Week 14: Hardening Web Applications

Security, Performance, and Production Readiness

NoteReading Assignment

Review this material before your final project presentation.

Overview

This week focuses on the gap between a working application and a production-ready one. “Hardening” means systematically reducing the attack surface, improving resilience, and ensuring your application can be operated, monitored, and maintained in production.

Key Concepts

• Defense in depth — security at every layer (network, transport, application, data)
• OWASP Top 10 — the most critical web application security risks
• Authentication hardening — password hashing, JWT best practices, rate limiting
• HTTP security headers — CSP, HSTS, X-Frame-Options via helmet
• Input validation — server-side validation, injection prevention (SQL, NoSQL, XSS)
• Dependency security — npm audit, lock files, automated scanning
• Infrastructure hardening — HTTPS, CORS configuration, secrets management
• Error handling — generic messages in production, structured logging
• Performance — CDN, compression, caching, connection pooling, database indexing
• Monitoring & observability — logs, metrics, traces

Hardening Checklist

Security

• All secrets in environment variables (not in code or git history)
• .env files in .gitignore
• Passwords hashed with bcrypt (cost 12+) or Argon2id
• JWT access tokens have short TTL (15 min), refresh tokens are revocable
• Every API route checks ownership (filter by userId)
• Input validated server-side (type, length, format)
• helmet() middleware enabled for security headers
• CORS configured with specific allowed origins (not *)
• npm audit shows zero critical/high vulnerabilities
• HTTPS enabled (automatic on Vercel/CloudFront)
• Rate limiting on authentication endpoints

Reliability & Performance

• Error handler returns generic messages in production
• Timeouts on all external calls (DB, APIs, Redis)
• Health check endpoint (/api/health)
• Database connection pooling / caching (especially for Lambda)
• Lock file committed (package-lock.json)
• npm ci used in CI/CD (not npm install)
• Compression middleware enabled
• Static assets served via CDN
• Structured JSON logging (no sensitive data in logs)

Further Reading

OWASP & Security

• OWASP Top 10 (2021)
• OWASP Cheat Sheet Series
• OWASP Authentication Cheat Sheet
• OWASP Authorization Cheat Sheet
• OWASP Input Validation Cheat Sheet

HTTP Security Headers

• Helmet.js Documentation
• SecurityHeaders.com — scan your deployed app
• MDN Content Security Policy

Authentication & Secrets

• WorkOS — OAuth and JWT Best Practices
• Google OAuth 2.0 Best Practices
• NIST Password Guidelines

Dependency Security

• npm audit Documentation
• Snyk — Open Source Security
• Socket.dev — Supply Chain Security
• GitHub Dependabot

Rate Limiting

• Express Rate Limit — middleware for Express apps
• rate-limit-redis — Redis-backed store for distributed rate limiting
• Understanding Rate Limiting Algorithms (Cloudflare) — fixed window, sliding window, token bucket, leaky bucket
• AWS API Gateway Throttling — platform-level rate limiting
• IETF RateLimit Header Fields (RFC 9110) — X-RateLimit-* and Retry-After headers

Performance & Monitoring

• web.dev Performance
• Lighthouse Documentation
• Pino Logger — fast structured logging for Node.js
• Express Validator

SSL/TLS

• SSL Labs Server Test — test your TLS configuration
• Let’s Encrypt — free TLS certificates