| Risk Area | Remediation Requirement | Implementation Code / Action |
|---|---|---|
| SQL Injection | Never concatenate user input into raw SQL query strings. | Use parameterized queries: `db.query('SELECT * FROM users WHERE id = $1', [userId])` |
| XSS Prevention | Set Content Security Policy (CSP) headers to restrict which assets the browser may load. | Implement Helmet.js: `app.use(helmet())` |
| CORS | Tighten cross-origin allowances. Never use a wildcard origin on endpoints that accept credentials. | Allow-list exact origins in the Express `cors()` middleware. |
| Secrets Leakage | Keep configuration files with credentials out of version control. Scan commits for secrets. | Add `.env` to `.gitignore`; enable GitHub secret scanning with push protection. |
| Dep Security | Detect known vulnerabilities in npm dependencies. | Run `npm audit` weekly; enable GitHub Dependabot alerts. |
| SSH Security | Harden Linux OS endpoints. Limit SSH access to administrators. | Disable root SSH login; restrict port 22 in security groups to an allow-list of administrator IPs. |
```javascript
// Standard strict Helmet.js configuration for Express
import express from 'express';
import helmet from 'helmet';

const app = express();

app.use(helmet({
  contentSecurityPolicy: {
    directives: {
      // Fallback for any fetch directive not listed below
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'", "https://www.googletagmanager.com"],
      // 'unsafe-inline' for styles is a common compromise; avoid it for scripts
      styleSrc: ["'self'", "'unsafe-inline'", "https://fonts.googleapis.com"],
      imgSrc: ["'self'", "data:", "https://images.unsplash.com"],
      // XHR/fetch/WebSocket targets
      connectSrc: ["'self'", "https://api.yourapp.com"],
      fontSrc: ["'self'", "https://fonts.gstatic.com"],
      // Blocks plugins such as Flash/Java via <object>/<embed>
      objectSrc: ["'none'"],
      // Rewrites http:// sub-resource requests to https://
      upgradeInsecureRequests: [],
    },
  },
}));
```
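The CORS row in the table calls for an exact-origin allow-list with no wildcard on credentialed endpoints. The block below is an added example, not code from the original page: it builds an options object for the `cors()` middleware using its documented `origin(origin, callback)` signature, and the listed origins are constructed placeholders.

```javascript
// Added example: strict CORS allow-list for the Express cors() middleware.
// Usage (assumes the cors package): app.use(cors(buildCorsOptions()));

// Exact-match allow-list (scheme + host + port). Substring or regex checks
// are a classic bypass: "https://app.example.com.attacker.test" would pass
// an .includes('app.example.com') test. Values here are constructed.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Canonicalise an Origin header value so comparison is exact and
// case-insensitive on scheme/host; reject anything that is not a bare origin.
function normalizeOrigin(origin) {
  try {
    const u = new URL(origin);
    // An Origin never carries a path, query or fragment
    if (u.pathname !== '/' || u.search || u.hash) return null;
    return `${u.protocol}//${u.host}`;
  } catch {
    return null; // malformed, or the literal string "null"
  }
}

function isAllowedOrigin(origin, allowlist = ALLOWED_ORIGINS) {
  if (typeof origin !== 'string') return false;
  const normalized = normalizeOrigin(origin);
  return normalized !== null && allowlist.has(normalized);
}

// credentials: true makes the browser send cookies, so the reflected origin
// must be an exact allow-listed value; a '*' here would be rejected by browsers
// and, if reflected blindly, would let any site read authenticated responses.
function buildCorsOptions(allowlist = ALLOWED_ORIGINS) {
  return {
    origin(origin, callback) {
      // No Origin header: same-origin, curl or server-to-server. Not a
      // cross-origin request, so pass through without any CORS headers.
      if (origin === undefined) return callback(null, false);
      if (isAllowedOrigin(origin, allowlist)) return callback(null, true);
      // Deny: `false` emits no Access-Control-* headers, so the browser
      // blocks the response. Passing an Error would produce a 500 instead.
      return callback(null, false);
    },
    credentials: true,
    methods: ['GET', 'POST', 'PUT', 'DELETE'],
    allowedHeaders: ['Content-Type', 'Authorization'],
    maxAge: 600, // cache preflight results for 10 minutes
  };
}
```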