• Lifetime: 15 minutes (recommended)
• Storage: sessionStorage (client-side)
• Transmission: Authorization header only
• Never: In URLs, localStorage, or cookies (client-side)

• Lifetime: 7 days (recommended)
• Storage: httpOnly cookie (backend) or sessionStorage (current implementation)
• Transmission: Request body for refresh endpoint
• Rotation: Recommended for production

✅ Advantages:

• Cleared on browser/tab close
• Not accessible across tabs
• Reduced XSS attack surface
• Better for sensitive data

❌ localStorage Risks:

• Persists indefinitely
• Accessible across all tabs
• Higher XSS risk
• Not cleared automatically

1. Content Security Policy (CSP)

   // next.config.ts
   const securityHeaders = [
     {
       key: 'Content-Security-Policy',
       value: "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline';"
     }
   ];

2. Input Sanitization

   • Always sanitize user input
   • Use React's built-in XSS protection
   • Avoid dangerouslySetInnerHTML

3. Dependency Security

   npm audit
   npm audit fix

// Enforce HTTPS in production
if (process.env.NODE_ENV === 'production' && !req.secure) {
  return res.redirect('https://' + req.headers.host + req.url);
}

// backend/src/main.ts
app.enableCors({
  origin: process.env.FRONTEND_URL,
  credentials: true,
  methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH'],
  allowedHeaders: ['Content-Type', 'Authorization'],
});

// backend - Install: npm install @nestjs/throttler
import { ThrottlerModule } from '@nestjs/throttler';

@Module({
  imports: [
    ThrottlerModule.forRoot({
      ttl: 60,
      limit: 10,
    }),
  ],
})

• Prevents duplicate refresh calls
• Reduces server load
• Minimizes race conditions
• Already implemented ✅

// Recommended backend implementation
async refreshToken(refreshToken: string) {
  const payload = this.jwtService.verify(refreshToken);
  
  // Invalidate old refresh token
  await this.tokenBlacklist.add(refreshToken);
  
  // Generate new tokens
  return {
    access_token: this.generateAccessToken(payload),
    refresh_token: this.generateRefreshToken(payload), // New refresh token
  };
}

// Detect compromised tokens
if (await this.tokenBlacklist.exists(refreshToken)) {
  // Token reuse detected - possible security breach
  await this.revokeAllUserTokens(userId);
  throw new UnauthorizedException('Token reuse detected');
}

• JWT secret is strong (min 32 characters)
• JWT secret is stored in environment variables
• Access tokens expire in 15 minutes or less
• Refresh tokens expire in 7 days or less
• Refresh tokens are rotated on each use
• Token reuse is detected and handled
• Rate limiting is enabled on auth endpoints
• CORS is properly configured
• HTTPS is enforced in production
• Passwords are hashed with bcrypt (min 10 rounds)
• SQL injection protection is enabled
• Input validation is implemented
• Error messages don't leak sensitive info

• Tokens stored in sessionStorage (not localStorage)
• No tokens in URLs or query parameters
• CSP headers configured
• XSS protection enabled
• Dependencies are up to date
• npm audit shows no vulnerabilities
• Environment variables are properly configured
• API URL uses HTTPS in production
• Error messages don't expose sensitive data
• User input is sanitized

Risk: Attacker injects malicious scripts Mitigation:

• Use React (auto-escapes by default)
• Implement CSP headers
• Sanitize user input
• Avoid dangerouslySetInnerHTML

Risk: Unauthorized actions on behalf of user Mitigation:

// Use CSRF tokens for state-changing operations
import { csurf } from 'csurf';
app.use(csurf({ cookie: true }));

Risk: Attacker steals tokens Mitigation:

• Short token lifetime
• sessionStorage (cleared on close)
• HTTPS only
• httpOnly cookies for refresh tokens

Risk: Attacker intercepts communication Mitigation:

• HTTPS everywhere
• HSTS headers
• Certificate pinning (mobile apps)

Risk: Attacker guesses credentials Mitigation:

• Rate limiting
• Account lockout after failed attempts
• CAPTCHA after multiple failures
• Strong password requirements

// Security events to log
- Failed login attempts
- Token refresh failures
- Unusual access patterns
- API errors
- Rate limit violations

// Never log these
- Passwords
- Tokens (access or refresh)
- Credit card numbers
- Personal identification numbers
- API keys

• Sentry: Error tracking
• LogRocket: Session replay
• DataDog: Application monitoring
• CloudWatch: AWS monitoring

1. Immediate Actions

   // Revoke all user tokens
   await this.revokeAllUserTokens(userId);
   
   // Force re-authentication
   await this.clearUserSessions(userId);
   
   // Notify user
   await this.sendSecurityAlert(userId);

2. Investigation

   • Check access logs
   • Identify affected users
   • Determine attack vector
   • Document findings

3. Prevention

   • Patch vulnerability
   • Update security measures
   • Rotate secrets if needed
   • Notify affected users

• User data is stored in sessionStorage (temporary)
• Data is cleared on browser close
• Users can delete data by logging out
• No persistent tracking without consent

• Encrypt data in transit (HTTPS)
• Encrypt data at rest (backend)
• Implement audit logging
• Access controls and authentication
• Regular security assessments

# Test XSS
<script>alert('XSS')</script>

# Test SQL Injection
' OR '1'='1

# Test CSRF
# Try making requests from different origin

# Test Rate Limiting
# Make multiple rapid requests

# Dependency vulnerabilities
npm audit

# OWASP ZAP
zap-cli quick-scan http://localhost:3000

# Snyk
snyk test

• All secrets in environment variables
• HTTPS configured
• Security headers configured
• Rate limiting enabled
• Error monitoring setup
• Logging configured
• Backup strategy in place
• Incident response plan documented

// next.config.ts
const securityHeaders = [
  {
    key: 'X-DNS-Prefetch-Control',
    value: 'on'
  },
  {
    key: 'Strict-Transport-Security',
    value: 'max-age=63072000; includeSubDomains; preload'
  },
  {
    key: 'X-Frame-Options',
    value: 'SAMEORIGIN'
  },
  {
    key: 'X-Content-Type-Options',
    value: 'nosniff'
  },
  {
    key: 'X-XSS-Protection',
    value: '1; mode=block'
  },
  {
    key: 'Referrer-Policy',
    value: 'origin-when-cross-origin'
  },
  {
    key: 'Permissions-Policy',
    value: 'camera=(), microphone=(), geolocation=()'
  }
];

• Review access logs
• Check for failed login attempts
• Monitor error rates

• Update dependencies
• Run security audit
• Review and rotate secrets
• Test backup restoration

• Security assessment
• Penetration testing
• Review and update policies
• Team security training

• OWASP Top 10
• OWASP Cheat Sheet Series
• JWT Best Practices
• Next.js Security
• NestJS Security

If you discover a security vulnerability:

1. DO NOT open a public issue
2. Email: security@yourdomain.com
3. Include:
   • Description of vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

We will respond within 48 hours.