swagger2mcp

Verified Safe

by tomer1983

Overview

Transform OpenAPI/Swagger specifications into Model Context Protocol (MCP) servers, enabling secure and accurate LLM interaction with APIs.

Installation

Run Command
docker-compose up --build

Environment Variables

  • PORT
  • REDIS_HOST
  • REDIS_PORT
  • DATABASE_URL
  • JWT_SECRET
  • JWT_EXPIRES_IN
  • ALLOW_ANONYMOUS
  • ALLOWED_ORIGINS
  • FRONTEND_URL
  • VITE_API_URL
  • MICROSOFT_CLIENT_ID
  • MICROSOFT_CLIENT_SECRET
  • MICROSOFT_CALLBACK_URL
  • POSTGRES_USER
  • POSTGRES_PASSWORD
  • POSTGRES_DB
  • NODE_ENV

Security Notes

The project demonstrates strong security awareness and implements several best practices, including robust authentication (JWT, OAuth2, RBAC), input validation (file size, crawl depth, file type), application-level rate limiting, and HTTP-only cookies for session management. Critical security concerns identified during development (e.g., global CORS, localStorage for sessions) have been documented as fixed. Production Dockerfiles use non-root users. Hardcoded secrets in `docker-compose.yml` are clearly marked for development use and are replaced by environment variables in `docker-compose.production.yml`. Detailed error messages are sanitized for client responses. Webhook payloads can be HMAC signed. Potential risks like excessive web crawling are mitigated with rate limiting and depth control.

Stats

Interest Score: 40
Security Score: 8
Cost Class: Medium
Avg Tokens: 1000
Stars: 2
Forks: 0
Last Update: 2025-12-13

Tags

OpenAPI, Swagger, MCP, Code Generation, API Gateway, LLM Tools, Web Crawling, Docker