Jackie/rentall-app
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f5fdcbfb82eb2a385cdcc460d5a4bbc17459af1d
rentall-app/backend/middleware/security.js
jackiettran 3e76769a3e backend logging
2025-09-22 18:38:51 -04:00

134 lines
3.4 KiB
JavaScript
Raw Blame History

const logger = require('../utils/logger');
// HTTPS enforcement middleware
const enforceHTTPS = (req, res, next) => {
// Skip HTTPS enforcement in development
if (
process.env.NODE_ENV === "dev" ||
process.env.NODE_ENV === "development"
) {
return next();
}
// Check if request is already HTTPS
const isSecure =
req.secure ||
req.headers["x-forwarded-proto"] === "https" ||
req.protocol === "https";
if (!isSecure) {
// Use configured allowed host to prevent Host Header Injection
const allowedHost = process.env.FRONTEND_URL;
// Log the redirect for monitoring
if (req.headers.host !== allowedHost) {
const reqLogger = logger.withRequestId(req.id);
reqLogger.warn("Host header mismatch during HTTPS redirect", {
requestHost: req.headers.host,
allowedHost,
ip: req.ip,
url: req.url,
eventType: 'SECURITY_HOST_MISMATCH'
});
}
// Redirect to HTTPS with validated host
return res.redirect(301, `https://${allowedHost}${req.url}`);
}
// Set Strict-Transport-Security header
res.setHeader(
"Strict-Transport-Security",
"max-age=31536000; includeSubDomains; preload"
);
next();
};
// Security headers middleware
const securityHeaders = (req, res, next) => {
// X-Content-Type-Options
res.setHeader("X-Content-Type-Options", "nosniff");
// X-Frame-Options
res.setHeader("X-Frame-Options", "DENY");
// Referrer-Policy
res.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
// Permissions-Policy (formerly Feature-Policy)
res.setHeader(
"Permissions-Policy",
"camera=(), microphone=(), geolocation=(self)"
);
next();
};
// Request ID middleware for tracking
const requestId = require("crypto");
const addRequestId = (req, res, next) => {
req.id = requestId.randomBytes(16).toString("hex");
res.setHeader("X-Request-ID", req.id);
next();
};
// Log security events
const logSecurityEvent = (eventType, details, req) => {
const reqLogger = logger.withRequestId(req.id || "unknown");
const logEntry = {
eventType,
ip: req.ip || req.connection.remoteAddress,
userAgent: req.get("user-agent"),
userId: req.user?.id || "anonymous",
...details,
};
reqLogger.warn(`Security event: ${eventType}`, logEntry);
};
// Sanitize error messages to prevent information leakage
const sanitizeError = (err, req, res, next) => {
// Send sanitized error to client
const isDevelopment =
process.env.NODE_ENV === "dev" || process.env.NODE_ENV === "development";
if (err.status === 400) {
// Client errors can be more specific
return res.status(400).json({
error: err.message || "Bad Request",
requestId: req.id,
});
} else if (err.status === 401) {
return res.status(401).json({
error: "Unauthorized",
requestId: req.id,
});
} else if (err.status === 403) {
return res.status(403).json({
error: "Forbidden",
requestId: req.id,
});
} else if (err.status === 404) {
return res.status(404).json({
error: "Not Found",
requestId: req.id,
});
} else {
// Server errors should be generic in production
return res.status(err.status || 500).json({
error: isDevelopment ? err.message : "Internal Server Error",
requestId: req.id,
...(isDevelopment && { stack: err.stack }),
});
}
};
module.exports = {
enforceHTTPS,
securityHeaders,
addRequestId,
logSecurityEvent,
sanitizeError,
};
Reference in New Issue View Git Blame Copy Permalink