A complete, real-world backend focused on securing a Node.js application for production and deployment.
This project demonstrates how to build a robust authentication system and protect it against common vulnerabilities.
🌐 API Base URL:
https://your-backend.onrender.com
📡 Health Check:
https://your-backend.onrender.com/api/health
This project is a hands-on implementation of modern backend security practices using:
- Node.js
- Express.js
- MongoDB
- TypeScript
The goal is to go beyond basic authentication and build a secure, production-ready backend.
Authentication:
- JWT-based authentication (Access + Refresh Token)
- Secure cookie handling (`httpOnly`, `secure`, `sameSite`)
- Token rotation & refresh flow
- Role-Based Access Control (RBAC)
Cookie security:
- HTTP-only cookies (not readable by page scripts, so an XSS bug cannot exfiltrate the token)
- Secure cookies (sent over HTTPS only)
- SameSite protection for cross-site requests
CSRF protection:
- CSRF token generation
- Double Submit Cookie Pattern
- Custom header validation (`x-csrf-token`)
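The double-submit check described above, as an added TypeScript example that is not part of this project's code. It needs no Express dependency; the cookie name `csrfToken`, the request shape and the cookie options are assumptions, only the `x-csrf-token` header name comes from the README.

```typescript
import { randomBytes, timingSafeEqual } from "node:crypto";

// Assumed names: the README only fixes the header name (x-csrf-token).
export const CSRF_COOKIE = "csrfToken";
export const CSRF_HEADER = "x-csrf-token";
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Minimal request shape so this file runs without Express installed.
export interface CsrfRequest {
  method: string;
  cookies: Record<string, string | undefined>;
  headers: Record<string, string | undefined>;
}

// Fresh random token: the server sets it as the CSRF cookie, the client echoes it in the header.
export function generateCsrfToken(): string {
  return randomBytes(32).toString("hex");
}

// Unlike the auth cookie, the CSRF cookie must NOT be httpOnly: the front end has to read it.
export function csrfCookieOptions() {
  return { httpOnly: false, secure: true, sameSite: "strict" as const, path: "/" };
}

// Constant-time compare; timingSafeEqual throws on length mismatch, so check length first.
function safeEqual(a: string, b: string): boolean {
  const ab = Buffer.from(a, "utf8");
  const bb = Buffer.from(b, "utf8");
  return ab.length === bb.length && timingSafeEqual(ab, bb);
}

// Double-submit check: a cross-site page can make the browser attach the cookie,
// but cannot read it, so it cannot supply a matching custom header.
export function verifyCsrf(req: CsrfRequest): { ok: boolean; reason?: string } {
  if (SAFE_METHODS.has(req.method.toUpperCase())) return { ok: true };
  const cookie = req.cookies[CSRF_COOKIE];
  const header = req.headers[CSRF_HEADER];
  if (!cookie) return { ok: false, reason: "missing CSRF cookie" };
  if (!header) return { ok: false, reason: "missing x-csrf-token header" };
  if (!safeEqual(cookie, header)) return { ok: false, reason: "CSRF token mismatch" };
  return { ok: true };
}

// Express-style adapter: reject state-changing requests that fail the check.
type Res = { status(code: number): { json(body: unknown): void } };
export function csrfMiddleware(req: CsrfRequest, res: Res, next: () => void): void {
  const result = verifyCsrf(req);
  if (result.ok) return next();
  res.status(403).json({ error: result.reason });
}
```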
CORS:
- Allowlist-based origin control
- Credentials enabled for secure cookie sharing
- Prevents unauthorized cross-origin access
Rate limiting:
- Global API rate limiting
- Strict limits on authentication endpoints
- Prevents brute-force attacks
Input validation:
- Schema validation using Zod
- Sanitization of user inputs
- Prevents malformed or malicious data
MongoDB query safety:
- Input filtering and validation
- Safe query handling in MongoDB
Hardening:
- Security headers using Helmet
- Disable `x-powered-by`
- Structured error handling
Configuration:
- Sensitive data stored in `.env`
- No secrets exposed in codebase
- Configurable production environment