সিকিউরিটি ও অ্যাকসেস

সিকিউরিটি পলিসি

Supported version, disclosure process, response model এবং sensitive scope।

৩ মিনিট পড়া

Security

Purpose

This document describes the **defense-in-depth security architecture** of this boilerplate. Every layer — from HTTP headers to database queries to session tokens — is designed to resist common and advanced web attacks.


🔒 Why This Boilerplate Is Secure

This isn't a "add Helmet and you're done" approach. Security is built into every layer:

┌─────────────────────────────────────────────────────────┐
│  Layer 1: HTTP Security Headers                         │
│  └─ CSP, HSTS, X-Frame-Options, Permissions-Policy...  │
├─────────────────────────────────────────────────────────┤
│  Layer 2: Middleware Security (proxy.ts)                │
│  └─ Auth gate, CSP nonce, security headers on ALL pages │
├─────────────────────────────────────────────────────────┤
│  Layer 3: API Security Middleware (withApiHandler)       │
│  └─ Global rate limiting, CSRF, body size, headers     │
├─────────────────────────────────────────────────────────┤
│  Layer 4: Auth Route Security                           │
│  └─ Origin validation, input sanitization, audit logs  │
├─────────────────────────────────────────────────────────┤
│  Layer 5: Session & Token                               │
│  └─ Signed HMAC tokens, HttpOnly cookies, MFA step-up  │
├─────────────────────────────────────────────────────────┤
│  Layer 6: Database Layer                                │
│  └─ Drizzle ORM (parameterized queries), atomic SQL    │
├─────────────────────────────────────────────────────────┤
│  Layer 7: CI/CD Security                                │
│  └─ CodeQL, CodeHawk, dependency review, gitleaks      │
└─────────────────────────────────────────────────────────┘

🛡️ Attack Coverage

This table shows which common web attacks are mitigated and how:

Attack Type Mitigation Location(s)
**XSS (Cross-Site Scripting)** Content Security Policy with nonce-based `strict-dynamic` — inline scripts require a per-request nonce `proxy.ts`, `security-headers.ts`
**CSRF** Double-submit cookie pattern — server validates token from cookie vs HTTP header `csrf.ts`, `api-security.ts`
**Brute Force Login** Account lockout after 5 failed attempts + IP-based rate limiting (15/min) `auth-user.repository.ts`, `login/route.ts`
**Account Enumeration** Generic error messages + dummy password hash for non-existent users `login/route.ts`
**DDoS / API Abuse** IP-based rate limiting on ALL API routes (100/min global, 30/min auth) `api-security.ts`, `rate-limit.ts`
**Clickjacking** `X-Frame-Options: DENY` + `frame-ancestors 'none'` in CSP `security-headers.ts`, `next.config.ts`
**Open Redirect** Origin validation + safe redirect path utility `request-origin.ts`, `redirect.ts`
**Race Condition (Lockout)** Atomic SQL increment (`failed_login_attempts + 1`) prevents concurrent bypass `auth-user.repository.ts`
**Header Injection** User-agent and IP are sanitized (null bytes, CRLF stripped, length-limited) `input-validator.ts`
**MIME Type Confusion** `X-Content-Type-Options: nosniff` `security-headers.ts`, `next.config.ts`
**Protocol Downgrade** HSTS with `preload` + `upgrade-insecure-requests` in CSP `proxy.ts`, `next.config.ts`
**Session Hijacking** `HttpOnly` + `SameSite=Strict` + `Secure` cookies, HMAC-signed tokens `session.ts`, `cookie-security.ts`
**Password Brute Force** Scrypt key derivation (CPU/memory-hard) + complexity validation (8+ chars, upper, lower, number) `password.ts`, `auth.schema.ts`
**Resource Exhaustion** Request body size limit (100 KB) + Content-Length validation `api-security.ts`, `input-validator.ts`
**ReDoS (Regex DoS)** All string inputs have explicit max-length limits before regex evaluation `input-validator.ts`
**Dependency Vulnerabilities** `pnpm audit` in CI + Dependabot auto-merge (patch-only, production deps) `ci.yml`, `dependabot-auto-merge.yml`
**Secret Leakage** Gitleaks scan in CI + `.env.local` gitignored + `.env.example` as template `check-all.sh`, `.gitignore`
**Supply Chain** Dependency review action + `frozen-lockfile` installs `dependency-review.yml`, `ci.yml`

🔐 Security Architecture Details

1. HTTP Security Headers (Layer 1)

Every response includes security headers, applied at **three levels** (defense-in-depth):

Level File When Applied
CDN/Edge `next.config.ts` Before request reaches middleware
Middleware `proxy.ts` On every page navigation
API Routes `api-security.ts` On every API response

**Headers Applied:**

Header Value Prevents
`Content-Security-Policy` `default-src 'self'; script-src 'self' 'nonce-...' 'strict-dynamic'; ...` XSS
`Strict-Transport-Security` `max-age=31536000; includeSubDomains; preload` Protocol downgrade
`X-Frame-Options` `DENY` Clickjacking
`X-Content-Type-Options` `nosniff` MIME confusion
`X-XSS-Protection` `0` Legacy XSS filter
`Referrer-Policy` `strict-origin-when-cross-origin` Referrer leakage
`Permissions-Policy` `camera=(), microphone=(), geolocation=(), interest-cohort=(), browsing-topics=()` Feature abuse
`Cross-Origin-Opener-Policy` `same-origin` Cross-origin isolation
`Cross-Origin-Resource-Policy` `same-site` Resource sharing
`Cross-Origin-Embedder-Policy` `require-corp` Cross-origin embedding

2. CSP with Nonce (Layer 2)

The Content Security Policy uses a **cryptographically random nonce** generated per-request:

  1. `proxy.ts` generates a unique nonce (`crypto.randomUUID() → base64`)
  2. Nonce is injected into the CSP header
  3. Nonce is also set as `x-nonce` header for server-side rendering
  4. Server-rendered React components can access `headers().get("x-nonce")` to add `nonce={nonce}` to inline `