- Password Hashing:
bcryptjswith 10 salt rounds. - JWT: 24-hour expiration. Secret must be a random string of at least 64 characters.
- Helmet: Secure HTTP headers (XSS, Clickjacking).
- NoSQL Sanitization:
express-mongo-sanitizefilters$/.operators. - Rate Limiting: 5 login attempts per 15-minute window.
- CORS: Restricted to
FRONTEND_URLenvironment variable.
- Rate limiting on login route
- NoSQL injection protection
- HTTPS required (enforced by
SameSite: none; Securecookie flag) - Set
JWT_SECRETin production — generate withopenssl rand -base64 48 - Configure cloud logging to alert on repeated
401responses from a single IP