Skip to content

Security: Gabri-SF/portfolio

Security

SECURITY.md

Security Notes

Implemented Protections

  • Password Hashing: bcryptjs with 10 salt rounds.
  • JWT: 24-hour expiration. Secret must be a random string of at least 64 characters.
  • Helmet: Secure HTTP headers (XSS, Clickjacking).
  • NoSQL Sanitization: express-mongo-sanitize filters $/. operators.
  • Rate Limiting: 5 login attempts per 15-minute window.
  • CORS: Restricted to FRONTEND_URL environment variable.

Production Checklist

  • Rate limiting on login route
  • NoSQL injection protection
  • HTTPS required (enforced by SameSite: none; Secure cookie flag)
  • Set JWT_SECRET in production — generate with openssl rand -base64 48
  • Configure cloud logging to alert on repeated 401 responses from a single IP

There aren't any published security advisories