Chapter 7: API Security
7.1 Security Best Practices
API security protects against common vulnerabilities and attacks.
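// HTTPS enforcement
// In production, send plain-HTTP traffic to the HTTPS equivalent of the URL.
// `req.secure` is only reliable behind a TLS-terminating proxy when Express
// has been told to trust it (app.set('trust proxy', ...)); otherwise every
// forwarded request looks insecure and the redirect can repeat indefinitely.
// The redirect target is built from the incoming Host header, which the
// client supplies — pin the accepted virtual hosts at the proxy/web server,
// or validate `req.headers.host` against an allowlist before using it here.
app.use((req, res, next) => {
  if (process.env.NODE_ENV !== 'production' || req.secure) {
    return next();
  }
  // Only safe methods are redirected: a redirected POST/PUT would either lose
  // its body (the redirect is followed as a GET) or resubmit data that has
  // already crossed the wire in clear text, so such requests are refused.
  if (req.method !== 'GET' && req.method !== 'HEAD') {
    return res.status(403).send('HTTPS required');
  }
  return res.redirect(`https://${req.headers.host}${req.url}`);
});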
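// Input validation
const { body, param, query } = require('express-validator');
// Validation chain for user creation. The upper bound on the password length
// matters as much as the lower one: password hashing is deliberately slow, so
// an unbounded field lets a caller make each request arbitrarily expensive,
// and some hash functions (bcrypt, for one) silently truncate long inputs.
// `isString()` rejects non-string JSON values before the length check runs.
// `validateRequest` is expected to turn the collected validation errors into
// a 4xx response before `createUser` runs (both are defined elsewhere).
app.post('/api/users',
  body('email').isEmail(),
  body('password').isString().isLength({ min: 8, max: 128 }),
  validateRequest,
  createUser
);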
// Rate limiting
const rateLimit = require('express-rate-limit');
// Throttle every route under /api/: a client may make at most 100 requests
// per 15-minute window before it receives the 'Too many requests' response.
// NOTE(review): the limiter buckets requests by the client address it sees;
// behind a reverse proxy confirm `trust proxy` is configured, otherwise all
// clients appear to come from the proxy and share a single bucket.
const fifteenMinutesMs = 15 * 60 * 1000;
const limiter = rateLimit({
  windowMs: fifteenMinutesMs,
  max: 100,
  message: 'Too many requests',
});
app.use('/api/', limiter);
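// CORS configuration
const cors = require('cors');
// ALLOWED_ORIGINS is a comma-separated list of exact origins
// (scheme://host[:port]). Calling `.split` on an unset variable threw a
// TypeError at startup; an unset or empty value now yields an empty
// allowlist, which fails closed (no cross-origin caller is granted access)
// rather than falling back to a wildcard — a wildcard could not be combined
// with `credentials: true` anyway, since browsers reject that pairing.
const allowedOrigins = (process.env.ALLOWED_ORIGINS || '')
  .split(',')
  .map((origin) => origin.trim())
  .filter((origin) => origin !== '');
app.use(cors({
  origin: allowedOrigins,
  credentials: true,
  methods: ['GET', 'POST', 'PUT', 'DELETE'],
  allowedHeaders: ['Content-Type', 'Authorization'],
}));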
7.2 SQL Injection Prevention
// Always use parameterized queries: the user-supplied value is bound by the
// driver as data, rather than spliced into the statement text as SQL.
// Bad - Vulnerable to SQL injection: `email` becomes part of the SQL text, so
// a value containing a quote character changes the statement itself.
const query = `SELECT * FROM users WHERE email = '${email}'`;
// Good - Safe: `?` is a placeholder bound to the matching value in the array.
// (The two `const query` lines are alternatives — only one belongs in a real
// file; the top-level `await` also needs an async function or an ES module.)
const query = 'SELECT * FROM users WHERE email = ?';
const [rows] = await pool.execute(query, [email]);
7.3 XSS Prevention
// Sanitize user input
const validator = require('validator');
// HTML-escape the value so it can be embedded in markup as literal text.
// Escaping at output time, in the context where the value is rendered, is the
// more robust habit: a string escaped once on input is wrong for JSON or other
// contexts and gets double-escaped if the view layer escapes it again.
const escapeHtml = validator.escape;
const sanitized = escapeHtml(userInput);
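// Content Security Policy
// The policy value itself contains single quotes ('self', 'unsafe-inline'),
// so the JS string must use double-quote delimiters — the single-quoted form
// did not parse.
app.use((req, res, next) => {
  // NOTE(review): 'unsafe-inline' in script-src allows any injected inline
  // <script> to run, which removes most of the XSS protection a CSP offers.
  // Replace it with per-response nonces or script hashes once the app's
  // inline scripts are accounted for.
  res.setHeader(
    'Content-Security-Policy',
    "default-src 'self'; script-src 'self' 'unsafe-inline';"
  );
  next();
});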