Enhanced Security Module 🔒

[Villarley]

Issue: Enhanced Security Module 🔒

Description

The API lacks standard HTTP security headers, unified CORS policy, request throttling, and structured input hardening. This increases the risk of clickjacking, XSS, brute-force abuse, and information leakage.

What is expected

• A dedicated SecurityModule that centralizes:
  • Helmet headers (HSTS, noSniff, frameguard, XSS filter where applicable).
  • CORS configuration with allowlist per environment.
  • Rate limiting for public routes.
  • Global validation (ValidationPipe) with whitelist/transform/forbidUnknownValues.
  • Request size limits (body parser).
• Security config is environment-driven (production vs development).

What should be modified

1. Create module & config
   • src/security/security.module.ts
   • src/security/security.config.ts (read from env: ALLOWED_ORIGINS, RATE_LIMIT_POINTS, RATE_LIMIT_DURATION, TRUST_PROXY, etc.).
2. App bootstrap
   • In main.ts:
     • Add Helmet.
     • Add CORS using allowlist from config.
     • Add global ValidationPipe({ whitelist: true, transform: true, forbidNonWhitelisted: true }).
     • Set body size limits (e.g., json({ limit: process.env.BODY_LIMIT || '1mb' })).
     • Trust proxy if behind a load balancer (app.set('trust proxy', 1) when TRUST_PROXY=true).
3. Rate limiting
   • Add @nestjs/throttler (or rate-limiter-flexible) via SecurityModule.
   • Default policy for public endpoints; allow per-route overrides (e.g., auth routes stricter).
4. Content Security Policy (CSP)
   • Provide sane defaults via Helmet; allow overrides via env (CSP_DEFAULT_SRC, etc.).
5. Env & examples
   • Update .env.example with:

     ALLOWED_ORIGINS=http://localhost:3000,https://yourapp.com
     RATE_LIMIT_POINTS=100
     RATE_LIMIT_DURATION=60
     BODY_LIMIT=1mb
     TRUST_PROXY=true
     

6. Docs
   • Add a “Security” section to README.md explaining policies and how to tweak envs.

Acceptance criteria

• All responses include Helmet headers (HSTS in production).
• CORS allowlist enforced from env; requests from disallowed origins are rejected.
• Global validation strips unknown fields and rejects invalid payloads.
• Rate limiting returns 429 when limits are exceeded; limits configurable by env.
• Body size limits enforced; oversized payloads return 413.
• CI passes and app boots with npm run start:dev and in production mode with security enabled.

[mmongee]

Hey, Im michael a student with technical degree in frontend development. I would like to contribute to have my first experiences applying all the knowledge i've been aquiring.

[Josue19-08]

Hi, I’m Josué. I’d like to take on this issue and implement a centralized SecurityModule to harden the API. My approach will be to configure Helmet for secure HTTP headers (HSTS, noSniff, frameguard, CSP defaults), set up a unified CORS policy driven by environment variables, and enforce global validation with ValidationPipe to sanitize and reject unexpected payloads. I’ll also integrate request size limits, trust proxy settings where applicable, and add rate limiting using @nestjs/throttler with sensible defaults and per-route overrides for sensitive endpoints.

Recommended by OnlyDust for high-quality and dependable contributions.

[laryhills]

Hi Villarey,

✅ Plan: I’ll add a centralized SecurityModule + env-driven security.config.ts, wire Helmet (HSTS, noSniff, frameguard, CSP defaults), enforce CORS allowlist from env, set global ValidationPipe (whitelist/transform/forbidNonWhitelisted), configure request size limits, and enable rate limiting (@nestjs/throttler) with per-route overrides. I’ll support proxy trust, update .env.example (ALLOWED_ORIGINS, RATE_LIMIT_POINTS/DURATION, BODY_LIMIT, TRUST_PROXY, CSP_*), add README “Security” docs, and ensure CI passes and both dev/prod boot with security enabled.

📌 Why Me: I’ve implemented security baselines in NestJS apps (Helmet, CORS, throttling, global validation) and can deliver a clean, configurable setup that hardens the API without disrupting existing routes.

Recommended by OnlyDust for high-quality and dependable contributions.

[GideonBature]

Please can you assign me this issue, would love to work on it!

Recommended by OnlyDust for exceptional experience, quality, and reliability.

[bernardev254]

Hello I am Bernard and am confident to take this issue.
I'll implement a dedicated SecurityModule with:
1.Helmet (HSTS/CSP/frameguard)
2. Env-driven CORS (strict allowlist)
3. Rate limiting (configurable thresholds)
4. ValidationPipe (whitelist + transform)
5. Body size limits + proxy trust

Recommended by OnlyDust for exceptional experience, quality, and reliability.

[JCGarage]

Hi team 👋,
I’d like to take ownership of this issue. I have experience setting up centralized security modules in NestJS (Helmet, CORS, ValidationPipe, throttling, etc.) and can implement the proposed structure (security.module.ts, security.config.ts, env-driven configuration, and app bootstrap changes).

My plan:

Create the SecurityModule and its config reading from env.

Apply global middlewares in main.ts (Helmet, CORS, ValidationPipe, body limits, trust proxy).

Integrate request throttling with @nestjs/throttler.

Add CSP defaults with Helmet, configurable via env.

Update .env.example and extend README with a new “Security” section.

Ensure acceptance criteria are met (tested both in dev and prod modes).

Let me know if anyone has objections; otherwise, I’ll start working on this. 🚀