セキュリティチェックリスト

// Bad: Direct use of user input
element.innerHTML = userInput;

// Good: Sanitize input before using
import { sanitize } from 'some-sanitizer-library';
element.innerHTML = sanitize(userInput);

Help me validate and sanitize inputs to protect against XSS attacks

Help me keep sensitive data out of the browser. Am I doing this correctly?

// Example of CSRF token implementation
const csrfToken = generateToken();
session.csrfToken = csrfToken;

Help me implement CSRF tokens for forms

Help me implement authentication for my application with Replit Auth

// Example authorization check
if (!user.canAccess(resource)) {
  return res.status(403).send('Access denied');
}

Help me implement authorization checks for my application

How do I properly authenticate endpoints in my app?

// Bad: String concatenation in queries
db.query(`SELECT * FROM users WHERE username = '${username}'`);

// Good: Parameterized queries with ORM
db.query('SELECT * FROM users WHERE username = ?', [username]);

<!-- In index.html or through your back-end -->
<meta http-equiv="X-Frame-Options" content="DENY">
<meta http-equiv="X-Content-Type-Options" content="nosniff">
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">

Can you add the security headers to my application?

npm audit

// Bad: Exposing sensitive details
catch (err) {
  res.status(500).send(`Database error: ${err.message}`);
}

// Good: Generic error message
catch (err) {
  console.error(err); // Log internally
  res.status(500).send('An error occurred');
}

Help me implement proper error handling for my application

Help me secure my cookies for my application

Help me secure my file uploads for my application

// Example rate limiting middleware
const rateLimit = require('express-rate-limit');

const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100 // limit each IP to 100 requests per windowMs
});

app.use('/api/', limiter);

Help me implement rate limiting for my application