admin/goodgo-platform
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(security): add security hardening — Helmet, CORS, rate limiting, input sanitization

Browse Source 
- Add Helmet with CSP, HSTS, referrer policy
- Configure CORS with environment-based origins
- Add global validation pipe with whitelist mode
- Add SanitizeInputMiddleware for XSS prevention
- Add ThrottlerBehindProxyGuard for rate limiting
- Add FileValidationPipe for upload security
- Set request body size limit to 1MB

Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Ho Ngoc Hai
2026-04-08 02:04:13 +07:00
parent 5e44456d11
commit f3081d92fc
6 changed files with 197 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
apps/api/src/modules/shared/infrastructure/middleware/sanitize-input.middleware.ts Normal file
View File

@@ -0,0 +1,50 @@
import { Injectable, type NestMiddleware } from '@nestjs/common';
import type { NextFunction, Request, Response } from 'express';
import sanitizeHtml from 'sanitize-html';
const SANITIZE_OPTIONS: sanitizeHtml.IOptions = {
allowedTags: [],
allowedAttributes: {},
disallowedTagsMode: 'recursiveEscape',
};
function sanitizeValue(value: unknown): unknown {
if (typeof value === 'string') {
return sanitizeHtml(value, SANITIZE_OPTIONS);
}
if (Array.isArray(value)) {
return value.map(sanitizeValue);
}
if (value !== null && typeof value === 'object') {
return sanitizeObject(value as Record<string, unknown>);
}
return value;
}
function sanitizeObject(obj: Record<string, unknown>): Record<string, unknown> {
const sanitized: Record<string, unknown> = {};
for (const [key, val] of Object.entries(obj)) {
sanitized[key] = sanitizeValue(val);
}
return sanitized;
}
/**
* Strips HTML tags from all string values in request body, query, and params
* to prevent stored XSS attacks.
*/
@Injectable()
export class SanitizeInputMiddleware implements NestMiddleware {
use(req: Request, _res: Response, next: NextFunction): void {
if (req.body && typeof req.body === 'object') {
req.body = sanitizeObject(req.body as Record<string, unknown>);
}
if (req.query && typeof req.query === 'object') {
req.query = sanitizeObject(req.query as Record<string, unknown>) as typeof req.query;
}
if (req.params && typeof req.params === 'object') {
req.params = sanitizeObject(req.params as Record<string, unknown>) as typeof req.params;
}
next();
}
}