Security Measures

Overview

The application incorporates several security measures to protect against common vulnerabilities and ensure safe operation. These measures include rate limiting, CORS configuration, and HTTP security headers.

Security Features

1. Rate Limiting

  • Library Used: express-rate-limit
  • Purpose: Prevents abuse by limiting the number of requests a client can make within a specified time window.
  • Configuration:
    • Window: 1 minute
    • Max Requests: 10,000 requests per IP
    • Response Message: "You have exceeded the request limit, please try again later."
    • Key Generator: Uses the client's IP address to track request counts.

2. CORS (Cross-Origin Resource Sharing)

  • Library Used: cors
  • Purpose: Allows controlled access to resources from different origins.
  • Configuration:
    • Enables credentials to be sent with requests.
    • Dynamically sets the Access-Control-Allow-Origin header based on the request's origin.
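Sending credentials while setting Access-Control-Allow-Origin from the request's origin is only safe when the origin is checked against an allowlist before it is echoed; the page does not say how the origin is validated. The following is an added example, not the project's code or the cors library's, using a constructed allowlist; it shows the checked form beside the reflect-anything form so the difference is visible in the returned headers.

```javascript
// Added example, not the project's code: how the Access-Control-Allow-Origin
// value should be chosen when credentials are enabled. The allowlist is a
// constructed assumption; the page does not say which origins the app trusts.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Hardened form: echo the request's Origin only when it is on the allowlist.
// Returns the CORS headers to add, or {} so the browser blocks the read.
function corsHeaders(requestOrigin, allowed = ALLOWED_ORIGINS) {
  if (!requestOrigin || !allowed.has(requestOrigin)) return {};
  return {
    // With credentials the value cannot be '*', so a concrete origin is echoed.
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    // The response differs per Origin, so shared caches must key on it.
    'Vary': 'Origin',
  };
}

// Weak form for comparison: reflects any Origin with credentials enabled,
// which lets every site make authenticated requests and read the responses.
function corsHeadersReflectAny(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Preflight (OPTIONS) response: 204 with no body. For a non-allowlisted
// origin no CORS headers are added, so the browser fails the preflight.
function preflightResponse(requestOrigin, allowed = ALLOWED_ORIGINS) {
  const headers = corsHeaders(requestOrigin, allowed);
  if (Object.keys(headers).length === 0) return { status: 204, headers: {} };
  return {
    status: 204,
    headers: {
      ...headers,
      'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE',
      'Access-Control-Allow-Headers': 'Content-Type, Authorization',
      'Access-Control-Max-Age': '600',
    },
  };
}

// Demonstration with constructed origins.
for (const origin of ['https://app.example.com', 'https://attacker.example']) {
  console.log(origin, '-> checked:', corsHeaders(origin), 'reflect-any:', corsHeadersReflectAny(origin));
}
```

The `Vary: Origin` header matters whenever the value is computed per request: without it a shared cache could serve one origin's Access-Control-Allow-Origin to another.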

3. HTTP Security Headers

  • Library Used: helmet
  • Purpose: Adds various HTTP headers to enhance security.
  • Features:
    • Content Security Policy (CSP):
      • Restricts sources for scripts, styles, images, and other resources.
      • Default policy: Only allows resources from the same origin ('self').
    • HTTP Strict Transport Security (HSTS):
      • Enforces HTTPS connections.
      • Configuration:
        • Max Age: 1 year
        • Includes subdomains
        • Preload enabled for browser HSTS preload lists.
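To check that a deployed instance actually sends the policy described above, it helps to have the exact header values and a small audit routine. The following is an added example, not helmet's code or the project's own: it serialises the two header values from the settings on this page and audits a response header map against them. The CSP directive map is an assumption limited to what the page states (default-src 'self'); the real application may set further directives.

```javascript
// Added example, not helmet's code or the project's own. It builds the two
// header values the page describes and audits a response header map against
// that policy. The CSP directive map is an assumption limited to what the
// page states (default-src 'self'); the real app may set more directives.
const ONE_YEAR_SECONDS = 31536000;

// Serialises a directive map into a Content-Security-Policy value.
function buildCsp(directives = { 'default-src': ["'self'"] }) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Serialises the page's HSTS settings: 1 year, subdomains, preload.
function buildHsts({ maxAge = ONE_YEAR_SECONDS, includeSubDomains = true, preload = true } = {}) {
  const parts = [`max-age=${maxAge}`];
  if (includeSubDomains) parts.push('includeSubDomains');
  if (preload) parts.push('preload');
  return parts.join('; ');
}

// Parses a Strict-Transport-Security value (directive names are case-insensitive).
function parseHsts(value) {
  const parsed = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of value.split(';')) {
    const token = raw.trim();
    const lower = token.toLowerCase();
    if (lower.startsWith('max-age=')) {
      parsed.maxAge = Number(token.slice('max-age='.length).replace(/"/g, ''));
    } else if (lower === 'includesubdomains') {
      parsed.includeSubDomains = true;
    } else if (lower === 'preload') {
      parsed.preload = true;
    }
  }
  return parsed;
}

// Parses a CSP value into { directive: [sources] }.
function parseCsp(value) {
  const out = {};
  for (const raw of value.split(';')) {
    const [name, ...sources] = raw.trim().split(/\s+/).filter(Boolean);
    if (name) out[name.toLowerCase()] = sources;
  }
  return out;
}

// Audits a response header map (lower-case names) against the page's policy
// and returns a list of findings; an empty list means the policy is met.
function auditSecurityHeaders(headers) {
  const findings = [];
  const csp = headers['content-security-policy'];
  if (!csp) {
    findings.push('missing Content-Security-Policy');
  } else {
    const d = parseCsp(csp);
    const broad = (s) => s === '*' || s === "'unsafe-inline'" || s === "'unsafe-eval'";
    if (!d['default-src']) findings.push('CSP has no default-src fallback');
    else if (d['default-src'].some(broad)) findings.push('CSP default-src allows overly broad sources');
  }
  const hsts = headers['strict-transport-security'];
  if (!hsts) {
    findings.push('missing Strict-Transport-Security');
  } else {
    const p = parseHsts(hsts);
    const longEnough = p.maxAge !== null && !Number.isNaN(p.maxAge) && p.maxAge >= ONE_YEAR_SECONDS;
    if (!longEnough) findings.push('HSTS max-age is below one year');
    if (!p.includeSubDomains) findings.push('HSTS does not cover subdomains');
    // The browser preload lists require both of these before a domain is accepted.
    if (p.preload && (!p.includeSubDomains || !longEnough)) findings.push('HSTS preload requires includeSubDomains and max-age >= 1 year');
  }
  return findings;
}

// Constructed responses: one matching the page's configuration, one weakened.
const good = { 'content-security-policy': buildCsp(), 'strict-transport-security': buildHsts() };
const weak = { 'content-security-policy': 'default-src *', 'strict-transport-security': 'max-age=300; preload' };
console.log('good:', auditSecurityHeaders(good));
console.log('weak:', auditSecurityHeaders(weak));
```

Run the audit against the header map of a real response (for example the headers object from a Node `http` client) to confirm the deployed policy matches the one documented here; a non-empty findings list is the signal to investigate.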

4. Proxy Trust

  • Configuration: app.set('trust proxy', true)
  • Purpose: Ensures the application correctly identifies the client's IP address when behind a proxy.
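The rate limiter and the proxy-trust setting interact: the limiter keys on the client IP, and with app.set('trust proxy', true) Express treats every X-Forwarded-For entry as trusted, so the client IP becomes the left-most value, which is the one the client itself supplied. express-rate-limit's built-in validation warns about exactly this setting (error code ERR_ERL_PERMISSIVE_TRUST_PROXY in recent versions); trusting only the number of proxy hops actually in front of the app keeps the key tied to the address the proxy observed. The following is an added example, not the project's code or express-rate-limit's source: a fixed-window limiter with the settings from this page plus a client-IP resolver that mirrors Express's hop semantics, run over a constructed scenario with addresses from the documentation ranges.

```javascript
// Added example, not the project's code or express-rate-limit's source.
// It shows (a) a fixed-window per-IP limiter with the page's settings and
// (b) how the IP used as the limiter key depends on the 'trust proxy' value.
const WINDOW_MS = 60 * 1000;      // 1 minute
const MAX_REQUESTS = 10000;       // per IP per window
const LIMIT_MESSAGE = 'You have exceeded the request limit, please try again later.';

// Resolves the client IP the way Express's 'trust proxy' does:
//   trustHops = Infinity  mirrors app.set('trust proxy', true): every
//                         X-Forwarded-For entry is trusted, so the left-most,
//                         client-supplied value becomes the client IP;
//   trustHops = 1         trusts only the peer that connected (the proxy) and
//                         takes the address that proxy appended;
//   trustHops = 0         ignores X-Forwarded-For entirely.
function clientIp(socketAddress, xForwardedFor, trustHops) {
  const chain = (xForwardedFor || '').split(',').map((s) => s.trim()).filter(Boolean);
  chain.push(socketAddress); // right-most hop: the peer we actually talked to
  const hop = Math.min(trustHops, chain.length - 1);
  return chain[chain.length - 1 - hop];
}

// In-memory fixed-window counter keyed by client IP, mirroring the page's
// window/max/message settings. `now` is injectable for deterministic tests.
class FixedWindowLimiter {
  constructor({ windowMs = WINDOW_MS, max = MAX_REQUESTS, now = Date.now } = {}) {
    this.windowMs = windowMs;
    this.max = max;
    this.now = now;
    this.hits = new Map(); // key -> { count, resetAt }
  }

  // Records one request for `key` and reports whether it is allowed.
  hit(key) {
    const t = this.now();
    let entry = this.hits.get(key);
    if (!entry || t >= entry.resetAt) {
      entry = { count: 0, resetAt: t + this.windowMs };
      this.hits.set(key, entry);
    }
    entry.count += 1;
    if (entry.count > this.max) {
      return {
        allowed: false,
        remaining: 0,
        retryAfterSec: Math.ceil((entry.resetAt - t) / 1000),
        message: LIMIT_MESSAGE,
      };
    }
    return { allowed: true, remaining: this.max - entry.count, retryAfterSec: 0 };
  }
}

// Constructed scenario: one client (203.0.113.7) behind the app's reverse
// proxy (10.0.0.2) sends `n` requests, each carrying a different client-chosen
// X-Forwarded-For prefix. The proxy appends the address it saw, so the header
// arrives as "<chosen>, 203.0.113.7". Returns how many requests were blocked.
function simulateSpoofedHeaders(trustHops, n, max = 3) {
  const limiter = new FixedWindowLimiter({ max });
  let blocked = 0;
  for (let i = 0; i < n; i += 1) {
    const key = clientIp('10.0.0.2', `198.51.100.${i}, 203.0.113.7`, trustHops);
    if (!limiter.hit(key).allowed) blocked += 1;
  }
  return blocked;
}

console.log('trust proxy = true ->', simulateSpoofedHeaders(Infinity, 10), 'of 10 blocked');
console.log('trust proxy = 1    ->', simulateSpoofedHeaders(1, 10), 'of 10 blocked');
```

With trust proxy true none of the ten requests is limited, because each one is counted under a different key; with one trusted hop they all count against the address the proxy recorded. The same applies to any per-IP control that reads req.ip, not only to the rate limiter.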

5. Body Parsing

  • Library Used: body-parser
  • Purpose: Safely parses incoming request bodies.
  • Configuration:
    • Parses URL-encoded data.
    • Parses JSON data.

6. Environment-Specific Logging

  • Purpose: Adjusts logging behavior based on the environment to prevent sensitive information from being logged in production.
  • Modes:
    • Production: Disables console.log and console.debug.
    • Preproduction: Similar to production.
    • Development: Enables detailed logging.
    • Testing: Disables most logging except for errors.

Notes

  • These measures collectively enhance the application's resilience against common attacks such as DDoS, XSS, and CSRF.
  • Proper configuration of environment variables (e.g., APP_ENVIRONMENT, PORT) is essential for optimal security.