| name | NestJS Security |
| description | Authentication, RBAC, and Hardening standards. |
NestJS Security Standards
Priority: P0 (CRITICAL)
Authentication (JWT)
- Strategy: Use `@nestjs/passport` with `passport-jwt`.
- Algorithm: Enforce `RS256` (preferred) or `HS256`. Reject `none`.
- Claims: Validate `iss` and `aud`.
- Tokens: Short-lived access tokens (15m); long-lived refresh tokens (7d) in `httpOnly` cookies.
- MFA: Require 2FA for admin panels.
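The checks the strategy above must enforce, written out as an added example (not code from this document or from `passport-jwt`): it uses only Node's built-in `crypto`, so it runs without NestJS, and it implements HS256 only; the `algorithms`, `issuer` and `audience` fields mirror the `passport-jwt` strategy options of the same names, and the `now` field is this example's own hook for deterministic testing.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Verification policy; the first four fields mirror the passport-jwt strategy options.
export interface VerifyOptions {
  secret: string;        // HS256 shared secret (RS256 would take a public key instead)
  algorithms: string[];  // server-side allowlist; "none" is rejected unconditionally
  issuer: string;
  audience: string;
  now?: number;          // seconds since epoch; injectable for deterministic tests
}

export interface Claims {
  iss?: string;
  aud?: string | string[];
  exp?: number;
  sub?: string;
  [claim: string]: unknown;
}

// Constructs an HS256 token; used here only to build inputs for verifyJwt.
export function signHs256(claims: Claims, secret: string): string {
  const header = Buffer.from(JSON.stringify({ alg: "HS256", typ: "JWT" })).toString("base64url");
  const payload = Buffer.from(JSON.stringify(claims)).toString("base64url");
  const sig = createHmac("sha256", secret).update(`${header}.${payload}`).digest("base64url");
  return `${header}.${payload}.${sig}`;
}

function isObject(v: unknown): v is Record<string, unknown> {
  return typeof v === "object" && v !== null;
}

// Returns the claims on success, otherwise a short reason for rejection.
export function verifyJwt(token: string, opts: VerifyOptions): Claims | string {
  const parts = token.split(".");
  if (parts.length !== 3) return "malformed";
  const [h, p, s] = parts;
  let header: unknown;
  let claims: unknown;
  try {
    header = JSON.parse(Buffer.from(h, "base64url").toString("utf8"));
    claims = JSON.parse(Buffer.from(p, "base64url").toString("utf8"));
  } catch {
    return "malformed";
  }
  if (!isObject(header) || !isObject(claims)) return "malformed";

  // 1. Algorithm: the header is attacker-controlled. It is checked against the
  //    server's allowlist and never selects the verification routine on its own.
  const alg = header.alg;
  if (typeof alg !== "string" || alg === "none" || !opts.algorithms.includes(alg)) {
    return "alg not allowed";
  }
  if (alg !== "HS256") return "alg not implemented in this example";

  // 2. Signature, compared in constant time.
  const expected = createHmac("sha256", opts.secret).update(`${h}.${p}`).digest();
  const actual = Buffer.from(s, "base64url");
  if (actual.length !== expected.length || !timingSafeEqual(actual, expected)) {
    return "bad signature";
  }

  // 3. Claims: iss and aud bind the token to this issuer and this API.
  const c = claims as Claims;
  if (c.iss !== opts.issuer) return "bad issuer";
  const aud = Array.isArray(c.aud) ? c.aud : [c.aud];
  if (!aud.includes(opts.audience)) return "bad audience";

  // 4. Expiry: a 15-minute access token is only short-lived if exp is enforced.
  const now = opts.now ?? Math.floor(Date.now() / 1000);
  if (typeof c.exp !== "number" || c.exp <= now) return "expired";
  return c;
}
```

The order matters: the algorithm check runs before any cryptographic work, so a token whose header says `none` (or names an algorithm the server did not configure) is rejected without its signature ever being evaluated. When configuring the real strategy, pass `algorithms: ['RS256']` (or `['HS256']`) explicitly rather than relying on the library default.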
Authorization (RBAC)
- Deny by default: Bind `AuthGuard` globally (`APP_GUARD`).
- Bypass: Create a `@Public()` decorator for open routes.
- Roles: Use `Reflector.getAllAndOverride` to merge method- and class-level metadata.
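The decision logic of a global, deny-by-default guard, as an added example that is not the document's or NestJS's own code: `getAllAndOverride` below is a stand-in for `Reflector.getAllAndOverride` with the same semantics (the first target that defines the key wins), so the block runs without `@nestjs/core`; the metadata keys `IS_PUBLIC_KEY` and `ROLES_KEY` and the `RequestUser` shape are this example's own assumptions.

```typescript
// Metadata keys a @Public() and a @Roles(...) decorator would set; names are this example's own.
export const IS_PUBLIC_KEY = "isPublic";
export const ROLES_KEY = "roles";

// Metadata attached to a route handler or its controller class. A real guard reads
// both from the ExecutionContext (getHandler() / getClass()) through Reflector.
export type Metadata = Record<string, unknown>;

// Stand-in for Reflector.getAllAndOverride: returns the first defined value across the
// targets, so with [handler, controller] the method-level metadata overrides the class.
export function getAllAndOverride<T>(key: string, targets: Metadata[]): T | undefined {
  for (const target of targets) {
    const value = target[key];
    if (value !== undefined) return value as T;
  }
  return undefined;
}

export interface RequestUser {
  id: string;
  roles: string[];
}

// Decision logic of a guard bound with APP_GUARD: every route is closed unless it is
// explicitly public, and a closed route needs an authenticated user with a required role.
export function canActivate(user: RequestUser | null, handler: Metadata, controller: Metadata): boolean {
  if (getAllAndOverride<boolean>(IS_PUBLIC_KEY, [handler, controller]) === true) return true;
  if (user === null) return false; // no valid JWT on the request: deny
  const required = getAllAndOverride<string[]>(ROLES_KEY, [handler, controller]);
  if (required === undefined || required.length === 0) return true; // authenticated is enough
  return required.some((role) => user.roles.includes(role));
}
```

One consequence of the override semantics to be aware of when reviewing controllers: a `@Roles()` with no arguments on a method replaces, rather than narrows, a `@Roles('admin')` on its class, so the method becomes reachable by any authenticated user. If the intent is to accumulate roles from both levels, `Reflector.getAllAndMerge` is the call that does that.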
Cryptography
- Hashing: Use Argon2id, not Bcrypt. See implementation.
- Encryption: Use AES-256-GCM with KMS rotation. See implementation.
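Field encryption with AES-256-GCM under a rotatable keyring, as an added example (not the document's "See implementation" code): it uses Node's built-in `crypto`, and the in-memory `Keyring` type, the `keyId.iv.ciphertext.tag` record format and the `rotate`/`retire` helpers are this example's own assumptions standing in for a KMS-backed key store. Argon2id is not covered here because it is not part of Node's standard library.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Keyring: key id -> 32-byte AES key. In production the keys come from KMS; the ring
// is held in memory here only so the example runs offline.
export interface Keyring {
  current: string;           // id used for new encryptions
  keys: Map<string, Buffer>; // every id that may still decrypt stored records
}

// Record format: keyId.iv.ciphertext.tag (base64url). Carrying the key id is what lets
// records written before a rotation still be decrypted afterwards.
export function encrypt(plaintext: string, ring: Keyring, aad = ""): string {
  const key = ring.keys.get(ring.current);
  if (key === undefined) throw new Error("current key missing from ring");
  const iv = randomBytes(12); // 96-bit nonce; must never repeat under the same key
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(aad, "utf8")); // binds the record to its context (e.g. owner id)
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  return [ring.current, iv.toString("base64url"), ct.toString("base64url"), tag.toString("base64url")].join(".");
}

// Returns the plaintext, or null when the key id is unknown/retired or the GCM tag
// fails to verify (tampered ciphertext, wrong AAD, or wrong key).
export function decrypt(record: string, ring: Keyring, aad = ""): string | null {
  const parts = record.split(".");
  if (parts.length !== 4) return null;
  const [kid, ivB64, ctB64, tagB64] = parts;
  const key = ring.keys.get(kid);
  if (key === undefined) return null;
  try {
    const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(ivB64, "base64url"));
    decipher.setAAD(Buffer.from(aad, "utf8"));
    decipher.setAuthTag(Buffer.from(tagB64, "base64url"));
    const pt = Buffer.concat([decipher.update(Buffer.from(ctB64, "base64url")), decipher.final()]);
    return pt.toString("utf8");
  } catch {
    return null;
  }
}

// Rotation: the new key becomes current; old ids stay in the ring for decryption until
// every record has been re-encrypted, after which they are retired.
export function rotate(ring: Keyring, newId: string, newKey: Buffer): Keyring {
  const keys = new Map(ring.keys);
  keys.set(newId, newKey);
  return { current: newId, keys };
}

export function retire(ring: Keyring, id: string): Keyring {
  if (id === ring.current) throw new Error("cannot retire the current key");
  const keys = new Map(ring.keys);
  keys.delete(id);
  return { current: ring.current, keys };
}
```

Two design points: the AAD ties a ciphertext to its row (an owner id, say), so a record copied into another user's row fails to decrypt; and `decrypt` returns `null` for every failure rather than distinguishing them, so callers cannot leak which check failed.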
Hardening
- Helmet: Mandatory. Enable HSTS, CSP.
- CORS: Explicit origins only. No `*`.
- Throttling: Use Redis-backed `@nestjs/throttler` in production.
- CSRF: Required for cookie-based auth. See implementation.
Data Protection
- Sanitization: Use `ClassSerializerInterceptor` + `@Exclude()`.
- Validation: `ValidationPipe({ whitelist: true })` to prevent mass assignment.
- Audit: Log mutations (who, what, when). See implementation.
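What `whitelist: true` does to a request body, as an added example rather than NestJS's own pipe: `applyWhitelist` reproduces the stripping behaviour of `ValidationPipe`'s `whitelist` and `forbidNonWhitelisted` options, with the DTO's declared properties passed in as a plain list (`allowed`) instead of being read from class-validator metadata. The `CREATE_USER_FIELDS` list and `BadRequestError` class are this example's own.

```typescript
// Same meaning as the ValidationPipe options of the same names.
export interface WhitelistOptions {
  whitelist: boolean;
  forbidNonWhitelisted?: boolean;
}

export class BadRequestError extends Error {}

// `allowed` stands in for the properties the DTO declares with class-validator
// decorators; the real pipe derives that set from the DTO class's metadata.
export function applyWhitelist(
  body: Record<string, unknown>,
  allowed: readonly string[],
  opts: WhitelistOptions,
): Record<string, unknown> {
  if (!opts.whitelist) return body; // mass assignment: every client-sent key reaches the handler
  const extra = Object.keys(body).filter((k) => !allowed.includes(k));
  if (opts.forbidNonWhitelisted && extra.length > 0) {
    throw new BadRequestError(`property ${extra.join(", ")} should not exist`);
  }
  // Object.fromEntries defines own properties, so a key named "__proto__" cannot
  // change the prototype of the result the way `out[key] = value` would.
  return Object.fromEntries(Object.entries(body).filter(([k]) => allowed.includes(k)));
}

// Fields a signup DTO would declare; isAdmin / role are deliberately not among them.
export const CREATE_USER_FIELDS = ["email", "password"] as const;
```

`whitelist: true` silently drops unknown properties; adding `forbidNonWhitelisted: true` turns them into a 400 instead, which is the better choice for APIs where an unexpected `role` or `isAdmin` field is a signal worth logging rather than ignoring.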
Secrets Management
- CI/CD: Run `npm audit --prod` in pipelines.
- Runtime: Inject via a vault (AWS Secrets Manager / HashiCorp Vault), not `.env`.
Anti-Patterns
- No Shadow APIs: Audit routes regularly; disable `/docs` in production.
- No SSRF: Allowlist domains for all outgoing HTTP requests.
- No SQLi: Use the ORM; avoid raw `query()` with string concatenation.
- No XSS: Sanitize HTML input with `dompurify`.
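Exact-match allowlisting for the SSRF rule above and for the explicit-origins CORS rule under Hardening, as one added example that is not the document's own code: `naiveIsAllowed` is the prefix check the rule is meant to replace, `isAllowedOutboundUrl` is the hardened form for outgoing requests, and `isAllowedOrigin` applies the same principle to the `Origin` header. The host `api.partner.example` and the origin `https://app.example` are constructed sample values.

```typescript
// The kind of check the SSRF rule exists to replace: a prefix match on the raw string.
export function naiveIsAllowed(raw: string): boolean {
  return raw.startsWith("https://api.partner.example");
}

// Hardened check for outgoing requests: parse first, then compare the canonical
// hostname exactly against the allowlist, and refuse anything that is not plain https.
export function isAllowedOutboundUrl(raw: string, allowedHosts: readonly string[]): boolean {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    return false; // unparseable: deny
  }
  if (url.protocol !== "https:") return false; // no http:, file:, gopher:, ...
  if (url.username !== "" || url.password !== "") return false; // "https://api.partner.example@evil.test"
  // The URL parser lowercases and IDNA-normalises the hostname, so exact equality suffices.
  return allowedHosts.includes(url.hostname);
}

// Same principle for CORS: compare the full origin (scheme + host + port) exactly,
// never a substring, and never reflect the request's Origin header back unconditionally.
export function isAllowedOrigin(originHeader: string, allowedOrigins: readonly string[]): boolean {
  let origin: string;
  try {
    origin = new URL(originHeader).origin;
  } catch {
    return false;
  }
  return origin !== "null" && allowedOrigins.includes(origin);
}
```

Two caveats for the outbound case: the allowlist only governs the URL the application asks for, so redirects must be disabled on the HTTP client or re-checked per hop, and a name that resolves to an internal address at request time is outside what a hostname check can catch. For CORS, `isAllowedOrigin` is the shape of the `origin` callback you would pass to `enableCors`, where the allowed origins live in configuration and `*` never appears.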
Related Topics
common/security-standards | architecture | database