Web Security Hardening

Security audit checklist for web applications. Run through each item when reviewing or building web apps.

Audit Workflow

1. Identify the framework (Node.js/Express, Python/Django/Flask, etc.)
2. Review each checklist item below
3. For implementation details, see framework-specific references:
   • Node.js/Express: See references/nodejs.md
   • Python/Django/Flask: See references/python.md
4. For production deployments, see references/production-gcp.md for extended checklist covering:
   • GCP infrastructure (IAM, networking, secrets)
   • CI/CD pipeline security
   • Monitoring & incident response
5. Report findings with severity and remediation steps

Security Checklist

1. Rate Limiting

Risk: DoS attacks, brute force attempts, API abuse

Check for:

• Per-endpoint rate limits (stricter on auth endpoints)
• Rate limit headers in responses (X-RateLimit-*)
• Appropriate limits for different user tiers

2. Security & Authorization Headers

Risk: XSS, clickjacking, MIME sniffing, info leakage

Required headers:

• Strict-Transport-Security (HSTS)
• X-Content-Type-Options: nosniff
• X-Frame-Options: DENY or SAMEORIGIN
• Content-Security-Policy
• Authorization header validation on protected routes

3. IP Block List (Public APIs)

Risk: Abuse from known bad actors, bot traffic

Check for:

• IP-based blocking mechanism
• Integration with threat intelligence feeds (optional)
• Logging of blocked requests

4. CORS Configuration

Risk: Unauthorized cross-origin requests, data theft

Check for:

• Explicit origin whitelist (not * in production)
• Appropriate methods and headers allowed
• Credentials handling if needed

5. Security Middleware

Risk: Common web vulnerabilities

Check for framework-appropriate middleware:

• Node.js: helmet
• Python: django-secure, flask-talisman
• Sets multiple security headers automatically

6. Input Validation

Risk: Injection attacks, data corruption, XSS

Check for:

• Frontend validation (UX, not security)
• Backend validation (required for security)
• Schema validation libraries (Zod, Joi, Pydantic, etc.)
• Sanitization of user input before storage/display

7. File Upload Limits

Risk: Storage exhaustion, malicious file uploads

Check for:

• Max file size limits
• Allowed file type restrictions (MIME + extension)
• File content validation (magic bytes)
• Secure storage location (outside webroot)

8. ORM for Database Access

Risk: SQL injection

Check for:

• Parameterized queries (never string concatenation)
• ORM usage (Prisma, Sequelize, SQLAlchemy, Django ORM)
• If raw SQL needed: prepared statements only

9. Password Hashing

Risk: Credential theft, rainbow table attacks

Check for:

• Strong algorithm: bcrypt, Argon2, or scrypt
• Appropriate cost factor (bcrypt rounds ≥10)
• No MD5, SHA1, or plain SHA256 for passwords
• No plaintext password storage or logging

Gotchas

• CORS credentials: true + origin: '*' fails silently in browsers — must specify explicit origin when using credentials
• helmet() defaults changed between v4 and v5 — CSP is no longer set by default in v5, must configure explicitly
• CSP unsafe-inline negates most XSS protection — if you need inline scripts, use nonces or hashes instead
• express.json() without limit accepts arbitrarily large payloads — always set limit: '1mb' or similar
• httpOnly cookies prevent XSS token theft but NOT CSRF — still need CSRF tokens or SameSite=Strict
• Rate limiting per IP fails behind reverse proxies — must set trust proxy and use X-Forwarded-For
• bcrypt silently truncates passwords at 72 bytes — use Argon2 for long passphrases or pre-hash with SHA-256

// WRONG: credentials with wildcard origin (silently fails)
app.use(cors({ origin: '*', credentials: true }));
// RIGHT: explicit origin
app.use(cors({ origin: 'https://app.example.com', credentials: true }));

// WRONG: helmet v5 without CSP (no longer set by default)
app.use(helmet());
// RIGHT: explicit CSP
app.use(helmet({ contentSecurityPolicy: { directives: { defaultSrc: ["'self'"] } } }));

Audit Report Format

## Security Audit: [App Name]

### Summary
- **Items Passing**: X/9
- **Critical Issues**: X
- **Recommendations**: X

### Findings

#### [Item Name] - [PASS/FAIL/PARTIAL]
**Severity**: Critical/High/Medium/Low
**Finding**: [Description]
**Location**: [File/endpoint]
**Remediation**: [Steps to fix]