protect against sql injection, xss, csrf

2025-09-16 12:27:15 -04:00
parent ce0b7bd0cc
commit a9fa579b6d
10 changed files with 1311 additions and 103 deletions
--- a/backend/server.js
+++ b/backend/server.js
@@ -9,7 +9,9 @@ const express = require("express");
 const cors = require("cors");
 const bodyParser = require("body-parser");
 const path = require("path");
+const helmet = require("helmet");
 const { sequelize } = require("./models"); // Import from models/index.js to ensure associations are loaded
+const { cookieParser } = require("./middleware/csrf");

 const authRoutes = require("./routes/auth");
 const userRoutes = require("./routes/users");
@@ -25,9 +27,52 @@ const PayoutProcessor = require("./jobs/payoutProcessor");

 const app = express();

-app.use(cors());
-app.use(bodyParser.json({ limit: "5mb" }));
-app.use(bodyParser.urlencoded({ extended: true, limit: "5mb" }));
+// Security headers
+app.use(
+  helmet({
+    contentSecurityPolicy: {
+      directives: {
+        defaultSrc: ["'self'"],
+        styleSrc: ["'self'", "https://cdn.jsdelivr.net"],
+        fontSrc: ["'self'"],
+        scriptSrc: ["'self'", "https://accounts.google.com"],
+        imgSrc: ["'self'"],
+        connectSrc: ["'self'"],
+        frameSrc: ["'self'"],
+      },
+    },
+  })
+);
+
+// Cookie parser for CSRF
+app.use(cookieParser);
+
+// CORS with security settings
+app.use(
+  cors({
+    origin: process.env.FRONTEND_URL || "http://localhost:3000",
+    credentials: true,
+    optionsSuccessStatus: 200,
+  })
+);
+
+// Body parsing with size limits
+app.use(
+  bodyParser.json({
+    limit: "1mb",
+    verify: (req, res, buf) => {
+      // Store raw body for webhook verification
+      req.rawBody = buf;
+    },
+  })
+);
+app.use(
+  bodyParser.urlencoded({
+    extended: true,
+    limit: "1mb",
+    parameterLimit: 100, // Limit number of parameters
+  })
+);

 // Serve static files from uploads directory
 app.use("/uploads", express.static(path.join(__dirname, "uploads")));
@@ -54,10 +99,10 @@ sequelize
  .sync({ alter: true })
  .then(() => {
    console.log("Database synced");
-    
+
    // Start the payout processor
    const payoutJobs = PayoutProcessor.startScheduledPayouts();
-    
+
    app.listen(PORT, () => {
      console.log(`Server is running on port ${PORT}`);
    });