NestJS Security Standards
Priority: P0 (CRITICAL)
Authentication (JWT)
- Strategy: Use `@nestjs/passport` with `passport-jwt`.
- Algorithm: Enforce `RS256` (preferred) or `HS256`. Reject `none`.
- Claims: Validate `iss` and `aud`.
- Tokens: Short-lived access token (15m), long-lived `httpOnly` refresh token (7d).
- MFA: Require 2FA for admin panels.
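The checks the JWT rules above require (algorithm allowlist that can never accept `none`, pinned `iss` and `aud`, expiry) are what `passport-jwt`'s `algorithms`, `issuer` and `audience` options enforce. The following is an added example, not code from this page or from NestJS; it implements the same policy stand-alone with Node's `crypto` so the behaviour can be exercised directly. `JwtPolicy`, `signJwt` and `verifyJwt` are names chosen here, and `signJwt` exists only to construct sample tokens.

```typescript
import { createHmac, createSign, createVerify, generateKeyPairSync, timingSafeEqual } from "node:crypto";
import type { KeyLike } from "node:crypto";

type Alg = "HS256" | "RS256";

// Mirrors the passport-jwt options the standard requires: an explicit algorithm
// allowlist (so "none" can never pass) plus a pinned issuer and audience.
export interface JwtPolicy {
  algorithms: ReadonlyArray<Alg>;
  issuer: string;
  audience: string;
  hmacSecret?: string;    // HS256 verification key
  rsaPublicKey?: KeyLike; // RS256 verification key (public half only)
}

const b64 = (buf: Buffer) => buf.toString("base64url");
const decode = (seg: string) => JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));

// Token builder used here only to construct sample input (constructed for the demo, not an issuance API).
export function signJwt(claims: object, alg: Alg | "none", key?: KeyLike): string {
  const input = `${b64(Buffer.from(JSON.stringify({ alg, typ: "JWT" })))}.${b64(Buffer.from(JSON.stringify(claims)))}`;
  if (alg === "none") return `${input}.`; // unsigned token, as an attacker-style probe the verifier must refuse
  const sig = alg === "HS256"
    ? createHmac("sha256", key as string).update(input).digest()
    : createSign("RSA-SHA256").update(input).sign(key as KeyLike);
  return `${input}.${b64(sig)}`;
}

// Returns the verified claims, or a string naming the first check that failed.
export function verifyJwt(token: string, policy: JwtPolicy, now = Math.floor(Date.now() / 1000)): Record<string, unknown> | string {
  const parts = token.split(".");
  if (parts.length !== 3) return "malformed";
  const [h, p, s] = parts;
  let header: { alg?: unknown } = {};
  let claims: Record<string, unknown> = {};
  try { header = decode(h); claims = decode(p); } catch { return "malformed"; }
  // Allowlist first: "none", case variants and unknown names stop here, before any key is touched.
  const alg = policy.algorithms.find((a) => a === header.alg);
  if (!alg) return "alg not allowed";
  const sig = Buffer.from(s, "base64url");
  let valid = false;
  if (alg === "HS256" && policy.hmacSecret) {
    const expected = createHmac("sha256", policy.hmacSecret).update(`${h}.${p}`).digest();
    valid = expected.length === sig.length && timingSafeEqual(expected, sig);
  } else if (alg === "RS256" && policy.rsaPublicKey) {
    valid = createVerify("RSA-SHA256").update(`${h}.${p}`).verify(policy.rsaPublicKey, sig);
  }
  if (!valid) return "bad signature";
  if (claims.iss !== policy.issuer) return "bad iss";
  const aud = claims.aud;
  if (!(aud === policy.audience || (Array.isArray(aud) && aud.includes(policy.audience)))) return "bad aud";
  if (typeof claims.exp !== "number" || claims.exp <= now) return "expired";
  return claims;
}
```

Because the policy lists exactly one algorithm per key, a token signed with one algorithm but presented to a verifier configured for the other is rejected at the allowlist step, which is the behaviour an `algorithms` option should give you.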
Authorization (RBAC)
- Deny by default: Bind `AuthGuard` globally (`APP_GUARD`).
- Bypass: Create a `@Public()` decorator for open routes.
- Roles: Use `Reflector.getAllAndOverride` to merge method-level and class-level metadata.
Cryptography
- Hashing: Use Argon2id, not bcrypt. See implementation.
- Encryption: Use AES-256-GCM with KMS key rotation. See implementation.
Hardening
- Helmet: Mandatory. Enable HSTS and CSP.
- CORS: Explicit origins only. No `*`.
- Throttling: Use Redis-backed `@nestjs/throttler` in production.
- CSRF: Required for cookie-based auth. See implementation.
Data Protection
- Sanitization: Use `ClassSerializerInterceptor` + `@Exclude()`.
- Validation: `ValidationPipe({ whitelist: true })` to prevent mass assignment.
- Audit: Log mutations (who, what, when). See implementation.
Secrets Management
- CI/CD: Run `npm audit --prod` in pipelines.
- Runtime: Inject secrets via a vault (AWS Secrets Manager / HashiCorp Vault), not `.env`.
Anti-Patterns
- No shadow APIs: Audit routes regularly; disable `/docs` in production.
- No SSRF: Allowlist domains for all outgoing HTTP requests.
- No SQLi: Use the ORM; avoid raw `query()` with string concatenation.
- No XSS: Sanitize HTML input with `dompurify`.
Related Topics
common/security-standards | architecture | database