This document outlines the security features and best practices implemented in the Chatty application.
- Access Tokens: Short-lived (15 minutes) JWT tokens for API access
- Refresh Tokens: Long-lived (7 days) tokens for seamless token renewal
- Secure Storage: Tokens are kept in memory or another client-side store, not localStorage, which any injected script can read
- Automatic Renewal: Access tokens are automatically renewed using refresh tokens
- Hashing: Passwords are hashed with bcrypt (per-password salt, configurable cost via salt rounds)
- Strength Validation: Minimum 8 characters, must contain uppercase, lowercase, numbers, and special characters
- No Plain Text Storage: Passwords are never stored in plain text
- Failed Attempt Tracking: Tracks consecutive failed login attempts per user
- Automatic Lockout: Account locked after 5 consecutive failed attempts
- Lockout Duration: 15-minute lockout period to slow brute-force guessing
- Manual Unlock: Administrative endpoint to unlock accounts
- Reset on Success: Failed attempt counter resets on successful login
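The lockout policy above, as an added example (not Chatty's own code) written as a small in-memory tracker; the injected clock is an assumption so the 15-minute window can be exercised without waiting.

```typescript
// Added example, not Chatty's own code: the lockout policy described above as a
// small in-memory tracker. Constants mirror the README (5 failures, 15 minutes).
const MAX_FAILED_ATTEMPTS = 5;
const LOCKOUT_MS = 15 * 60 * 1000;

interface LoginState {
  failedAttempts: number;
  lockedUntil: number | null; // epoch ms; null when the account is not locked
}

class LockoutTracker {
  private readonly state = new Map<string, LoginState>();
  private readonly now: () => number;
  // The clock is injected (assumption) so the window can be tested without waiting.
  constructor(now: () => number = () => Date.now()) {
    this.now = now;
  }
  private get(user: string): LoginState {
    let s = this.state.get(user);
    if (!s) {
      s = { failedAttempts: 0, lockedUntil: null };
      this.state.set(user, s);
    }
    return s;
  }
  // Call before verifying the password: a locked account is rejected without
  // touching the bcrypt hash, which also caps how fast guesses can be checked.
  isLocked(user: string): boolean {
    const s = this.get(user);
    if (s.lockedUntil === null) return false;
    if (this.now() < s.lockedUntil) return true;
    s.lockedUntil = null; // lockout expired: clear it and
    s.failedAttempts = 0; // start the counter fresh
    return false;
  }
  // Call when the password check fails; returns true once the account locks.
  recordFailure(user: string): boolean {
    const s = this.get(user);
    s.failedAttempts += 1;
    if (s.failedAttempts < MAX_FAILED_ATTEMPTS) return false;
    s.lockedUntil = this.now() + LOCKOUT_MS;
    return true;
  }
  // Call on a successful login ("Reset on Success"); the administrative unlock
  // endpoint would call the same method.
  reset(user: string): void {
    this.state.set(user, { failedAttempts: 0, lockedUntil: null });
  }
}
```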
- Global Middleware: All incoming requests are sanitized to prevent XSS and injection attacks
- DOMPurify Integration: Uses DOMPurify to clean HTML content
- Recursive Sanitization: Sanitizes nested objects and arrays in request bodies
- Query Parameters: GET parameters are also sanitized
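The recursive sanitization described above, as an added example that is not Chatty's own middleware. The cleaner is injected: in the app it would be DOMPurify's sanitize(); here a tag-stripping stand-in (an assumption) keeps the example runnable without the package, and the request shape and sample values are constructed.

```typescript
// Added example, not Chatty's own middleware: recursive sanitization of a request
// body and query. The cleaner is injected; in the app it would be DOMPurify's
// sanitize(), here a tag-stripping stand-in so the example runs without the package.
type Json = string | number | boolean | null | Json[] | { [key: string]: Json };

function sanitizeDeep(value: Json, clean: (s: string) => string): Json {
  if (typeof value === 'string') return clean(value);
  if (Array.isArray(value)) return value.map((v) => sanitizeDeep(v, clean));
  if (value !== null && typeof value === 'object') {
    // Null-prototype output: a body key such as "__proto__" then becomes a plain
    // own property instead of rewriting the prototype (prototype pollution).
    const out: { [key: string]: Json } = Object.create(null);
    for (const [k, v] of Object.entries(value)) {
      out[clean(k)] = sanitizeDeep(v, clean); // keys are user input too
    }
    return out;
  }
  return value; // numbers, booleans and null pass through unchanged
}

// Stand-in cleaner (assumption): drop anything shaped like a tag. DOMPurify is
// far more thorough; this exists only to keep the example self-contained.
function stripTags(s: string): string {
  return s.replace(/<[^>]*>/g, '');
}

// What the global middleware does per request: replace req.body and req.query
// with their sanitized copies before any handler sees them.
function sanitizeRequest(req: { body: Json; query: Json }): { body: Json; query: Json } {
  return {
    body: sanitizeDeep(req.body, stripTags),
    query: sanitizeDeep(req.query, stripTags),
  };
}

// Constructed sample request: a chat message with nested fields and a GET filter.
const sampleRequest = {
  body: {
    text: 'hello <script>x</script>world',
    mentions: ['<b>bob</b>', 'carol'],
    meta: { client: 'web', nested: { note: '<i>fine</i>' } },
    count: 3,
  } as Json,
  query: { q: '<b>term</b>' } as Json,
};
```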
- Custom CSRF Guard: JWT-based CSRF protection for HTML clients
- Token Validation: CSRF tokens are validated on state-changing requests
- Secure Headers: CSRF protection works alongside security headers
- Content Security Policy (CSP): Mitigates XSS by restricting which scripts and resources may load
- X-Frame-Options: Prevents clickjacking attacks
- X-Content-Type-Options: Prevents MIME type sniffing
- Strict-Transport-Security: Enforces HTTPS connections
- Referrer-Policy: Controls referrer information leakage
- Production Restrictions: CORS origins restricted to allowed domains
- Development Flexibility: More permissive in development environment
- Credentials Support: Secure cookie/credential handling
- Method Restrictions: Only necessary HTTP methods allowed
- Global Throttling: 10 requests per minute per IP address
- Configurable Limits: TTL and limit values can be adjusted per environment
- Automatic Blocking: Excessive requests are automatically blocked
- Request Reset: User provides username to initiate reset
- Token Generation: Secure JWT token generated with short expiry (15 minutes)
- Token Storage: Reset token stored in database with expiry timestamp
- URL Generation: Secure reset URL generated with embedded token
- Email Notification: Reset link sent to user's email (currently logged to console)
- Token Validation: Reset token validated before allowing password change
- Password Update: New password hashed and stored securely
- Token Cleanup: Reset token removed after successful password change
```http
POST /auth/forgot-password
Content-Type: application/json

{
  "username": "johndoe"
}
```

```http
POST /auth/reset-password?token=<reset_token>
Content-Type: application/json

{
  "password": "NewSecurePassword123!"
}
```

- Failed login attempts
- Account lockouts
- Password reset requests
- Suspicious activities
- Generic Error Messages: Prevents information leakage through error messages
- Rate Limiting: Protects against brute force attacks
- Input Validation: Comprehensive validation prevents malformed data
```env
# Database
DATABASE_URL="postgresql://username:password@localhost:5432/chatty_db"

# JWT Configuration
JWT_SECRET="your-super-secret-jwt-key-here"

# Application
PORT=3000
NODE_ENV=production

# CORS (Production)
ALLOWED_ORIGINS="https://yourdomain.com,https://www.yourdomain.com"
```

- Set a strong JWT_SECRET (32+ random characters)
- Configure ALLOWED_ORIGINS for production domains
- Enable HTTPS/TLS certificates
- Set NODE_ENV=production
- Configure proper database credentials
- Enable security headers
- Set up monitoring and alerting
- Regular security audits and dependency updates
- Never commit secrets to version control
- Use environment variables for sensitive configuration
- Implement comprehensive input validation
- Follow principle of least privilege
- Regular security code reviews
- Use HTTPS in production
- Implement proper firewall rules
- Regular security updates and patches
- Monitor for security vulnerabilities
- Implement backup and recovery procedures
- Encourage strong password policies
- Educate about phishing attempts
- Promote two-factor authentication (future enhancement)
- Regular security awareness training
- Two-factor authentication (2FA)
- Email integration for password reset
- Advanced threat detection
- Audit logging system
- Security event monitoring dashboard
- Automated security testing (SAST/DAST)
- API versioning for backward compatibility
- Rate limiting per user account
- Session management improvements
If you discover a security vulnerability, please report it responsibly:
- Do not create public GitHub issues for security vulnerabilities
- Email security concerns to: [security@yourdomain.com]
- Include detailed information about the vulnerability
- Allow reasonable time for response and fix
- Detection: Monitor security events and logs
- Assessment: Evaluate impact and severity
- Containment: Isolate affected systems
- Recovery: Restore systems and data
- Lessons Learned: Document and improve processes