# Security Audit & Implementation Guide ## 🔒 Security Checklist ### ✅ Already Implemented - [x] Parameterized SQL queries (prevents SQL injection) - [x] Password hashing with bcryptjs (12 rounds) - [x] JWT token authentication - [x] Environment variables for secrets - [x] Secure password requirements ### 🔴 Critical Issues to Fix 1. [ ] CSRF protection missing 2. [ ] Rate limiting not implemented 3. [ ] Input sanitization incomplete 4. [ ] CORS may be too permissive 5. [ ] No request validation on some endpoints 6. [ ] Missing security headers 7. [ ] No refresh token strategy ### 🟡 High Priority 1. [ ] Add helmet.js for security headers 2. [ ] Implement express-validator on all inputs 3. [ ] Add rate limiting middleware 4. [ ] Implement CSRF tokens 5. [ ] Add request logging/audit 6. [ ] Validate environment variables at startup ### 🟢 Medium Priority 1. [ ] Add two-factor authentication 2. [ ] Implement refresh token rotation 3. [ ] Add API key authentication option 4. [ ] Implement audit logging 5. [ ] Add IP whitelisting option 6. [ ] Email verification --- ## 🚀 Implementation Plan ### 1. Install Security Packages ```bash npm install helmet express-rate-limit express-validator csrf ``` ### 2. Add Helmet.js (Security Headers) ```javascript const helmet = require('helmet'); app.use(helmet()); // Sets security headers like: // - Content-Security-Policy // - X-Frame-Options // - X-Content-Type-Options // - Strict-Transport-Security // - etc. ``` ### 3. Add Rate Limiting ```javascript const rateLimit = require('express-rate-limit'); const loginLimiter = rateLimit({ windowMs: 15 * 60 * 1000, // 15 minutes max: 5, // 5 requests per window message: 'Too many login attempts', standardHeaders: true, legacyHeaders: false, }); router.post('/login', loginLimiter, login); ``` ### 4. Add Input Validation ```javascript const { body, validationResult } = require('express-validator'); const validateRegister = [ body('email').isEmail().normalizeEmail(), body('password').isLength({ min: 8 }), body('name').trim().notEmpty(), ]; router.post('/register', validateRegister, (req, res) => { const errors = validationResult(req); if (!errors.isEmpty()) { return res.status(400).json({ errors: errors.array() }); } // ... continue }); ``` ### 5. Add CORS Security ```javascript const cors = require('cors'); app.use(cors({ origin: process.env.FRONTEND_URL || 'http://localhost:3000', credentials: true, optionsSuccessStatus: 200, methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH'], allowedHeaders: ['Content-Type', 'Authorization'], })); ``` ### 6. Add Security Monitoring ```javascript // Log suspicious activities app.use((req, res, next) => { if (req.body.password) { console.log(`[AUTH] ${req.method} ${req.path} from ${req.ip}`); } next(); }); ``` ### 7. Environment Variable Validation ```javascript const requiredEnvVars = [ 'JWT_SECRET', 'DATABASE_URL', 'NODE_ENV', 'PORT' ]; requiredEnvVars.forEach(varName => { if (!process.env[varName]) { console.error(`Missing required env var: ${varName}`); process.exit(1); } }); ``` ### 8. HTTPS Enforcement ```javascript // Add in production if (process.env.NODE_ENV === 'production') { app.use((req, res, next) => { if (req.header('x-forwarded-proto') !== 'https') { res.redirect(`https://${req.header('host')}${req.url}`); } else { next(); } }); } ``` ### 9. JWT Best Practices ```javascript // Use short expiration + refresh tokens generateToken = (userId, email) => { return jwt.sign( { userId, email }, process.env.JWT_SECRET, { expiresIn: '1h' } // Short-lived access token ); }; // Refresh token endpoint router.post('/refresh', (req, res) => { const refreshToken = req.cookies.refreshToken; // Verify and issue new access token }); ``` ### 10. Database Security - [ ] Use connection pooling - [ ] Set database user permissions (read-only for queries) - [ ] Enable SSL connections - [ ] Regular backups with encryption --- ## 📋 Testing Security ### Manual Testing Checklist - [ ] Try SQL injection on login: `email' OR '1'='1` - [ ] Try XSS injection: `` - [ ] Test rate limiting: 6+ rapid login attempts - [ ] Check for sensitive data in logs - [ ] Verify CORS errors on cross-domain requests - [ ] Check security headers with curl -I ### Automated Testing ```bash # Scan for vulnerabilities npm audit # Check security headers curl -I https://api.haznox.in # Check security.txt curl https://api.haznox.in/.well-known/security.txt ``` --- ## 🔑 Secrets Management ### Good Practice ``` ✅ Environment variables for secrets ✅ Never commit .env files ✅ Use different secrets for each environment ✅ Rotate secrets regularly ✅ Use vault/secrets manager in production ``` ### Current Issues ``` ❌ Some secrets might be in git history (check!) ❌ No secret rotation strategy ❌ Secrets in process.env (OK for now, but use vault later) ``` --- ## 🛡️ Additional Recommendations 1. **SSL/TLS:** Already configured (haznoxhosting.com has cert) 2. **API Keys:** Implement for service-to-service auth 3. **Webhooks:** Verify webhook signatures 4. **CDN:** Use for static assets (security + performance) 5. **DDoS Protection:** Use Cloudflare or similar 6. **WAF:** Consider Web Application Firewall 7. **Bug Bounty:** Setup responsible disclosure program 8. **Penetration Testing:** Annual professional security audit --- ## 🚨 Security Headers to Add ```javascript // Using helmet app.use(helmet({ contentSecurityPolicy: { directives: { defaultSrc: ["'self'"], styleSrc: ["'self'", "'unsafe-inline'"], scriptSrc: ["'self'", "accounts.google.com"], connectSrc: ["'self'", "api.haznox.in"], }, }, hsts: { maxAge: 31536000, includeSubDomains: true }, noSniff: true, xssFilter: true, referrerPolicy: { policy: 'strict-origin-when-cross-origin' }, })); ``` --- ## 📞 Security Incident Response 1. **Discover vulnerability:** - Don't panic, assess severity - Isolate affected systems if critical 2. **Fix immediately:** - Patch the vulnerability - Update secrets if compromised - Deploy hotfix 3. **Notify users (if needed):** - If data breach: notify within 72 hours - Explain impact clearly - Provide guidance 4. **Post-incident:** - Root cause analysis - Update security procedures - Add tests to prevent recurrence