The NPCL Dashboard implements comprehensive security measures to protect against common web application vulnerabilities and attacks. This document outlines the security features and best practices implemented in the application.
Implementation: Multi-layer rate limiting with different strategies for different endpoints.
Features:
- Authentication Rate Limiting: 5 requests per 15 minutes per IP
- API Rate Limiting: 100 requests per minute per user/IP
- Report Generation: 10 requests per hour per user
- Adaptive Rate Limiting: Adjusts limits based on system load
- IP Blocking: Automatic blocking of suspicious IPs
- Whitelist/Blacklist: Manual IP management
Algorithms:
- Token Bucket (default)
- Sliding Window
- Fixed Window
- Distributed (for multiple instances)
Configuration:
// Custom rate limiting
await withCustomRateLimit(req, {
windowMs: 60 * 1000, // 1 minute
maxRequests: 50, // 50 requests
message: 'Rate limit exceeded'
})Implementation: Token-based CSRF protection with origin validation.
Features:
- Token Generation: Cryptographically secure tokens
- Origin Validation: Validates request origin and referer headers
- Session Binding: Tokens tied to user sessions
- Automatic Expiration: Configurable token TTL
- Multiple Validation Methods: Header, body, or cookie-based tokens
Usage:
// Get CSRF token
const response = await fetch('/api/csrf/token')
const { csrfToken } = await response.json()
// Include in requests
fetch('/api/protected-endpoint', {
method: 'POST',
headers: {
'X-CSRF-Token': csrfToken,
'Content-Type': 'application/json'
},
body: JSON.stringify(data)
})Configuration:
const csrfConfig = {
tokenLength: 32,
cookieName: 'csrf-token',
headerName: 'x-csrf-token',
tokenTTL: 24 * 60 * 60, // 24 hours
sameSite: 'strict',
secure: true,
trustedOrigins: ['https://yourdomain.com']
}Implementation: Multi-layer protection beyond Prisma ORM.
Features:
- Pattern Detection: 50+ SQL injection patterns
- Input Sanitization: Automatic sanitization of dangerous inputs
- Severity Classification: Low, medium, high, critical threat levels
- Real-time Monitoring: Automatic alerting on injection attempts
- Request Validation: Validates all request parameters and body
Detected Patterns:
- Classic injection (
' OR '1'='1) - Union-based injection (
UNION SELECT) - Time-based blind injection (
SLEEP,WAITFOR) - Boolean-based blind injection
- Error-based injection
- Stacked queries
- Information schema access
- Database function calls
Usage:
// Validate input
const validation = validateSQLInput(userInput, 'email')
if (!validation.isValid) {
// Handle threat
console.log('Threats detected:', validation.threats)
}
// Secure Zod schema
const secureSchema = createSecureZodSchema({
email: z.string().email(),
name: z.string().min(1)
})Implementation: Comprehensive security headers on all responses.
Headers Applied:
X-Content-Type-Options: nosniffX-Frame-Options: DENYX-XSS-Protection: 1; mode=blockReferrer-Policy: strict-origin-when-cross-originContent-Security-Policy: [strict policy]Permissions-Policy: camera=(), microphone=(), geolocation=()
Content Security Policy:
default-src 'self';
script-src 'self' 'unsafe-inline' 'unsafe-eval';
style-src 'self' 'unsafe-inline';
img-src 'self' data: https:;
font-src 'self' https://fonts.gstatic.com;
connect-src 'self';
frame-ancestors 'none'
Implementation: NextAuth.js with enhanced security features.
Features:
- JWT Tokens: Secure session management
- Role-Based Access Control: Admin, Operator, Viewer roles
- Session Validation: Middleware-level session checks
- Password Security: bcrypt with 12 salt rounds
- Account Lockout: Automatic lockout after failed attempts
Role Hierarchy:
- ADMIN: Full system access
- OPERATOR: Power unit management, reports
- VIEWER: Read-only access
Implementation: Zod schemas with security enhancements.
Features:
- Type Safety: TypeScript + Zod validation
- SQL Injection Protection: Built into validation schemas
- XSS Prevention: Input sanitization
- Length Limits: Prevent buffer overflow attacks
- Format Validation: Email, phone, URL validation
Example:
const secureUserSchema = createSecureZodSchema({
email: z.string().email().max(255),
password: z.string().min(8).max(128),
name: z.string().min(1).max(100)
})# CSRF Protection
CSRF_STRICT_IP=false
CSRF_TOKEN_TTL=86400
# Rate Limiting
RATE_LIMIT_AUTH_MAX=5
RATE_LIMIT_AUTH_WINDOW=900000
RATE_LIMIT_API_MAX=100
RATE_LIMIT_API_WINDOW=60000
# Security Headers
CSP_REPORT_URI=https://your-domain.com/api/csp-report
HSTS_MAX_AGE=31536000
# Monitoring
SECURITY_ALERTS_ENABLED=true
SLACK_WEBHOOK_URL=https://hooks.slack.com/...
ALERT_EMAIL_RECIPIENTS=security@your-domain.com// Apply to all API routes
export default withAuth(async function middleware(req) {
// 1. SQL Injection Prevention
// 2. Rate Limiting
// 3. CSRF Protection
// 4. Security Headers
// 5. Authentication & Authorization
})Triggers:
- SQL injection attempts
- Rate limit violations
- CSRF token violations
- Suspicious IP activity
- Authentication failures
Channels:
- Console logging
- Email notifications
- Slack integration
- Webhook endpoints
Tracked Metrics:
- Failed authentication attempts
- Rate limit violations
- SQL injection attempts
- CSRF violations
- Blocked IP addresses
Monitoring Dashboard:
// Get security statistics
const stats = {
rateLimiting: rateLimitMiddleware.getStats(),
sqlInjection: sqlInjectionPrevention.getStats(),
csrf: csrfProtection.getConfig(),
blockedIPs: rateLimitMiddleware.getStats().blockedIPs
}Run comprehensive security tests:
# Test all security features
npm run test:security
# Test specific features
npm run test:rate-limiting
npm run test:csrf
npm run test:sql-injectionRate Limiting:
# Test authentication rate limiting
for i in {1..10}; do
curl -X POST http://localhost:3000/api/auth/test-login \
-H "Content-Type: application/json" \
-d '{"email":"test@example.com","password":"wrong"}'
doneCSRF Protection:
# Test CSRF protection
curl -X POST http://localhost:3000/api/auth/test-login \
-H "Content-Type: application/json" \
-H "Origin: https://malicious-site.com" \
-d '{"email":"test@example.com","password":"test"}'SQL Injection:
# Test SQL injection prevention
curl -X POST http://localhost:3000/api/auth/test-login \
-H "Content-Type: application/json" \
-d '{"email":"admin'\''--","password":"test"}'- Always validate inputs using secure schemas
- Use parameterized queries (Prisma handles this)
- Implement proper error handling without exposing internals
- Log security events for monitoring
- Regular security testing in CI/CD pipeline
- Enable HTTPS in production
- Configure security headers properly
- Set up monitoring and alerting
- Regular security audits
- Keep dependencies updated
- Monitor failed authentication attempts
- Track rate limit violations
- Alert on SQL injection attempts
- Review security logs regularly
- Implement incident response procedures
- All security features enabled
- Security headers configured
- Rate limiting tested
- CSRF protection verified
- SQL injection prevention tested
- Authentication working properly
- Authorization rules enforced
- Security monitoring configured
- Incident response plan ready
- Security monitoring active
- Alerts configured and tested
- Regular security scans scheduled
- Log analysis automated
- Incident response tested
- Security metrics tracked
- Regular security reviews scheduled
- Identify the threat type and severity
- Block malicious IPs if necessary
- Enable emergency rate limiting if under attack
- Alert security team via configured channels
- Document the incident for analysis
// Enable emergency mode
rateLimitMiddleware.enableEmergencyMode()
// Block specific IP
rateLimitMiddleware.blockIP('192.168.1.100', 'Security incident')
// Add to blacklist
rateLimiter.addToBlacklist('ip:192.168.1.100')This security implementation is regularly updated to address new threats and vulnerabilities. Check the changelog for recent security updates and ensure your deployment includes the latest security patches.