Chapter 11: Security Implementation
Chapter 11: Security Implementation
11.1 Security Best Practices
Security is critical for production applications. Implement multiple layers of protection.
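// Helmet for security headers
const helmet = require('helmet');
app.use(helmet());

// CORS configuration
const cors = require('cors');
// Build the origin allow-list from the environment. The original
// `process.env.ALLOWED_ORIGINS.split(',')` throws an unhelpful TypeError when
// the variable is unset; fail at startup with a clear message instead, and
// trim whitespace / drop empty entries so "a.example, b.example" works.
const allowedOrigins = (process.env.ALLOWED_ORIGINS ?? '')
  .split(',')
  .map((origin) => origin.trim())
  .filter((origin) => origin.length > 0);
if (allowedOrigins.length === 0) {
  throw new Error('ALLOWED_ORIGINS must list at least one origin');
}
app.use(cors({
  // With credentials: true the allow-list must be explicit: browsers do not
  // accept a wildcard Access-Control-Allow-Origin on credentialed requests.
  origin: allowedOrigins,
  credentials: true,
}));

// Rate limiting
const rateLimit = require('express-rate-limit');
const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15-minute window
  max: 100,                 // requests per window per client
});
// NOTE: the limiter keys on the client address; behind a reverse proxy set
// Express's 'trust proxy' appropriately, otherwise every request appears to
// come from the proxy and shares one bucket.
app.use('/api/', limiter);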
11.2 Input Sanitization
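// Sanitize user input
// `body` and `validationResult` are named exports of express-validator; the
// original required the module as `expressValidator` and never brought these
// two names into scope, so the handler would fail with a ReferenceError.
const { body, validationResult } = require('express-validator');
app.post('/api/users',
  body('email').isEmail().normalizeEmail(),
  // escape() HTML-encodes < > & ' " in place, so the stored name is already
  // entity-encoded; only keep it if the value is rendered as HTML later.
  body('name').trim().escape(),
  // Consider also bounding the maximum length so oversized passwords cannot
  // be used to drive up hashing cost (e.g. isLength({ min: 8, max: 128 })).
  body('password').isLength({ min: 8 }),
  async (req, res) => {
    const errors = validationResult(req);
    if (!errors.isEmpty()) {
      return res.status(400).json({ errors: errors.array() });
    }
    // Process sanitized input: the sanitizers above write their results back
    // to req.body, or use matchedData(req) to read only validated fields.
  }
);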
11.3 SQL Injection Prevention
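// Always use parameterized queries
// Bad: interpolating a user-controlled value into the SQL text lets that value
// change the structure of the statement (SQL injection). Shown as a comment so
// the snippet no longer redeclares `query` twice in one scope, which is a
// SyntaxError.
//   const query = `SELECT * FROM users WHERE email = '${email}'`;
// Good: the value travels separately from the statement as a bound parameter,
// so the driver never parses it as SQL.
const query = 'SELECT * FROM users WHERE email = ?';
const [rows] = await pool.execute(query, [email]);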
11.4 XSS Prevention
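// Sanitize output
const DOMPurify = require('dompurify');

/**
 * Return `html` with scripts, event handlers and other unsafe markup removed.
 *
 * DOMPurify needs a DOM to work. In a browser (or a React bundle) the package
 * is ready to use; in Node it reports `isSupported === false` and `sanitize()`
 * hands its input back without cleaning it, so this guard refuses to run
 * rather than silently returning unsanitized HTML. On the server, create the
 * instance from a DOM implementation (e.g. jsdom) before calling this.
 *
 * @param {string} html - Untrusted HTML fragment.
 * @returns {string} Sanitized HTML safe to insert into the document.
 * @throws {Error} When no DOM is available to DOMPurify.
 */
function sanitizeHtml(html) {
  if (!DOMPurify.isSupported) {
    throw new Error('DOMPurify has no DOM available; refusing to return unsanitized HTML');
  }
  return DOMPurify.sanitize(html);
}

// React automatically escapes, but be careful with dangerouslySetInnerHTML:
// sanitize at the point of rendering, not only when the content was stored,
// so content saved before the sanitizer was added is still covered.
<div dangerouslySetInnerHTML={{ __html: sanitizeHtml(userContent) }} />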