Security Best Practices

Essential security patterns for web development.

Instructions

1. Environment Variables

# ✅ .env file (never commit)
DATABASE_URL=postgresql://...
JWT_SECRET=your-secret-key
API_KEY=xxx

# ✅ .gitignore
.env
.env.local
.env.*.local

// ✅ Access with validation
const dbUrl = process.env.DATABASE_URL;
if (!dbUrl) throw new Error('DATABASE_URL required');

2. XSS Prevention

// ❌ Bad - direct HTML injection
element.innerHTML = userInput;

// ✅ Good - use textContent
element.textContent = userInput;

// ✅ Good - sanitize if HTML needed
import DOMPurify from 'dompurify';
element.innerHTML = DOMPurify.sanitize(userInput);

3. SQL Injection Prevention

// ❌ Bad - string concatenation
const query = `SELECT * FROM users WHERE id = ${userId}`;

// ✅ Good - parameterized queries
const user = await prisma.user.findUnique({
  where: { id: userId }
});

// ✅ Good - prepared statements
const [rows] = await db.execute(
  'SELECT * FROM users WHERE id = ?',
  [userId]
);

4. Authentication

// ✅ Password hashing
import bcrypt from 'bcrypt';

const hash = await bcrypt.hash(password, 12);
const isValid = await bcrypt.compare(password, hash);

// ✅ JWT with expiration
const token = jwt.sign(
  { userId: user.id },
  process.env.JWT_SECRET,
  { expiresIn: '1h' }
);

5. Input Validation

import { z } from 'zod';

const UserSchema = z.object({
  email: z.string().email(),
  password: z.string().min(8),
  age: z.number().min(18).max(120)
});

// Validate before use
const result = UserSchema.safeParse(input);
if (!result.success) {
  throw new Error('Invalid input');
}

6. HTTPS & Headers

// ✅ Security headers
app.use(helmet());

// ✅ CORS configuration
app.use(cors({
  origin: ['https://yourdomain.com'],
  credentials: true
}));

7. Rate Limiting

import rateLimit from 'express-rate-limit';

const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100 // limit per IP
});

app.use('/api', limiter);

References

• OWASP Top 10
• Node.js Security Checklist