SkyArtShop/docs/SECURITY_IMPLEMENTATION.md
Local Server e4b3de4a46 Updatweb
2025-12-19 20:44:46 -06:00


# SkyArtShop - Security & Production Implementation Complete
## Tech Stack
- **Backend**: Node.js v18+ with Express.js
- **Database**: PostgreSQL 14+
- **Session Store**: connect-pg-simple (PostgreSQL-backed sessions)
- **Frontend**: HTML5, CSS3, JavaScript (ES6+), Bootstrap 5
- **Process Manager**: PM2
- **Web Server**: Nginx (reverse proxy)
- **OS**: Linux (Ubuntu/Debian)
---
## Security Improvements Implemented
### 1. ✅ Environment Configuration (.env)
- Removed hardcoded credentials from `ecosystem.config.js`
- Created `.env` file for sensitive configuration
- Added `.env.example` template for deployment

**Files Modified:**

- Created: `.env`, `.env.example`
- Modified: `ecosystem.config.js`
---
### 2. ✅ Logging System (Winston)
- Replaced all `console.log`/`console.error` with structured logging
- Implemented log rotation (10MB max, 5 files)
- Separate error and combined logs
- Console output for development environment

**Files Created:**

- `backend/config/logger.js`

**Files Modified:**

- All route files: `auth.js`, `admin.js`, `public.js`, `users.js`, `upload.js`
- Middleware: `auth.js`
- Config: `database.js`
---
### 3. ✅ Rate Limiting
- API rate limiter: 100 requests per 15 minutes
- Auth rate limiter: 5 login attempts per 15 minutes
- Upload rate limiter: 50 uploads per hour

**Files Created:**

- `backend/config/rateLimiter.js`

**Applied to:**

- All `/api/*` routes
- Login/logout endpoints
- File upload endpoint
---
### 4. ✅ Input Validation & Sanitization
- Implemented express-validator for all inputs
- SQL injection protection via parameterized queries
- XSS protection via input escaping
- Email normalization
- Strong password requirements (8+ chars, uppercase, lowercase, number)

**Files Created:**

- `backend/middleware/validators.js`

**Validators Added:**

- Login validation
- User creation/update validation
- Product CRUD validation
- Blog post validation
- Pagination validation
---
### 5. ✅ Security Headers (Helmet.js)
- Content Security Policy (CSP)
- HTTP Strict Transport Security (HSTS)
- X-Frame-Options
- X-Content-Type-Options
- X-XSS-Protection

**Configuration:**

- Modified: `backend/server.js`
---
### 6. ✅ Error Handling
- Centralized error handler
- Production vs development error responses
- PostgreSQL error translation
- Async error wrapper
- Custom AppError class

**Files Created:**

- `backend/middleware/errorHandler.js`

**Features:**

- Hide sensitive error details in production
- Log all errors with context
- Standardized error responses
- 404 handler
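
The pieces listed above, written out as an added example (this is not SkyArtShop's own `errorHandler.js`): an `AppError` class, translation of PostgreSQL SQLSTATE codes into safe HTTP errors, production-versus-development response shaping, the async wrapper and the four-argument Express error middleware. `logger` is assumed to be a Winston-style logger with an `error(message, meta)` method.

```javascript
// Added example, not SkyArtShop's own errorHandler.js: AppError, PostgreSQL error
// translation and prod/dev response shaping. `logger` is an assumed Winston-style logger.
class AppError extends Error {
  constructor(message, statusCode, isOperational = true) {
    super(message);
    this.statusCode = statusCode;
    this.isOperational = isOperational; // false = unexpected bug, details stay in the logs
  }
}

// PostgreSQL SQLSTATE codes mapped to safe HTTP status/message pairs.
const PG_ERRORS = {
  '23505': [409, 'Resource already exists'],            // unique_violation
  '23503': [409, 'Referenced resource does not exist'], // foreign_key_violation
  '23502': [400, 'Required field is missing'],          // not_null_violation
  '22P02': [400, 'Invalid input format'],               // invalid_text_representation
};

// Turns any thrown value into an AppError. Unknown errors become a generic 500 so
// table names, constraint names and SQL fragments never reach the client.
function translatePgError(err) {
  if (err instanceof AppError) return err;
  const mapped = err && err.code ? PG_ERRORS[err.code] : undefined;
  if (mapped) return new AppError(mapped[1], mapped[0]);
  return new AppError('Internal server error', 500, false);
}

// Production exposes only the safe message; development also returns the driver message and stack.
function formatErrorResponse(err, env) {
  const appErr = translatePgError(err);
  const body = { status: 'error', statusCode: appErr.statusCode, message: appErr.message };
  if (env !== 'production') {
    body.detail = err.message;
    body.stack = err.stack;
  }
  return body;
}

// Wraps async route handlers so rejected promises reach the error middleware via next().
const asyncHandler = (fn) => (req, res, next) => Promise.resolve(fn(req, res, next)).catch(next);

// Express error middleware (four arguments) that logs every error with request context.
function errorHandler(logger, env) {
  return (err, req, res, next) => {
    const body = formatErrorResponse(err, env);
    logger.error(err.message, { code: err.code, path: req.originalUrl, ip: req.ip, status: body.statusCode });
    res.status(body.statusCode).json(body);
  };
}
```

Register `errorHandler(logger, process.env.NODE_ENV)` with `app.use()` after every route and the 404 handler, and wrap each async route in `asyncHandler` so thrown errors reach it.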
---
### 7. ✅ Database Transaction Support
- Transaction helper function
- Rollback on error
- Connection pooling (max 20 connections)

**Files Modified:**

- `backend/config/database.js`

**Added:**

- `transaction()` helper function
- `healthCheck()` function
---
### 8. ✅ File Upload Security
- MIME type validation
- File extension whitelist
- File size limits (5MB default)
- Filename sanitization
- Upload rate limiting
- Automatic cleanup on errors

**Files Modified:**

- `backend/routes/upload.js`

**Security Features:**

- Only allow image types (jpeg, png, gif, webp)
- Limit filename length to 50 characters
- Generate unique filenames
- Log all upload attempts
- Clean up failed uploads
---
### 9. ✅ Health Check Endpoint
- Real database connectivity test
- Memory usage monitoring
- Uptime tracking
- Graceful degradation

**Endpoint:**

- `GET /health`

**Returns:**

- Database connection status
- Server uptime
- Memory usage
- Timestamp
---
### 10. ✅ Graceful Shutdown
- Proper SIGTERM/SIGINT handling
- Close HTTP connections gracefully
- Close database pool
- 10-second forced shutdown timeout

**Files Modified:**

- `backend/server.js`
---
## Security Best Practices Applied
### Authentication & Authorization
- ✅ Bcrypt password hashing (rounds: 12)
- ✅ Session-based authentication
- ✅ HttpOnly secure cookies (production)
- ✅ Role-based access control (RBAC)
- ✅ Session expiry (24 hours)
- ✅ Last login tracking
### Input Validation
- ✅ All user inputs validated
- ✅ SQL injection prevention (parameterized queries)
- ✅ XSS prevention (input escaping)
- ✅ Email validation and normalization
- ✅ Strong password requirements
### API Security
- ✅ Rate limiting on all endpoints
- ✅ CORS configuration ready
- ✅ Trust proxy for nginx reverse proxy
- ✅ Request logging with IP tracking
### File Security
- ✅ File type validation
- ✅ File size limits
- ✅ Filename sanitization
- ✅ Unique filename generation
- ✅ Upload rate limiting
### Error Handling
- ✅ No sensitive data in error messages
- ✅ All errors logged with context
- ✅ Production vs development error responses
- ✅ PostgreSQL error translation
### Logging & Monitoring
- ✅ Structured logging (Winston)
- ✅ Log rotation
- ✅ Separate error logs
- ✅ Request logging
- ✅ Security event logging (failed logins, etc.)
---
## Required Environment Variables
Create `.env` file in project root:
```env
NODE_ENV=production
PORT=5000
HOST=0.0.0.0
DB_HOST=localhost
DB_PORT=5432
DB_NAME=skyartshop
DB_USER=skyartapp
DB_PASSWORD=your_secure_password_here
SESSION_SECRET=generate_a_random_string_at_least_32_characters_long
UPLOAD_DIR=/var/www/skyartshop/uploads
MAX_FILE_SIZE=5242880
ALLOWED_FILE_TYPES=image/jpeg,image/png,image/gif,image/webp
RATE_LIMIT_WINDOW_MS=900000
RATE_LIMIT_MAX_REQUESTS=100
BCRYPT_ROUNDS=12
LOG_LEVEL=info
LOG_FILE=logs/app.log
LOG_MAX_SIZE=10m
LOG_MAX_FILES=7d
```
---
## Deployment Checklist
### Before Production
- [ ] Generate strong `SESSION_SECRET` (32+ characters)
- [ ] Change all default passwords
- [ ] Set `NODE_ENV=production`
- [ ] Configure `CORS_ORIGIN` if needed
- [ ] Review and adjust rate limits
- [ ] Set up SSL/TLS certificates
- [ ] Configure nginx reverse proxy
- [ ] Set up firewall rules
- [ ] Enable log rotation
- [ ] Set up monitoring/alerts
- [ ] Backup database regularly
- [ ] Test all security features
### Nginx Configuration
```nginx
# Redirect all plain-HTTP traffic to HTTPS
server {
    listen 80;
    server_name yourdomain.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name yourdomain.com;

    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;

    location / {
        proxy_pass http://localhost:5000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        # The app's trust-proxy setting reads these headers for rate limiting and IP logging
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
    }
}
```
---
## Testing Commands
```bash
# Test server startup
npm start

# Check logs
tail -f backend/logs/combined.log
tail -f backend/logs/error.log

# Test health endpoint
curl http://localhost:5000/health

# Test rate limiting: the API limiter allows 100 requests per 15 minutes,
# so the 101st request should return HTTP 429
for i in {1..101}; do curl -s -o /dev/null -w "%{http_code}\n" http://localhost:5000/api/products; done

# Check for security vulnerabilities
npm audit

# Fix vulnerabilities
npm audit fix
```
---
## Known Issues & Recommendations
### Fixed Issues
1. ✅ Hardcoded credentials - Moved to .env
2. ✅ No input validation - Added express-validator
3. ✅ No rate limiting - Implemented multi-tier rate limiting
4. ✅ Console logging - Replaced with Winston
5. ✅ Poor error handling - Centralized error handler
6. ✅ No security headers - Added Helmet.js
7. ✅ Weak file upload security - Enhanced validation
8. ✅ No graceful shutdown - Implemented proper shutdown
### Recommendations for Future
1. **CSRF Protection**: Consider adding CSRF tokens for state-changing operations
2. **API Documentation**: Add Swagger/OpenAPI documentation
3. **Unit Tests**: Implement Jest/Mocha test suite
4. **Integration Tests**: Add supertest for API testing
5. **Database Migrations**: Use a migration tool (e.g., node-pg-migrate)
6. **Redis Session Store**: For better performance in production
7. **Caching**: Implement Redis caching for frequently accessed data
8. **Image Optimization**: Add sharp for image resizing/optimization
9. **Content Delivery**: Consider CDN for static assets
10. **Monitoring**: Add APM (Application Performance Monitoring)
---
## Database Tables Required
Ensure these tables exist in PostgreSQL:
- `adminusers` - Admin user accounts
- `roles` - User roles and permissions
- `products` - Product catalog
- `portfolioprojects` - Portfolio items
- `blogposts` - Blog articles
- `pages` - Static pages
- `uploads` - File upload tracking
- `session` - Session storage (auto-created)
- `sitesettings` - Site configuration
- `homepagesections` - Homepage content
---
## Support & Maintenance
### Log Files Location
- `backend/logs/combined.log` - All logs
- `backend/logs/error.log` - Error logs only
- `/var/log/skyartshop/pm2-*.log` - PM2 process logs
### Common Commands
```bash
# Start server
npm start

# Development mode with auto-restart
npm run dev

# Check PM2 status
pm2 status skyartshop

# Restart PM2
pm2 restart skyartshop

# View PM2 logs
pm2 logs skyartshop

# Stop server
pm2 stop skyartshop
```
---
## Security Contacts
For security issues, please review logs at:
- `backend/logs/error.log`
- PM2 logs via `pm2 logs`

Monitor for:

- Failed login attempts
- Rate limit violations
- File upload rejections
- Database errors
- Unhandled exceptions
---
**Last Updated**: December 18, 2025

**Version**: 2.0.0 (Production Ready)