Security best practices

[eranshmil]

@yuvadm @noam-r

Which best practices should we use in order to make the server more secure?

• Rate limit preferences.
• CORS preferences.
• Prevent XSS and SQL Injection (we should find out if TypeORM do that for us)?
• Please take a look in the file https://github.com/botim/backend/blob/3600a3ba2cd271c146733809e83e7c085baca259/src/app.ts to see the current configurations.
• Anything else?

We should also monitor our repositories using https://snyk.io

[mderazon]

Security looks good to me. just a few commets:
cors - https://github.com/botim/backend/blob/master/src/app.ts#L77 should we limit the origin to be twitter.com only ? The extension manifest already have cors settings so it's fine.

https://github.com/botim/backend/blob/master/src/app.ts#L82 - I think helmet takes care of this by default so it's redundant. Otherwise Helmet is used which is great

https://github.com/botim/backend/blob/master/src/security/authentication.ts#L23 - usually api keys are sent via headers, not request body. Can use the Authorization header or X-API header

XSS - Looks like input is being sanitized
SQL injection - queries are parametrized correctly

All looks 💯 to me

[eranshmil]

cors - /src/app.ts@master#L77 should we limit the origin to be twitter.com only ? The extension manifest already have cors settings so it's fine.

The origin is chrome-extension://extension_id and the equivalent of Firefox.
I'll check if that's working, but I'm not quite sure if the current id of the dev version will be the same in the store.

/src/security/authentication.ts@master#L23 - usually api keys are sent via headers, not request body. Can use the Authorization header or X-API header

Agree. Will be changed.

SQL injection - queries are parametrized correctly

Is that enough?

All looks 💯 to me

Thanks for your feedback!