Security and Production readiness
hoangvvo opened this issue · 2 comments
Production readiness
Obviously, this is not production-ready. I do not suggest anyone use this project in production as is. The goal is that we can go through the process and you implement your own system.
In case you are not aware, this project is kept as simple as possible, and is thus missing a lot of security and usability considerations. I'm not suggesting you neglect them. It's simply because the scope of this project does not encompass them (for now), to avoid difficulty in understanding.
For example, since we're handling authentication and user data, this aspect must be considered.
Sum up
There are many things missing, since I try to avoid being opinionated and prefer you to implement them yourself. Let those be challenges for everyone.
Find issues with the "Production readiness" label and try them out.
@hoangvvo As you closed this one, do you consider this template as "production-ready" in terms of security now?
The password is hashed properly and I probably checked some items from the security checklist, but by the nature of any application, there can always be security issues.
There are some things you can do:
- https://github.com/hoangvvo/nextjs-mongodb-app/blob/master/middlewares/session.js#L11: add `cookie.httpOnly = true` and `cookie.secure = true` (important!)
- Increase the key strength of bcryptjs, or switch to a stronger one like argon2
- Make sure you secure all the environment variables
- https://owasp.org/ is a good resource.