) are pruned on startup and
+ * once per hour, preventing unbounded growth.
+ */
+
+const Database = require('better-sqlite3');
+const path = require('path');
+const fs = require('fs');
+
+const TOKEN_TTL_DAYS = 31; // slightly longer than max cookie lifetime
+const DATA_DIR = process.env.DATA_DIR || path.join(__dirname, '../../data');
+
+// Ensure data directory exists (non-root writable in container)
+if (!fs.existsSync(DATA_DIR)) {
+  fs.mkdirSync(DATA_DIR, { recursive: true });
+}
+
+const DB_PATH = path.join(DATA_DIR, 'tokens.db');
+const db = new Database(DB_PATH);
+
+// WAL mode for better concurrent read performance
+db.pragma('journal_mode = WAL');
+db.pragma('foreign_keys = ON');
+
+db.exec(`
+  CREATE TABLE IF NOT EXISTS tokens (
+    userId      TEXT PRIMARY KEY,
+    accessToken TEXT NOT NULL,
+    createdAt   INTEGER NOT NULL DEFAULT (strftime('%s','now'))
+  )
+`);
+
+const storeToken = db.prepare(
+  `INSERT OR REPLACE INTO tokens (userId, accessToken, createdAt)
+   VALUES (?, ?, strftime('%s','now'))`
+);
+
+const getTokenStmt = db.prepare(
+  `SELECT accessToken FROM tokens WHERE userId = ?`
+);
+
+const clearTokenStmt = db.prepare(
+  `DELETE FROM tokens WHERE userId = ?`
+);
+
+const pruneStmt = db.prepare(
+  `DELETE FROM tokens WHERE createdAt < strftime('%s','now') - ?`
+);
+
+const TTL_SECONDS = TOKEN_TTL_DAYS * 24 * 60 * 60;
+
+function prune() {
+  const result = pruneStmt.run(TTL_SECONDS);
+  if (result.changes > 0) {
+    console.log(`[TokenStore] Pruned ${result.changes} expired token(s)`);
+  }
+}
+
+// Prune on startup and every hour
+prune();
+setInterval(prune, 60 * 60 * 1000).unref();
+
+module.exports = {
+  storeToken(userId, accessToken) {
+    storeToken.run(userId, accessToken);
+  },
+  getToken(userId) {
+    const row = getTokenStmt.get(userId);
+    return row ? { accessToken: row.accessToken } : null;
+  },
+  clearToken(userId) {
+    clearTokenStmt.run(userId);
+  }
+};