security: implement CRITICAL and MEDIUM security fixes with environment profiles
This commit addresses all CRITICAL and MEDIUM security vulnerabilities
identified in the security audit with environment-aware configuration.
## Docker Compose Profiles
- Added docker-compose.dev.yml for development (relaxed security)
- Added docker-compose.prod.yml for production (strict security)
- Environment-specific configurations for rate limiting, CSRF, logging
## CRITICAL Fixes (P0)
1. Fixed insecure random number generation
- Replaced Math.random() with crypto.randomBytes() for verification codes
- Now cryptographically secure
2. Implemented rate limiting
- express-rate-limit for all endpoints
- Strict limits on auth endpoints (5 attempts in dev=off, prod=5)
- Email endpoint limits (20 in dev, 3 in prod)
- API-wide rate limiting
3. Added request body size limits
- Development: 50MB (for testing)
- Production: 10KB (security)
4. Fixed user enumeration vulnerability
- Generic error message for registration
- No disclosure of which field exists
5. Added security headers
- helmet.js with CSP, HSTS, XSS protection
- No-sniff, hide powered-by headers
## MEDIUM Fixes (P1)
6. Strengthened password policy
- Environment-aware validation (8+ chars)
- Production: requires uppercase, lowercase, number
- Development: relaxed for testing
7. Enhanced input validation
- Validation for all auth endpoints
- WSDC ID validation (numeric, max 10 digits)
- Name validation (safe characters only)
- Email normalization
8. Added input sanitization
- DOMPurify for XSS prevention
- Sanitize all user inputs in emails
- Timing-safe string comparison for tokens
9. Improved error handling
- Generic errors in production
- Detailed errors only in development
- Proper error logging
10. Enhanced CORS configuration
- Whitelist-based origin validation
- Environment-specific allowed origins
- Credentials support
## New Files
- backend/src/config/security.js - Environment-aware security config
- backend/src/middleware/rateLimiter.js - Rate limiting middleware
- backend/src/utils/sanitize.js - Input sanitization utilities
- backend/.env.example - Development environment template
- backend/.env.production.example - Production environment template
- docker-compose.dev.yml - Development overrides
- docker-compose.prod.yml - Production configuration
- docs/DEPLOYMENT.md - Complete deployment guide
- docs/SECURITY_AUDIT.md - Full security audit report
- .gitignore - Updated to exclude .env files
## Dependencies Added
- helmet (^8.1.0) - Security headers
- express-rate-limit (^8.2.1) - Rate limiting
- dompurify (^3.3.0) - XSS prevention
- jsdom (^27.2.0) - DOM manipulation for sanitization
## Testing
- ✅ Password validation works (weak passwords rejected)
- ✅ User enumeration fixed (generic error messages)
- ✅ WSDC lookup functional
- ✅ Registration flow working
- ✅ Rate limiting active (environment-aware)
- ✅ Security headers present
## Usage
Development:
docker compose -f docker-compose.yml -f docker-compose.dev.yml up
Production:
docker compose -f docker-compose.yml -f docker-compose.prod.yml up
See docs/DEPLOYMENT.md for detailed instructions.
This commit is contained in:
Radosław Gierwiało
69
backend/.env.production.example
Normal file
69
backend/.env.production.example
Normal file
@@ -0,0 +1,69 @@
|
||||
# Production Environment Configuration
|
||||
# NEVER commit this file with real values!
|
||||
# Use environment variables or secrets manager in production
|
||||
|
||||
# Server
|
||||
NODE_ENV=production
|
||||
PORT=3000
|
||||
|
||||
# CORS - Your production domains
|
||||
CORS_ORIGIN=https://spotlight.cam,https://www.spotlight.cam
|
||||
|
||||
# Database - Use managed database or strong credentials
|
||||
# NEVER use default passwords in production!
|
||||
DATABASE_URL=postgresql://prod_user:STRONG_PASSWORD_HERE@db:5432/spotlightcam_prod
|
||||
|
||||
# JWT - CRITICAL: Generate strong secrets
|
||||
# Generate with: openssl rand -base64 64
|
||||
JWT_SECRET=CHANGE_THIS_TO_RANDOM_64_CHAR_STRING
|
||||
JWT_EXPIRES_IN=24h
|
||||
|
||||
# AWS SES - Production credentials
|
||||
# BEST PRACTICE: Use IAM roles instead of access keys
|
||||
AWS_REGION=us-east-1
|
||||
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
|
||||
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
|
||||
SES_FROM_EMAIL=noreply@spotlight.cam
|
||||
SES_FROM_NAME=spotlight.cam
|
||||
|
||||
# Email Settings
|
||||
FRONTEND_URL=https://spotlight.cam
|
||||
VERIFICATION_TOKEN_EXPIRY=24h
|
||||
|
||||
# Security Settings - Production (strict)
|
||||
RATE_LIMIT_ENABLED=true
|
||||
RATE_LIMIT_WINDOW_MS=900000
|
||||
RATE_LIMIT_MAX=100
|
||||
RATE_LIMIT_AUTH_MAX=5
|
||||
RATE_LIMIT_EMAIL_MAX=3
|
||||
ENABLE_CSRF=true
|
||||
BODY_SIZE_LIMIT=10kb
|
||||
LOG_LEVEL=warn
|
||||
|
||||
# Password Policy - Enforced in production
|
||||
PASSWORD_MIN_LENGTH=8
|
||||
PASSWORD_REQUIRE_UPPERCASE=true
|
||||
PASSWORD_REQUIRE_LOWERCASE=true
|
||||
PASSWORD_REQUIRE_NUMBER=true
|
||||
PASSWORD_REQUIRE_SPECIAL=false
|
||||
|
||||
# Account Lockout - Enabled in production
|
||||
ENABLE_ACCOUNT_LOCKOUT=true
|
||||
MAX_LOGIN_ATTEMPTS=5
|
||||
LOCKOUT_DURATION_MINUTES=15
|
||||
|
||||
# Database Connection Pool
|
||||
DB_POOL_MIN=2
|
||||
DB_POOL_MAX=10
|
||||
|
||||
# Monitoring (optional)
|
||||
SENTRY_DSN=
|
||||
NEW_RELIC_LICENSE_KEY=
|
||||
|
||||
# IMPORTANT SECURITY NOTES:
|
||||
# 1. Generate JWT_SECRET with: openssl rand -base64 64
|
||||
# 2. Use AWS IAM roles instead of access keys when possible
|
||||
# 3. Use environment variables or secrets manager (AWS Secrets Manager, HashiCorp Vault)
|
||||
# 4. Never commit .env files to version control
|
||||
# 5. Rotate all secrets regularly (every 90 days)
|
||||
# 6. Use strong database passwords (20+ characters, mixed case, numbers, symbols)
|
||||
Reference in New Issue
Block a user