π Security Best Practices for Enterprise Applications
π Introduction
π― Why Enterprise Security Matters
In today's interconnected digital landscape, security is not just a featureβit's a fundamental requirement. Enterprise applications handle sensitive data, financial transactions, and critical business operations that make them prime targets for cyber attacks.
π Security Statistics That Matter
- 95% of successful cyber attacks are due to human error
- $4.45 million - Average cost of a data breach in 2023
- 287 days - Average time to identify and contain a breach
- 43% of cyber attacks target small businesses
- 300% increase in API attacks in the last year
Auth0 Integration
Enterprise-grade identity and access management with SSO, MFA, and advanced threat detection.
Read More βAPI Security
Multi-layer defense including authentication, rate limiting, input validation, and monitoring.
Read More βNetwork Security
Infrastructure hardening with HTTPS/TLS, firewalls, and network segmentation.
Read More βSecure Coding
Best practices for secrets management, error handling, and vulnerability prevention.
Read More βπ Auth0 Integration: Complete Enterprise Identity & Access Management
π‘ What is Auth0?
Auth0 is a cloud-based identity and access management platform that provides authentication and authorization services. It eliminates the complexity of building your own identity infrastructure while providing enterprise-grade security features.
ποΈ Why Auth0 for Enterprise Applications?
- Scalability: Handles millions of users with sub-second response times
- Security: Built-in protection against brute force, anomaly detection, and bot attacks
- Compliance: SOC 2, GDPR, HIPAA, PCI DSS compliant out of the box
- Integration: 30+ social providers, enterprise SSO, custom databases
- Customization: Rules, hooks, actions, and custom domains for branding
- Analytics: Comprehensive security analytics and threat intelligence
π― Auth0 Architecture Flow
User Request
Auth0 Login
Identity Verification
Token Generation
API Access
β οΈ Important Security Considerations
- Always use HTTPS for Auth0 callbacks
- Implement proper token validation
- Set appropriate token expiration times
- Enable anomaly detection and brute force protection
π§ Initial Auth0 Setup & Configuration
// Environment Configuration (.env file)
AUTH0_DOMAIN=your-tenant.auth0.com
AUTH0_CLIENT_ID=your-spa-client-id
AUTH0_CLIENT_SECRET=your-spa-client-secret
AUTH0_M2M_CLIENT_ID=your-m2m-client-id
AUTH0_M2M_CLIENT_SECRET=your-m2m-client-secret
AUTH0_AUDIENCE=https://your-api-identifier
AUTH0_CUSTOM_DOMAIN=auth.yourdomain.com
AUTH0_SCOPE=openid profile email
// Complete Auth0 Manager Class
const auth0 = require('auth0');
const { expressjwt: jwt } = require('express-jwt');
const jwks = require('jwks-rsa');
class EnterpriseAuth0Manager {
constructor() {
this.domain = process.env.AUTH0_DOMAIN;
this.customDomain = process.env.AUTH0_CUSTOM_DOMAIN;
// Management API Client for administrative operations
this.managementClient = new auth0.ManagementClient({
domain: this.domain,
clientId: process.env.AUTH0_M2M_CLIENT_ID,
clientSecret: process.env.AUTH0_M2M_CLIENT_SECRET,
scope: [
'read:users', 'update:users', 'create:users', 'delete:users',
'read:roles', 'update:roles', 'create:roles', 'delete:roles',
'read:user_idp_tokens', 'read:logs', 'read:anomaly_blocks',
'update:anomaly_blocks', 'read:attack_protection'
].join(' ')
});
this.initializeConfiguration();
}
async initializeConfiguration() {
try {
await this.setupCustomDomain();
await this.configureTenant();
await this.setupBranding();
await this.configureSecurityPolicies();
} catch (error) {
console.error('Auth0 initialization failed:', error);
throw error;
}
}
// Custom Domain Configuration
async setupCustomDomain() {
if (this.customDomain) {
try {
const customDomains = await this.managementClient.getCustomDomains();
if (customDomains.length === 0) {
const customDomain = await this.managementClient.createCustomDomain({
domain: this.customDomain,
type: 'auth0_managed_certs',
verification_method: 'txt'
});
console.log('Custom domain created:', customDomain);
}
} catch (error) {
console.error('Custom domain setup failed:', error.message);
}
}
}
// Tenant Configuration for Enterprise Security
async configureTenant() {
const tenantSettings = {
friendly_name: 'Enterprise Application',
support_email: 'support@yourdomain.com',
// Security Settings
session_lifetime: 720, // 12 hours
idle_session_lifetime: 72, // 3 days
token_lifetime: 86400, // 24 hours
token_lifetime_for_web: 7200, // 2 hours
// Compliance
compliance: {
gdpr_enabled: true,
data_retention_days: 365
}
};
try {
await this.managementClient.updateTenant(tenantSettings);
console.log('Tenant configured successfully');
} catch (error) {
console.error('Tenant configuration failed:', error.message);
}
}
}
π Single Page Application (SPA) Authentication
// Frontend SPA Authentication with PKCE
import { Auth0Client } from '@auth0/auth0-spa-js';
class SPAAuthManager {
constructor() {
this.auth0Client = new Auth0Client({
domain: process.env.REACT_APP_AUTH0_DOMAIN,
clientId: process.env.REACT_APP_AUTH0_CLIENT_ID,
authorizationParams: {
redirect_uri: window.location.origin,
audience: process.env.REACT_APP_AUTH0_AUDIENCE,
scope: 'openid profile email read:users'
},
// Security Configuration
useRefreshTokens: true,
cacheLocation: 'localstorage'
});
}
async login(options = {}) {
try {
await this.auth0Client.loginWithRedirect({
...options,
prompt: 'select_account'
});
} catch (error) {
console.error('Login failed:', error);
throw error;
}
}
async getAccessToken() {
try {
const token = await this.auth0Client.getTokenSilently({
detailedResponse: true,
timeoutInSeconds: 30
});
return token.access_token;
} catch (error) {
console.error('Token retrieval failed:', error);
if (error.error === 'login_required') {
await this.login();
}
throw error;
}
}
async logout() {
try {
await this.auth0Client.logout({
logoutParams: {
returnTo: window.location.origin
}
});
} catch (error) {
console.error('Logout failed:', error);
}
}
}
π‘οΈ Role-Based Access Control (RBAC)
// Enhanced permission middleware with context
const checkEnhancedPermissions = (requiredPermission, options = {}) => {
return async (req, res, next) => {
try {
const userId = req.auth.sub;
const rbacManager = new EnterpriseRBACManager(auth0Management);
const context = {
resourceOwnerId: req.params.userId || req.body.userId,
department: req.headers['x-department'] || req.user?.department,
ipAddress: req.ip,
userAgent: req.get('User-Agent')
};
const hasPermission = await rbacManager.checkPermission(
userId,
requiredPermission,
context
);
if (!hasPermission) {
return res.status(403).json({
error: 'Insufficient permissions',
required: requiredPermission
});
}
req.permissions = {
granted: requiredPermission,
context
};
next();
} catch (error) {
console.error('Permission check failed:', error);
res.status(500).json({
error: 'Permission check failed'
});
}
};
};
// Usage example
app.get('/api/admin/users',
jwtCheck,
checkEnhancedPermissions('manage:users'),
getUsersController
);
π‘οΈ API Security: Multi-Layer Defense Strategy
π― API Security Fundamentals
API security is critical as APIs become the primary attack vector. A comprehensive security strategy includes authentication, authorization, input validation, rate limiting, and monitoring.
β‘ Advanced Rate Limiting Strategy
const rateLimit = require('express-rate-limit');
const RedisStore = require('rate-limit-redis');
const redis = require('redis');
// Redis configuration for distributed rate limiting
const redisClient = redis.createClient({
host: process.env.REDIS_HOST,
port: process.env.REDIS_PORT,
password: process.env.REDIS_PASSWORD
});
// Intelligent rate limiting based on endpoint sensitivity
const createRateLimiter = (options) => {
const {
windowMs = 15 * 60 * 1000, // 15 minutes
max = 100,
skipSuccessfulRequests = false
} = options;
return rateLimit({
store: new RedisStore({
client: redisClient,
prefix: 'rl:'
}),
windowMs,
max,
skipSuccessfulRequests,
message: {
error: 'Too many requests',
retryAfter: Math.ceil(windowMs / 1000)
},
standardHeaders: true,
legacyHeaders: false
});
};
// Different rate limits for different endpoints
const authLimiter = createRateLimiter({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 5, // 5 login attempts per 15 minutes
skipSuccessfulRequests: true
});
const apiLimiter = createRateLimiter({
windowMs: 1 * 60 * 1000, // 1 minute
max: 60 // 60 requests per minute
});
// Apply rate limiting
app.use('/api/auth', authLimiter);
app.use('/api/v1', apiLimiter);
π Input Validation & Sanitization
const Joi = require('joi');
const xss = require('xss');
const validator = require('validator');
// Comprehensive validation schemas
const userSchema = Joi.object({
email: Joi.string().email().lowercase().required(),
password: Joi.string()
.min(12)
.pattern(/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])/)
.required(),
name: Joi.string().min(2).max(50).required()
});
// Advanced sanitization
const sanitizeInput = (data) => {
if (typeof data === 'string') {
let sanitized = xss(data, {
whiteList: {}, // Allow no HTML tags
stripIgnoreTag: true
});
sanitized = validator.escape(sanitized);
return sanitized.trim();
}
if (Array.isArray(data)) {
return data.map(sanitizeInput);
}
if (typeof data === 'object' && data !== null) {
const sanitizedObj = {};
for (const [key, value] of Object.entries(data)) {
sanitizedObj[key] = sanitizeInput(value);
}
return sanitizedObj;
}
return data;
};
// Validation middleware
const validateInput = (schema, source = 'body') => {
return (req, res, next) => {
const dataToValidate = req[source];
const { error, value } = schema.validate(dataToValidate, {
abortEarly: false,
stripUnknown: true
});
if (error) {
const validationErrors = error.details.map(detail => ({
field: detail.path.join('.'),
message: detail.message
}));
return res.status(400).json({
error: 'Validation failed',
details: validationErrors
});
}
const sanitizedData = sanitizeInput(value);
req[`validated${source.charAt(0).toUpperCase() + source.slice(1)}`] = sanitizedData;
next();
};
};
π SQL Injection Prevention
const { Pool } = require('pg');
// PostgreSQL with advanced security
class SecurePostgreSQLClient {
constructor() {
this.pool = new Pool({
connectionString: process.env.DATABASE_URL,
ssl: process.env.NODE_ENV === 'production',
max: 20,
idleTimeoutMillis: 30000
});
}
// Safe query execution with parameterized queries
async query(text, params = []) {
const client = await this.pool.connect();
try {
console.log('Executing query:', text.substring(0, 50) + '...');
const result = await client.query(text, params);
return result;
} catch (error) {
console.error('Database query error:', error.message);
throw new Error('Database operation failed');
} finally {
client.release();
}
}
// Safe user operations
async getUserById(userId) {
const query = `
SELECT id, email, name, created_at
FROM users
WHERE id = $1 AND deleted_at IS NULL
`;
const result = await this.query(query, [userId]);
return result.rows[0];
}
async createUser(userData) {
const { email, name, hashedPassword } = userData;
const query = `
INSERT INTO users (email, name, password_hash, created_at)
VALUES ($1, $2, $3, NOW())
RETURNING id, email, name, created_at
`;
const result = await this.query(query, [email, name, hashedPassword]);
return result.rows[0];
}
}
π Network Security: Infrastructure Hardening
π Network Security Fundamentals
Network security provides the foundation for all other security measures, protecting against network-level attacks and ensuring secure communication. It encompasses multiple layers of defense including perimeter security, traffic encryption, access controls, and monitoring systems.
π Network Security Statistics
- 68% of organizations experienced network security incidents in 2023
- $1.02 million - Average cost of a DDoS attack
- 80% of security breaches involve network vulnerabilities
- 200% increase in sophisticated network attacks
- 15 minutes - Average time for attackers to move laterally in compromised networks
ποΈ Network Security Architecture Layers
Perimeter Defense
Network Segmentation
Traffic Encryption
Access Control
Monitoring & Detection
π 1. HTTPS/TLS Configuration & SSL/TLS Best Practices
β οΈ TLS Security Considerations
- Always use TLS 1.2 or higher (disable older versions)
- Implement perfect forward secrecy (PFS)
- Use strong cipher suites and disable weak ones
- Implement certificate pinning for mobile applications
- Regular certificate rotation and monitoring
π Advanced HTTPS/TLS Configuration
const https = require('https');
const fs = require('fs');
const helmet = require('helmet');
const tls = require('tls');
// Advanced TLS Configuration
class SecureTLSConfig {
constructor() {
this.tlsOptions = {
// Certificate and key files
key: fs.readFileSync(process.env.TLS_PRIVATE_KEY_PATH),
cert: fs.readFileSync(process.env.TLS_CERTIFICATE_PATH),
ca: fs.readFileSync(process.env.TLS_CA_PATH), // Certificate Authority
// TLS Version Control
secureProtocol: 'TLSv1_3_method',
minVersion: 'TLSv1.2',
maxVersion: 'TLSv1.3',
// Strong Cipher Suites (ordered by preference)
ciphers: [
'ECDHE-RSA-AES256-GCM-SHA384',
'ECDHE-RSA-AES128-GCM-SHA256',
'ECDHE-RSA-AES256-SHA384',
'ECDHE-RSA-AES128-SHA256',
'DHE-RSA-AES256-GCM-SHA384',
'DHE-RSA-AES128-GCM-SHA256'
].join(':'),
// Security Options
honorCipherOrder: true, // Server cipher preference
requestCert: false, // Client certificate validation
rejectUnauthorized: true,
// Perfect Forward Secrecy
dhparam: fs.readFileSync('path/to/dhparam.pem'),
// OCSP Stapling
enableTrace: false,
// Session management
sessionIdContext: 'secure-app',
ticketKeys: Buffer.from(process.env.TLS_TICKET_KEYS, 'hex')
};
}
// Create secure HTTPS server
createSecureServer(app) {
const server = https.createServer(this.tlsOptions, app);
// TLS event handlers
server.on('secureConnection', (tlsSocket) => {
console.log('Secure connection established:', {
protocol: tlsSocket.getProtocol(),
cipher: tlsSocket.getCipher(),
authorized: tlsSocket.authorized,
peerCertificate: tlsSocket.getPeerCertificate()
});
});
server.on('tlsClientError', (err, tlsSocket) => {
console.error('TLS Client Error:', err.message);
// Log potential attack attempts
this.logSecurityEvent('tls_client_error', {
error: err.message,
remoteAddress: tlsSocket.remoteAddress
});
});
return server;
}
// Certificate validation and monitoring
async validateCertificates() {
const cert = fs.readFileSync(process.env.TLS_CERTIFICATE_PATH);
const certInfo = tls.parseCertString(cert.toString());
const expiryDate = new Date(certInfo.validTo);
const daysUntilExpiry = Math.ceil((expiryDate - new Date()) / (1000 * 60 * 60 * 24));
if (daysUntilExpiry < 30) {
await this.alertCertificateExpiry(daysUntilExpiry);
}
return {
valid: daysUntilExpiry > 0,
daysUntilExpiry,
issuer: certInfo.issuer,
subject: certInfo.subject
};
}
async alertCertificateExpiry(days) {
console.warn(`Certificate expires in ${days} days!`);
// Implement alerting mechanism (email, Slack, etc.)
}
logSecurityEvent(eventType, details) {
console.warn('Security Event:', {
type: eventType,
timestamp: new Date().toISOString(),
details
});
}
}
// Enhanced security headers with Helmet
const configureSecurityHeaders = () => {
return helmet({
// Content Security Policy
contentSecurityPolicy: {
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "'nonce-{NONCE}'"],
styleSrc: ["'self'", "'unsafe-inline'"],
imgSrc: ["'self'", "data:", "https:"],
connectSrc: ["'self'", "https://api.yourdomain.com"],
fontSrc: ["'self'", "https://fonts.gstatic.com"],
objectSrc: ["'none'"],
mediaSrc: ["'self'"],
frameSrc: ["'none'"],
childSrc: ["'none'"],
workerSrc: ["'self'"],
frameAncestors: ["'none'"],
upgradeInsecureRequests: []
},
reportUri: '/csp-report'
},
// HTTP Strict Transport Security (HSTS)
hsts: {
maxAge: 63072000, // 2 years
includeSubDomains: true,
preload: true
},
// X-Frame-Options
frameguard: {
action: 'deny'
},
// X-Content-Type-Options
noSniff: true,
// X-XSS-Protection
xssFilter: true,
// Referrer Policy
referrerPolicy: {
policy: 'strict-origin-when-cross-origin'
},
// Permissions Policy
permissionsPolicy: {
features: {
accelerometer: [],
camera: [],
geolocation: [],
gyroscope: [],
magnetometer: [],
microphone: [],
payment: [],
usb: []
}
},
// Hide X-Powered-By header
hidePoweredBy: true,
// DNS Prefetch Control
dnsPrefetchControl: {
allow: false
}
});
};
// Usage
const tlsConfig = new SecureTLSConfig();
const app = express();
app.use(configureSecurityHeaders());
const server = tlsConfig.createSecureServer(app);
server.listen(443, () => {
console.log('Secure HTTPS server running on port 443');
tlsConfig.validateCertificates();
});
π 2. Advanced CORS Configuration & API Security
π― CORS Security Principles
Cross-Origin Resource Sharing (CORS) controls how web applications can access resources from different domains. Proper CORS configuration prevents unauthorized cross-origin requests while enabling legitimate integrations.
π‘οΈ Enterprise CORS Configuration
const cors = require('cors');
class EnterpriseCORSManager {
constructor() {
this.allowedOrigins = new Set([
'https://yourdomain.com',
'https://app.yourdomain.com',
'https://admin.yourdomain.com',
'https://api.yourdomain.com'
]);
this.dynamicOrigins = new Map(); // For partner integrations
this.corsMetrics = {
allowed: 0,
blocked: 0,
errors: 0
};
}
// Dynamic origin management for partner APIs
addTrustedOrigin(origin, metadata = {}) {
this.dynamicOrigins.set(origin, {
...metadata,
addedAt: new Date(),
requestCount: 0
});
}
removeTrustedOrigin(origin) {
return this.dynamicOrigins.delete(origin);
}
// Advanced origin validation
validateOrigin(origin, callback) {
// Allow requests with no origin (mobile apps, Postman, etc.)
if (!origin) {
this.corsMetrics.allowed++;
return callback(null, true);
}
// Check static allowed origins
if (this.allowedOrigins.has(origin)) {
this.corsMetrics.allowed++;
return callback(null, true);
}
// Check dynamic origins (partner integrations)
if (this.dynamicOrigins.has(origin)) {
const originData = this.dynamicOrigins.get(origin);
originData.requestCount++;
originData.lastUsed = new Date();
this.corsMetrics.allowed++;
return callback(null, true);
}
// Log blocked origin for analysis
this.logBlockedOrigin(origin);
this.corsMetrics.blocked++;
callback(new Error(`Origin ${origin} not allowed by CORS policy`));
}
// Environment-specific CORS configuration
getCORSOptions(environment = 'production') {
const baseOptions = {
origin: (origin, callback) => this.validateOrigin(origin, callback),
credentials: true,
optionsSuccessStatus: 200,
maxAge: 86400, // 24 hours preflight cache
// Allowed methods
methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'],
// Allowed headers
allowedHeaders: [
'Origin',
'X-Requested-With',
'Content-Type',
'Accept',
'Authorization',
'X-API-Key',
'X-Client-Version',
'X-Request-ID'
],
// Exposed headers
exposedHeaders: [
'X-Total-Count',
'X-Rate-Limit-Remaining',
'X-Rate-Limit-Reset',
'X-Request-ID'
]
};
// Environment-specific overrides
if (environment === 'development') {
baseOptions.origin = true; // Allow all origins in development
baseOptions.maxAge = 0; // Disable preflight caching
} else if (environment === 'testing') {
baseOptions.origin = /^https?:\/\/localhost(:\d+)?$/;
}
return baseOptions;
}
// CORS monitoring and analytics
getCORSMetrics() {
return {
...this.corsMetrics,
allowedOrigins: Array.from(this.allowedOrigins),
dynamicOrigins: Array.from(this.dynamicOrigins.keys()),
totalRequests: this.corsMetrics.allowed + this.corsMetrics.blocked
};
}
logBlockedOrigin(origin) {
console.warn('CORS: Blocked origin', {
origin,
timestamp: new Date().toISOString(),
userAgent: this.currentRequest?.get('User-Agent'),
ip: this.currentRequest?.ip
});
}
}
// Usage with Express
const corsManager = new EnterpriseCORSManager();
// Add partner origins dynamically
corsManager.addTrustedOrigin('https://partner1.com', {
partner: 'Partner One',
apiKey: 'partner1_key',
permissions: ['read']
});
const corsOptions = corsManager.getCORSOptions(process.env.NODE_ENV);
app.use(cors(corsOptions));
// CORS metrics endpoint
app.get('/api/admin/cors-metrics', (req, res) => {
res.json(corsManager.getCORSMetrics());
});
π₯ 3. Firewall Configuration & DDoS Protection
β οΈ Firewall Security Best Practices
- Implement principle of least privilege (deny by default)
- Regular firewall rule audits and cleanup
- Layer multiple firewall solutions (network + application)
- Monitor and log all firewall activities
- Implement geo-blocking for suspicious regions
π‘οΈ Application-Level Firewall & DDoS Protection
const rateLimit = require('express-rate-limit');
const slowDown = require('express-slow-down');
const MongoStore = require('rate-limit-mongo');
class ApplicationFirewall {
constructor() {
this.blacklistedIPs = new Set();
this.whitelistedIPs = new Set([
'127.0.0.1',
'::1',
'10.0.0.0/8',
'172.16.0.0/12',
'192.168.0.0/16'
]);
this.geoBlockedCountries = new Set(['CN', 'RU', 'KP']);
}
// IP-based access control
ipAccessControl() {
return (req, res, next) => {
const clientIP = this.getClientIP(req);
// Check whitelist first
if (this.isIPWhitelisted(clientIP)) {
return next();
}
// Check blacklist
if (this.blacklistedIPs.has(clientIP)) {
this.logSecurityEvent('blocked_ip_access', {
ip: clientIP,
reason: 'blacklisted'
});
return res.status(403).json({
error: 'Access denied',
code: 'IP_BLOCKED'
});
}
next();
};
}
// Geographic blocking
geoBlockMiddleware() {
return async (req, res, next) => {
const clientIP = this.getClientIP(req);
const country = await this.getCountryFromIP(clientIP);
if (this.geoBlockedCountries.has(country)) {
this.logSecurityEvent('geo_blocked_access', {
ip: clientIP,
country,
userAgent: req.get('User-Agent')
});
return res.status(403).json({
error: 'Access denied from your location',
code: 'GEO_BLOCKED'
});
}
next();
};
}
// SQL injection and XSS protection
maliciousRequestDetection() {
return (req, res, next) => {
const suspiciousData = [
JSON.stringify(req.query),
JSON.stringify(req.body),
JSON.stringify(req.params),
req.get('User-Agent') || '',
req.get('Referer') || ''
].join(' ');
for (const pattern of this.suspiciousPatterns) {
if (pattern.test(suspiciousData)) {
this.logSecurityEvent('malicious_request_detected', {
ip: this.getClientIP(req),
pattern: pattern.toString(),
url: req.originalUrl,
method: req.method,
userAgent: req.get('User-Agent'),
suspiciousData: suspiciousData.substring(0, 1000)
});
// Temporarily blacklist the IP
this.temporaryBlacklist(this.getClientIP(req), 3600000); // 1 hour
return res.status(400).json({
error: 'Malicious request detected',
code: 'MALICIOUS_REQUEST'
});
}
}
next();
};
}
// Advanced DDoS protection with adaptive thresholds
createDDoSProtection() {
// Progressive rate limiting
const createRateLimiter = (windowMs, max, skipSuccessfulRequests = false) => {
return rateLimit({
store: new MongoStore({
uri: process.env.MONGODB_URI,
collectionName: 'rateLimits',
expireTimeMs: windowMs
}),
windowMs,
max,
skipSuccessfulRequests,
standardHeaders: true,
legacyHeaders: false,
// Custom key generator (IP + User-Agent fingerprint)
keyGenerator: (req) => {
const ip = this.getClientIP(req);
const userAgent = req.get('User-Agent') || '';
const fingerprint = this.createFingerprint(userAgent);
return `${ip}:${fingerprint}`;
},
// Dynamic response based on violation severity
handler: (req, res) => {
const clientIP = this.getClientIP(req);
this.incrementViolationCount(clientIP);
const violations = this.getViolationCount(clientIP);
if (violations > 10) {
this.temporaryBlacklist(clientIP, 3600000); // 1 hour blacklist
}
res.status(429).json({
error: 'Too many requests',
retryAfter: Math.ceil(windowMs / 1000),
violations
});
}
});
};
// Progressive slowdown for suspicious behavior
const createSlowDown = (windowMs, delayAfter, delayMs) => {
return slowDown({
windowMs,
delayAfter,
delayMs,
skipSuccessfulRequests: true,
keyGenerator: (req) => {
return this.getClientIP(req);
}
});
};
return {
// General API protection
general: createRateLimiter(15 * 60 * 1000, 1000), // 1000 requests per 15 minutes
// Authentication endpoints (stricter)
auth: createRateLimiter(15 * 60 * 1000, 10, true), // 10 attempts per 15 minutes
// File upload endpoints
upload: createRateLimiter(60 * 60 * 1000, 50), // 50 uploads per hour
// Progressive slowdown
slowDown: createSlowDown(15 * 60 * 1000, 100, 500), // Slow down after 100 requests
// Burst protection
burst: createRateLimiter(60 * 1000, 50) // 50 requests per minute
};
}
// Utility methods
getClientIP(req) {
return req.ip ||
req.connection?.remoteAddress ||
req.socket?.remoteAddress ||
(req.headers['x-forwarded-for'] || '').split(',')[0].trim() ||
req.headers['x-real-ip'] ||
'unknown';
}
isIPWhitelisted(ip) {
for (const whitelistedIP of this.whitelistedIPs) {
if (this.isIPInRange(ip, whitelistedIP)) {
return true;
}
}
return false;
}
isIPInRange(ip, range) {
// Simplified CIDR check - implement proper CIDR matching in production
if (!range.includes('/')) {
return ip === range;
}
// Implement proper CIDR matching logic
return false;
}
createFingerprint(userAgent) {
const crypto = require('crypto');
return crypto.createHash('md5').update(userAgent).digest('hex').substring(0, 8);
}
temporaryBlacklist(ip, duration) {
this.blacklistedIPs.add(ip);
setTimeout(() => {
this.blacklistedIPs.delete(ip);
}, duration);
this.logSecurityEvent('ip_temporarily_blacklisted', {
ip,
duration,
timestamp: new Date().toISOString()
});
}
incrementViolationCount(ip) {
// Implementation depends on your storage solution
// Could use Redis, MongoDB, or in-memory store
}
getViolationCount(ip) {
// Implementation depends on your storage solution
return 0;
}
async getCountryFromIP(ip) {
// Implement using a service like MaxMind GeoIP
// This is a placeholder
return 'US';
}
logSecurityEvent(type, details) {
console.warn('Security Event:', {
type,
timestamp: new Date().toISOString(),
details
});
}
}
// Usage
const firewall = new ApplicationFirewall();
const ddosProtection = firewall.createDDoSProtection();
// Apply firewall middleware
app.use(firewall.ipAccessControl());
app.use(firewall.geoBlockMiddleware());
app.use(firewall.maliciousRequestDetection());
// Apply DDoS protection
app.use('/api/', ddosProtection.general);
app.use('/api/auth/', ddosProtection.auth);
app.use('/api/upload/', ddosProtection.upload);
app.use(ddosProtection.slowDown);
ποΈ 4. Network Segmentation & Zero Trust Architecture
π― Zero Trust Network Principles
Zero Trust assumes no implicit trust based on network location. Every request must be authenticated, authorized, and validated before granting access to resources.
π Zero Trust Implementation
class ZeroTrustNetworkManager {
constructor() {
this.networkZones = {
public: { trust: 0, color: 'red' },
dmz: { trust: 25, color: 'orange' },
internal: { trust: 50, color: 'yellow' },
secure: { trust: 75, color: 'blue' },
critical: { trust: 100, color: 'green' }
};
this.accessPolicies = new Map();
this.deviceRegistry = new Map();
this.riskScores = new Map();
}
// Device registration and trust scoring
registerDevice(deviceId, metadata) {
const device = {
id: deviceId,
...metadata,
registered: new Date(),
lastSeen: new Date(),
trustScore: this.calculateInitialTrustScore(metadata),
accessHistory: []
};
this.deviceRegistry.set(deviceId, device);
return device;
}
calculateInitialTrustScore(metadata) {
let score = 50; // Base score
// Factor in device type
if (metadata.managed) score += 20;
if (metadata.encrypted) score += 15;
if (metadata.patchLevel === 'current') score += 10;
if (metadata.antivirus) score += 5;
return Math.min(100, score);
}
// Dynamic risk assessment
assessRequestRisk(req) {
const factors = {
deviceTrust: this.getDeviceTrustScore(req),
geolocation: this.assessGeolocationRisk(req),
behavior: this.assessBehaviorRisk(req),
network: this.assessNetworkRisk(req),
time: this.assessTimeRisk(req)
};
const weights = {
deviceTrust: 0.3,
geolocation: 0.2,
behavior: 0.25,
network: 0.15,
time: 0.1
};
const riskScore = Object.keys(factors).reduce((total, factor) => {
return total + (factors[factor] * weights[factor]);
}, 0);
return {
score: Math.round(riskScore),
factors,
level: this.getRiskLevel(riskScore)
};
}
// Adaptive access control
createAdaptiveAccessMiddleware() {
return async (req, res, next) => {
const risk = this.assessRequestRisk(req);
const requiredTrustLevel = this.getRequiredTrustLevel(req.path);
// Log access attempt
this.logAccessAttempt(req, risk);
if (risk.level === 'high' && requiredTrustLevel > 50) {
// Require additional authentication
return this.requireStepUpAuth(req, res, next);
}
if (risk.level === 'critical') {
// Block access and alert
this.triggerSecurityAlert('critical_risk_access', { req, risk });
return res.status(403).json({
error: 'Access denied due to high risk',
riskLevel: risk.level,
factors: risk.factors
});
}
// Update device trust based on successful access
this.updateDeviceTrust(req, 'successful_access');
next();
};
}
// Micro-segmentation implementation
createMicroSegmentationRules() {
return {
// Database access - only from application servers
database: {
allowedSources: ['app-server-subnet'],
deniedSources: ['public', 'dmz'],
ports: [5432, 3306, 27017],
encryption: 'required'
},
// API servers - controlled external access
api: {
allowedSources: ['dmz', 'internal'],
ports: [80, 443],
rateLimiting: true,
encryption: 'required'
},
// Internal services - no external access
internal: {
allowedSources: ['internal', 'secure'],
deniedSources: ['public', 'dmz'],
ports: [8080, 9090],
encryption: 'preferred'
},
// Admin interfaces - highly restricted
admin: {
allowedSources: ['secure'],
requiresMFA: true,
timeRestrictions: '09:00-17:00',
encryption: 'required',
logging: 'verbose'
}
};
}
// Network monitoring and anomaly detection
startNetworkMonitoring() {
setInterval(() => {
this.analyzeTrafficPatterns();
this.detectAnomalies();
this.updateThreatIntelligence();
}, 60000); // Every minute
}
analyzeTrafficPatterns() {
// Implementation would analyze:
// - Connection volumes and patterns
// - Protocol usage anomalies
// - Unusual port activities
// - Geographic distribution changes
const patterns = this.getCurrentTrafficPatterns();
const anomalies = this.compareWithBaseline(patterns);
if (anomalies.length > 0) {
this.investigateAnomalies(anomalies);
}
}
detectAnomalies() {
// Machine learning-based anomaly detection
const currentMetrics = this.collectNetworkMetrics();
const anomalies = this.mlAnomalyDetection(currentMetrics);
anomalies.forEach(anomaly => {
this.handleAnomaly(anomaly);
});
}
// Utility methods
getDeviceTrustScore(req) {
const deviceId = req.headers['x-device-id'];
const device = this.deviceRegistry.get(deviceId);
return device ? device.trustScore : 0;
}
assessGeolocationRisk(req) {
const ip = req.ip;
const location = this.getIPLocation(ip);
// Higher risk for unexpected locations
if (this.isHighRiskCountry(location.country)) return 80;
if (this.isNewLocation(req.user?.id, location)) return 60;
return 20;
}
assessBehaviorRisk(req) {
const userId = req.user?.id;
if (!userId) return 50;
const recentBehavior = this.getUserRecentBehavior(userId);
return this.analyzeBehaviorDeviation(recentBehavior);
}
requireStepUpAuth(req, res, next) {
res.status(403).json({
error: 'Additional authentication required',
challenge: 'mfa',
methods: ['totp', 'sms', 'push']
});
}
triggerSecurityAlert(type, data) {
console.error('Security Alert:', {
type,
timestamp: new Date().toISOString(),
data
});
// Implement alerting system (email, Slack, PagerDuty, etc.)
}
logAccessAttempt(req, risk) {
const log = {
timestamp: new Date().toISOString(),
ip: req.ip,
userId: req.user?.id,
path: req.path,
method: req.method,
userAgent: req.get('User-Agent'),
riskScore: risk.score,
riskLevel: risk.level,
riskFactors: risk.factors
};
// Store in security log database
console.log('Access Log:', log);
}
}
// Usage
const zeroTrust = new ZeroTrustNetworkManager();
// Apply zero trust middleware
app.use(zeroTrust.createAdaptiveAccessMiddleware());
// Start monitoring
zeroTrust.startNetworkMonitoring();
// Configure micro-segmentation rules
const segmentationRules = zeroTrust.createMicroSegmentationRules();
console.log('Micro-segmentation rules configured:', segmentationRules);
π 5. Network Monitoring & Intrusion Detection
π Real-time Network Monitoring
const EventEmitter = require('events');
class NetworkSecurityMonitor extends EventEmitter {
constructor() {
super();
this.metrics = {
connections: 0,
bytesTransferred: 0,
requestsPerSecond: 0,
errorRate: 0,
suspiciousActivities: 0
};
this.alerts = [];
this.thresholds = {
maxConnectionsPerMinute: 1000,
maxErrorRatePercent: 5,
maxRequestsPerSecond: 100,
suspiciousPatternThreshold: 10
};
this.trafficBaseline = this.loadTrafficBaseline();
this.startRealTimeMonitoring();
}
startRealTimeMonitoring() {
// Monitor every 10 seconds
setInterval(() => {
this.collectMetrics();
this.analyzeMetrics();
this.checkThresholds();
}, 10000);
// Detailed analysis every minute
setInterval(() => {
this.performDetailedAnalysis();
}, 60000);
}
// Real-time metrics collection
collectMetrics() {
const currentTime = Date.now();
// Collect system metrics
this.metrics.cpuUsage = process.cpuUsage();
this.metrics.memoryUsage = process.memoryUsage();
this.metrics.timestamp = currentTime;
// Network-specific metrics would be collected here
// This would typically integrate with network monitoring tools
}
// Intrusion detection patterns
detectIntrusionPatterns(req) {
const patterns = {
sqlInjection: this.detectSQLInjection(req),
xssAttempt: this.detectXSSAttempt(req),
pathTraversal: this.detectPathTraversal(req),
bruteForce: this.detectBruteForce(req),
scanningBehavior: this.detectPortScanning(req),
ddosPattern: this.detectDDoSPattern(req)
};
const detectedPatterns = Object.keys(patterns).filter(key => patterns[key]);
if (detectedPatterns.length > 0) {
this.handleIntrusionDetection(req, detectedPatterns);
}
return detectedPatterns;
}
detectSQLInjection(req) {
const sqlPatterns = [
/(\bUNION\b|\bSELECT\b|\bINSERT\b|\bDROP\b|\bDELETE\b)/gi,
/(\bOR\b|\bAND\b)\s+\d+\s*=\s*\d+/gi,
/'\s*(OR|AND)\s+'[^']*'/gi,
/;\s*(DROP|DELETE|INSERT|UPDATE)/gi
];
const requestData = JSON.stringify({
query: req.query,
body: req.body,
params: req.params
});
return sqlPatterns.some(pattern => pattern.test(requestData));
}
detectXSSAttempt(req) {
const requestData = JSON.stringify(req.body) + JSON.stringify(req.query);
return xssPatterns.some(pattern => pattern.test(requestData));
}
detectPathTraversal(req) {
const pathPatterns = [
/\.\.\//g,
/\.\.\\+/g,
/%2e%2e%2f/gi,
/%252e%252e%252f/gi
];
const url = req.originalUrl;
return pathPatterns.some(pattern => pattern.test(url));
}
detectBruteForce(req) {
const ip = req.ip;
const endpoint = req.path;
// Check for repeated failed attempts
const failedAttempts = this.getFailedAttempts(ip, endpoint);
return failedAttempts > 10; // Threshold for brute force
}
// Enhanced monitoring middleware
createMonitoringMiddleware() {
return (req, res, next) => {
const startTime = Date.now();
// Detect intrusion patterns
const detectedPatterns = this.detectIntrusionPatterns(req);
if (detectedPatterns.length > 0) {
this.logSecurityIncident('intrusion_detected', {
ip: req.ip,
patterns: detectedPatterns,
url: req.originalUrl,
method: req.method,
userAgent: req.get('User-Agent')
});
}
// Monitor response
res.on('finish', () => {
const responseTime = Date.now() - startTime;
this.recordRequest({
ip: req.ip,
method: req.method,
url: req.originalUrl,
statusCode: res.statusCode,
responseTime,
userAgent: req.get('User-Agent'),
timestamp: new Date()
});
// Update metrics
this.updateMetrics(req, res, responseTime);
});
next();
};
}
// Security incident handling
handleIntrusionDetection(req, patterns) {
const incident = {
id: this.generateIncidentId(),
timestamp: new Date(),
severity: this.calculateSeverity(patterns),
source: req.ip,
patterns,
request: {
method: req.method,
url: req.originalUrl,
headers: req.headers,
body: req.body
}
};
this.emit('security-incident', incident);
// Auto-response based on severity
if (incident.severity >= 8) {
this.autoBlockIP(req.ip, 3600000); // 1 hour block
}
return incident;
}
// Performance and availability monitoring
monitorPerformance() {
return setInterval(() => {
const metrics = {
avgResponseTime: this.calculateAverageResponseTime(),
errorRate: this.calculateErrorRate(),
throughput: this.calculateThroughput(),
availability: this.calculateAvailability()
};
// Check for performance anomalies
if (metrics.avgResponseTime > 5000) { // 5 seconds
this.triggerAlert('high_response_time', metrics);
}
if (metrics.errorRate > 0.05) { // 5% error rate
this.triggerAlert('high_error_rate', metrics);
}
this.emit('performance-metrics', metrics);
}, 30000); // Every 30 seconds
}
// Alert management
triggerAlert(type, data) {
const alert = {
id: this.generateAlertId(),
type,
severity: this.getAlertSeverity(type),
timestamp: new Date(),
data,
acknowledged: false
};
this.alerts.push(alert);
this.emit('security-alert', alert);
// Send notifications based on severity
if (alert.severity >= 7) {
this.sendEmergencyNotification(alert);
}
return alert;
}
// Utility methods
logSecurityIncident(type, details) {
console.warn('Security Incident:', {
type,
timestamp: new Date().toISOString(),
details
});
}
generateIncidentId() {
return `INC-${Date.now()}-${Math.random().toString(36).substr(2, 9)}`;
}
calculateSeverity(patterns) {
const severityMap = {
sqlInjection: 9,
xssAttempt: 7,
pathTraversal: 8,
bruteForce: 6,
scanningBehavior: 5,
ddosPattern: 10
};
return Math.max(...patterns.map(p => severityMap[p] || 1));
}
}
// Usage
const monitor = new NetworkSecurityMonitor();
// Apply monitoring middleware
app.use(monitor.createMonitoringMiddleware());
// Start performance monitoring
monitor.monitorPerformance();
// Event handlers
monitor.on('security-incident', (incident) => {
console.error('Security Incident Detected:', incident);
// Implement incident response procedures
});
monitor.on('security-alert', (alert) => {
console.warn('Security Alert:', alert);
// Implement alerting system
});
monitor.on('performance-metrics', (metrics) => {
console.log('Performance Metrics:', metrics);
// Store metrics for analysis and reporting
});
π 6. Network Security Compliance & Auditing
π Compliance Monitoring & Reporting
class NetworkComplianceManager {
constructor() {
this.complianceStandards = {
'PCI-DSS': {
requirements: [
'secure_network_config',
'encryption_in_transit',
'access_controls',
'network_monitoring',
'regular_testing'
]
},
'SOC2': {
requirements: [
'logical_access_controls',
'network_segmentation',
'encryption',
'monitoring_logging',
'incident_response'
]
},
'ISO27001': {
requirements: [
'network_access_control',
'network_security_management',
'network_segregation',
'cryptographic_controls'
]
}
};
this.auditLog = [];
this.complianceStatus = new Map();
}
// Automated compliance checking
performComplianceCheck(standard) {
const requirements = this.complianceStandards[standard]?.requirements || [];
const results = {};
requirements.forEach(requirement => {
results[requirement] = this.checkRequirement(requirement);
});
const overallCompliance = this.calculateComplianceScore(results);
this.complianceStatus.set(standard, {
timestamp: new Date(),
results,
score: overallCompliance,
status: overallCompliance >= 0.95 ? 'compliant' : 'non-compliant'
});
return this.complianceStatus.get(standard);
}
// Generate compliance reports
generateComplianceReport(standard, format = 'json') {
const compliance = this.complianceStatus.get(standard);
if (!compliance) {
throw new Error(`No compliance data available for ${standard}`);
}
const report = {
standard,
assessmentDate: compliance.timestamp,
overallScore: compliance.score,
status: compliance.status,
requirements: compliance.results,
recommendations: this.generateRecommendations(compliance.results),
nextAssessment: this.calculateNextAssessmentDate()
};
if (format === 'pdf') {
return this.generatePDFReport(report);
}
return report;
}
checkRequirement(requirement) {
// Implementation would check actual system configuration
// This is a simplified example
const checks = {
secure_network_config: () => this.checkNetworkConfiguration(),
encryption_in_transit: () => this.checkEncryptionInTransit(),
access_controls: () => this.checkAccessControls(),
network_monitoring: () => this.checkNetworkMonitoring(),
network_segmentation: () => this.checkNetworkSegmentation()
};
const checkFunction = checks[requirement];
return checkFunction ? checkFunction() : { status: 'unknown', details: 'Check not implemented' };
}
checkNetworkConfiguration() {
// Verify firewall rules, port configurations, etc.
return {
status: 'compliant',
details: 'Network configuration meets security requirements',
evidence: 'Firewall rules audit completed'
};
}
checkEncryptionInTransit() {
// Verify TLS configuration, cipher suites, etc.
return {
status: 'compliant',
details: 'All communications encrypted with TLS 1.2+',
evidence: 'TLS configuration scan completed'
};
}
}
π Network Security Checklist
- β Configure strong TLS/SSL with modern cipher suites
- β Implement comprehensive firewall rules (deny by default)
- β Set up network segmentation and micro-segmentation
- β Deploy DDoS protection and rate limiting
- β Configure intrusion detection/prevention systems
- β Implement zero-trust network architecture
- β Set up real-time network monitoring
- β Configure geo-blocking for high-risk regions
- β Implement network access control (NAC)
- β Regular security audits and penetration testing
- β Monitor and log all network activities
- β Maintain compliance with industry standards
π» Secure Coding Practices
π οΈ Secure Development Fundamentals
Implementing secure coding practices from the ground up prevents many common vulnerabilities and creates a strong security foundation.
π Secrets Management
const AWS = require('aws-sdk');
const secretsManager = new AWS.SecretsManager({
region: process.env.AWS_REGION
});
const getSecret = async (secretName) => {
try {
const result = await secretsManager.getSecretValue({
SecretId: secretName
}).promise();
return JSON.parse(result.SecretString);
} catch (error) {
throw new Error(`Failed to retrieve secret: ${error.message}`);
}
};
// Environment validation
const requiredEnvVars = [
'DATABASE_URL',
'JWT_SECRET',
'AUTH0_DOMAIN',
'REDIS_URL'
];
requiredEnvVars.forEach(envVar => {
if (!process.env[envVar]) {
throw new Error(`Required environment variable ${envVar} is missing`);
}
});
β οΈ Error Handling
// Secure error handling
class AppError extends Error {
constructor(message, statusCode) {
super(message);
this.statusCode = statusCode;
this.isOperational = true;
Error.captureStackTrace(this, this.constructor);
}
}
// Global error handler
const globalErrorHandler = (err, req, res, next) => {
err.statusCode = err.statusCode || 500;
if (process.env.NODE_ENV === 'production') {
res.status(err.statusCode).json({
status: 'error',
message: err.isOperational ? err.message : 'Something went wrong'
});
} else {
res.status(err.statusCode).json({
status: 'error',
message: err.message,
stack: err.stack
});
}
};
app.use(globalErrorHandler);
π Security Testing
π§ͺ Automated Security Testing
// Security test example using Jest
const request = require('supertest');
const app = require('../app');
describe('Security Tests', () => {
test('should reject requests without authentication', async () => {
const response = await request(app)
.get('/api/protected-route')
.expect(401);
expect(response.body.error).toContain('unauthorized');
});
test('should prevent SQL injection', async () => {
const maliciousInput = "'; DROP TABLE users; --";
const response = await request(app)
.post('/api/users')
.send({ name: maliciousInput })
.expect(400);
expect(response.body.error).toContain('Validation failed');
});
test('should enforce rate limiting', async () => {
const requests = Array(10).fill().map(() =>
request(app).post('/api/auth/login')
);
const responses = await Promise.all(requests);
const rateLimitedResponses = responses.filter(r => r.status === 429);
expect(rateLimitedResponses.length).toBeGreaterThan(0);
});
});
π Security Checklist
π Authentication & Authorization (Auth0)
- β Configure custom domain for branding and security
- β Enable attack protection (brute force, anomaly detection)
- β Implement comprehensive RBAC with permissions
- β Configure multi-factor authentication (MFA)
- β Set up security monitoring and alerting
- β Configure appropriate token lifetimes
- β Implement proper session management
- β Set up compliance features (GDPR, etc.)
π‘οΈ API Security
- β Use HTTPS/TLS for all communications
- β Validate and sanitize all inputs
- β Implement rate limiting and DDoS protection
- β Use parameterized queries to prevent SQL injection
- β Implement comprehensive logging and monitoring
- β Add security headers to all responses
- β Implement proper CORS configuration
π Network Security
- β Configure firewalls and intrusion detection
- β Use VPNs for secure remote access
- β Regular security audits and penetration testing
- β Network segmentation and access controls
- β Monitor network traffic for anomalies
π» Secure Coding
- β Store secrets securely (not in code)
- β Keep dependencies updated
- β Use security headers (CSP, HSTS, etc.)
- β Implement proper error handling
- β Regular code security reviews
- β Follow OWASP security guidelines
π― Conclusion
Security is not a one-time implementation but an ongoing process. With Auth0 providing enterprise-grade identity management, combined with robust API security, network hardening, and secure coding practices, you can build applications that are resilient against modern security threats.
Remember: Security is everyone's responsibility in the development team, and Auth0 provides the tools and infrastructure to implement enterprise-grade security without the complexity of building it from scratch.