সিকিউরিটি ও অ্যাকসেস
সিকিউরিটি পলিসি
Supported version, disclosure process, response model এবং sensitive scope।
৩ মিনিট পড়া
Security
Purpose
This document describes the **defense-in-depth security architecture** of this boilerplate. Every layer — from HTTP headers to database queries to session tokens — is designed to resist common and advanced web attacks.
🔒 Why This Boilerplate Is Secure
This isn't a "add Helmet and you're done" approach. Security is built into every layer:
┌─────────────────────────────────────────────────────────┐
│ Layer 1: HTTP Security Headers │
│ └─ CSP, HSTS, X-Frame-Options, Permissions-Policy... │
├─────────────────────────────────────────────────────────┤
│ Layer 2: Middleware Security (proxy.ts) │
│ └─ Auth gate, CSP nonce, security headers on ALL pages │
├─────────────────────────────────────────────────────────┤
│ Layer 3: API Security Middleware (withApiHandler) │
│ └─ Global rate limiting, CSRF, body size, headers │
├─────────────────────────────────────────────────────────┤
│ Layer 4: Auth Route Security │
│ └─ Origin validation, input sanitization, audit logs │
├─────────────────────────────────────────────────────────┤
│ Layer 5: Session & Token │
│ └─ Signed HMAC tokens, HttpOnly cookies, MFA step-up │
├─────────────────────────────────────────────────────────┤
│ Layer 6: Database Layer │
│ └─ Drizzle ORM (parameterized queries), atomic SQL │
├─────────────────────────────────────────────────────────┤
│ Layer 7: CI/CD Security │
│ └─ CodeQL, CodeHawk, dependency review, gitleaks │
└─────────────────────────────────────────────────────────┘🛡️ Attack Coverage
This table shows which common web attacks are mitigated and how:
| Attack Type | Mitigation | Location(s) |
|---|---|---|
| **XSS (Cross-Site Scripting)** | Content Security Policy with nonce-based `strict-dynamic` — inline scripts require a per-request nonce | `proxy.ts`, `security-headers.ts` |
| **CSRF** | Double-submit cookie pattern — server validates token from cookie vs HTTP header | `csrf.ts`, `api-security.ts` |
| **Brute Force Login** | Account lockout after 5 failed attempts + IP-based rate limiting (15/min) | `auth-user.repository.ts`, `login/route.ts` |
| **Account Enumeration** | Generic error messages + dummy password hash for non-existent users | `login/route.ts` |
| **DDoS / API Abuse** | IP-based rate limiting on ALL API routes (100/min global, 30/min auth) | `api-security.ts`, `rate-limit.ts` |
| **Clickjacking** | `X-Frame-Options: DENY` + `frame-ancestors 'none'` in CSP | `security-headers.ts`, `next.config.ts` |
| **Open Redirect** | Origin validation + safe redirect path utility | `request-origin.ts`, `redirect.ts` |
| **Race Condition (Lockout)** | Atomic SQL increment (`failed_login_attempts + 1`) prevents concurrent bypass | `auth-user.repository.ts` |
| **Header Injection** | User-agent and IP are sanitized (null bytes, CRLF stripped, length-limited) | `input-validator.ts` |
| **MIME Type Confusion** | `X-Content-Type-Options: nosniff` | `security-headers.ts`, `next.config.ts` |
| **Protocol Downgrade** | HSTS with `preload` + `upgrade-insecure-requests` in CSP | `proxy.ts`, `next.config.ts` |
| **Session Hijacking** | `HttpOnly` + `SameSite=Strict` + `Secure` cookies, HMAC-signed tokens | `session.ts`, `cookie-security.ts` |
| **Password Brute Force** | Scrypt key derivation (CPU/memory-hard) + complexity validation (8+ chars, upper, lower, number) | `password.ts`, `auth.schema.ts` |
| **Resource Exhaustion** | Request body size limit (100 KB) + Content-Length validation | `api-security.ts`, `input-validator.ts` |
| **ReDoS (Regex DoS)** | All string inputs have explicit max-length limits before regex evaluation | `input-validator.ts` |
| **Dependency Vulnerabilities** | `pnpm audit` in CI + Dependabot auto-merge (patch-only, production deps) | `ci.yml`, `dependabot-auto-merge.yml` |
| **Secret Leakage** | Gitleaks scan in CI + `.env.local` gitignored + `.env.example` as template | `check-all.sh`, `.gitignore` |
| **Supply Chain** | Dependency review action + `frozen-lockfile` installs | `dependency-review.yml`, `ci.yml` |
🔐 Security Architecture Details
1. HTTP Security Headers (Layer 1)
Every response includes security headers, applied at **three levels** (defense-in-depth):
| Level | File | When Applied |
|---|---|---|
| CDN/Edge | `next.config.ts` | Before request reaches middleware |
| Middleware | `proxy.ts` | On every page navigation |
| API Routes | `api-security.ts` | On every API response |
**Headers Applied:**
| Header | Value | Prevents |
|---|---|---|
| `Content-Security-Policy` | `default-src 'self'; script-src 'self' 'nonce-...' 'strict-dynamic'; ...` | XSS |
| `Strict-Transport-Security` | `max-age=31536000; includeSubDomains; preload` | Protocol downgrade |
| `X-Frame-Options` | `DENY` | Clickjacking |
| `X-Content-Type-Options` | `nosniff` | MIME confusion |
| `X-XSS-Protection` | `0` | Legacy XSS filter |
| `Referrer-Policy` | `strict-origin-when-cross-origin` | Referrer leakage |
| `Permissions-Policy` | `camera=(), microphone=(), geolocation=(), interest-cohort=(), browsing-topics=()` | Feature abuse |
| `Cross-Origin-Opener-Policy` | `same-origin` | Cross-origin isolation |
| `Cross-Origin-Resource-Policy` | `same-site` | Resource sharing |
| `Cross-Origin-Embedder-Policy` | `require-corp` | Cross-origin embedding |
2. CSP with Nonce (Layer 2)
The Content Security Policy uses a **cryptographically random nonce** generated per-request:
- `proxy.ts` generates a unique nonce (`crypto.randomUUID() → base64`)
- Nonce is injected into the CSP header
- Nonce is also set as `x-nonce` header for server-side rendering
- Server-rendered React components can access `headers().get("x-nonce")` to add `nonce={nonce}` to inline `