Purpose
Ensure MERN code is secure by default. For security output format and core refusal policy, see /shared-sec-baseline.
MERN-specific security concerns (always check)
- NoSQL injection — reject $-prefixed and dot-notation keys from user input
- Input validation — schema validation (Zod/Joi) at every API boundary
- XSS — React escapes by default; audit dangerouslySetInnerHTML and raw HTML rendering
- CSRF — required when using cookie-based auth; use tokens or SameSite=Strict
- Auth/authz gaps — verify authorization on every protected route handler, not just frontend
- Token storage — avoid localStorage for sensitive tokens without justification; prefer httpOnly cookies
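An added example, not part of this checklist, showing the first bullet's rule (reject $-prefixed and dot-notation keys anywhere in user input) as an Express-style middleware; the function names and the sample payloads are constructed for illustration.

```javascript
// Walk a parsed JSON value and return the path of the first key that MongoDB
// would interpret as an operator ("$gt", "$ne", ...) or as a nested field
// path ("a.b"). Returns null when no such key exists.
function findUnsafeKey(value, path = "") {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findUnsafeKey(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (value !== null && typeof value === "object") {
    for (const key of Object.keys(value)) {
      const here = path ? `${path}.${key}` : key;
      if (key.startsWith("$") || key.includes(".")) return here;
      const hit = findUnsafeKey(value[key], here);
      if (hit) return hit;
    }
  }
  return null;
}

// Express-style middleware (hypothetical name): checks body, query and route
// params before any handler builds a query from them. Responds with a safe
// envelope naming only the offending field, never internals.
function rejectOperatorKeys(req, res, next) {
  for (const source of ["body", "query", "params"]) {
    const bad = findUnsafeKey(req[source]);
    if (bad) {
      return res
        .status(400)
        .json({ error: "invalid request", field: `${source}.${bad}` });
    }
  }
  next();
}

// Constructed sample payloads: the first carries an operator object in place
// of a string and must be rejected; the second is an ordinary login body.
const SAMPLE_REJECTED = { username: "admin", password: { $gt: "" } };
const SAMPLE_ACCEPTED = { username: "admin", password: "hunter2" };
```

Mount it with `app.use(express.json(), rejectOperatorKeys)` ahead of the routes; schema validation (Zod/Joi) still applies afterwards, since this check only removes the operator class of input and does not enforce types or lengths.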
Standard security (brief check)
- Error responses: safe envelopes, no stack traces or internal details
- Rate limiting: on auth endpoints, expensive operations, public APIs
- Dependencies: lockfile committed, no known critical vulnerabilities
Reference
For detailed OWASP/CWE mitigation patterns, see reference/mern-sec-reference.md