Scale to 500+ concurrent users with security hardening#1

Draft
Copilot wants to merge 4 commits into main from copilot/improve-scalability-security

Conversation


Copilot AI commented Dec 4, 2025

ExamGuard was limited to 50-100 concurrent users due to single-process architecture, lack of connection pooling, and missing compression. Security vulnerabilities included hardcoded JWT secret fallback and no input validation or rate limiting.

Scalability

  • Cluster mode: Multi-core utilization with automatic worker restart (cluster.ts, new start:cluster script)
  • Connection pooling: Centralized Prisma client replaces per-module instantiation
  • Compression: gzip middleware reduces bandwidth
  • Health endpoint: /health returns uptime, memory, status for load balancers

Security

  • JWT secret enforcement: Removed "Ronak" fallback, server exits if JWT_SECRET unset
  • Input validation: Zod schemas on auth endpoints (email format, password min 6 chars)
  • Rate limiting: 10 req/15min on auth routes
  • Security headers: Helmet.js for XSS/clickjacking protection

Example

// Before: weak default
const JWT_SECRET = process.env.JWT_SECRET || "Ronak";

// After: fails fast
if (!process.env.JWT_SECRET) {
  throw new Error("JWT_SECRET environment variable is not set");
}
const JWT_SECRET = process.env.JWT_SECRET;

// Input validation (schema shape assumed; the email-format and 6-character
// password rules are the ones described in this PR)
import { z } from "zod";
const signupSchema = z.object({
  email: z.string().email(),
  password: z.string().min(6),
});
const validation = signupSchema.safeParse(req.body);
if (!validation.success) {
  return res.status(400).json({ error: validation.error.issues[0].message });
}

Breaking Change

⚠️ JWT_SECRET environment variable now required. Server will not start without it.

Dependencies

  • compression, helmet, express-rate-limit, zod

Original prompt

Overview

The ExamGuard application currently has scalability and security limitations that restrict it to handling only 50-100 concurrent users. This PR should implement improvements to support 500+ concurrent users.

Current Issues

Scalability Issues

  1. Single Process Node.js - Can't utilize multiple CPU cores
  2. No Database Connection Pooling - Default Prisma pool size is too small
  3. No Response Compression - Increased bandwidth usage
  4. No Redis Adapter for Socket.IO - Can't scale horizontally
  5. No Health Check Endpoints - Difficult to monitor server health

Security Issues

  1. Hardcoded JWT Secret Fallback - In server/src/controllers/auth.controller.ts and server/src/middleware/auth.middleware.ts, the JWT secret has a weak fallback value "Ronak"
  2. No Input Validation - User inputs (email, password, name) are not validated
  3. No Rate Limiting - Auth endpoints vulnerable to brute-force attacks
  4. No Security Headers - Missing helmet.js for security headers

Required Changes

1. Add Clustering Support

Create a new server/src/cluster.ts file that:

  • Detects if running as primary process
  • Forks worker processes based on CPU count
  • Handles worker crashes and restarts

2. Add Response Compression

  • Install compression package
  • Add compression middleware to Express app in server/src/index.ts

3. Increase Database Connection Pool

  • Update Prisma client initialization to support connection pooling
  • Add configuration for pool size via environment variables

4. Add Health Check Endpoint

  • Add /health endpoint in server/src/index.ts that returns server status, memory usage, and uptime

5. Fix Security Issues

  • Remove hardcoded JWT secret fallback in server/src/controllers/auth.controller.ts
  • Remove hardcoded JWT secret fallback in server/src/middleware/auth.middleware.ts
  • Throw an error if JWT_SECRET environment variable is not set
  • Add input validation using zod for signup and login endpoints
  • Add express-rate-limit for rate limiting on auth routes
  • Add helmet for security headers

6. Update package.json

  • Add new dependencies: compression, zod, express-rate-limit, helmet
  • Add type definitions: @types/compression
  • Add new scripts for cluster mode: "start:cluster": "node dist/cluster.js"

Expected Outcome

After these changes, the application should:

  • Support 500+ concurrent users
  • Have better security with validated inputs and rate limiting
  • Be ready for horizontal scaling
  • Have proper health monitoring endpoints


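One interaction the description above does not spell out: express-rate-limit's default store is in-memory and per process, so once cluster mode forks workers each worker enforces its own 10 requests per 15 minutes. This added example (mine, not code from the PR or from express-rate-limit) models that with a minimal fixed-window limiter and constructed traffic; CounterStore, MemoryStore, RateLimiter and the client IPs are assumed names and sample values.

```typescript
// Added example, not code from the PR: a fixed-window limiter with the PR's auth-route
// policy (10 requests / 15 min) and a pluggable counter store, showing why a per-process
// store stops enforcing the limit once cluster mode forks several workers.
interface CounterStore {
  // Record one hit and return the client's total hits in the current window.
  increment(key: string, now: number, windowMs: number): number;
}
// In-memory store: lives inside one process, so each cluster worker gets its own copy.
class MemoryStore implements CounterStore {
  private hits = new Map<string, { count: number; resetAt: number }>();
  increment(key: string, now: number, windowMs: number): number {
    const entry = this.hits.get(key);
    if (!entry || now >= entry.resetAt) {
      this.hits.set(key, { count: 1, resetAt: now + windowMs });
      return 1;
    }
    entry.count += 1;
    return entry.count;
  }
}

const AUTH_WINDOW_MS = 15 * 60 * 1000; // 15 minutes, as in the PR
const AUTH_MAX = 10;                   // 10 requests per window per client
class RateLimiter {
  private store: CounterStore;
  constructor(store: CounterStore) { this.store = store; }
  // true: let the request through; false: answer HTTP 429 Too Many Requests.
  allow(clientKey: string, now: number): boolean {
    return this.store.increment(clientKey, now, AUTH_WINDOW_MS) <= AUTH_MAX;
  }
}
// Single process: attempts 11 and 12 are refused until the 15-minute window resets.
function singleProcessDemo(): { allowed: number; allowedAfterReset: boolean } {
  const limiter = new RateLimiter(new MemoryStore());
  let allowed = 0;
  for (let i = 0; i < 12; i++) if (limiter.allow("198.51.100.9", 0)) allowed++;
  return { allowed, allowedAfterReset: limiter.allow("198.51.100.9", AUTH_WINDOW_MS) };
}
// Cluster mode: `workers` limiters serve one client's requests round-robin (constructed
// traffic). With shared=false each worker has its own MemoryStore, so the effective
// cap becomes workers * AUTH_MAX; a store shared by all workers keeps it at AUTH_MAX.
function allowedAcrossWorkers(workers: number, requests: number, shared: boolean): number {
  const common = new MemoryStore();
  const limiters = Array.from({ length: workers }, () => new RateLimiter(shared ? common : new MemoryStore()));
  let allowed = 0;
  for (let i = 0; i < requests; i++) {
    if (limiters[i % workers].allow("203.0.113.7", 1_000_000 + i)) allowed++;
  }
  return allowed;
}
```

With four workers and per-worker stores the same client gets 40 attempts instead of 10, which is why a cluster deployment should pair the limiter with a store shared across workers (for example Redis-backed) rather than the default in-memory one.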


vercel Bot commented Dec 4, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project      Deployment   Preview   Comments   Updated (UTC)
exam-guard   Ready        Preview   Comment    Dec 4, 2025 8:00pm

Co-authored-by: Rk-2005 <182002400+Rk-2005@users.noreply.github.com>
Copilot AI changed the title [WIP] Improve scalability and security for concurrent users Scale to 500+ concurrent users with security hardening Dec 4, 2025
Copilot AI requested a review from Rk-2005 December 4, 2025 20:02