Security

STX provides comprehensive security features to help you build secure applications by default. This page covers all security capabilities and best practices in the STX ecosystem.

Built-in Security Features

Cross-Site Scripting (XSS) Prevention

STX automatically escapes output by default:

html

<!-- Safe: automatically escaped -->
<div>{{ userInput }}</div>

<!-- Raw HTML: use with caution -->
<div>&#123;&#123;&#123; trustedHtml &#125;&#125;&#125;</div>

CSRF Protection

Built-in CSRF token generation and validation:

typescript

// Automatic CSRF protection
app.use(csrf({
  cookie: {
    httpOnly: true,
    secure: true,
    sameSite: 'strict'
  }
}))

Content Security Policy

Configure CSP headers:

typescript

app.use(csp({
  directives: {
    defaultSrc: ["'self'"],
    styleSrc: ["'self'", "'unsafe-inline'"],
    scriptSrc: ["'self'", "'nonce-{random}'"],
    imgSrc: ["'self'", "data:", "https:"]
  }
}))

Authentication & Authorization

Authentication Middleware

typescript

import { auth } from '@stx/auth'

// Route protection
app.use('/dashboard', auth.requireAuth())

// Role-based access
app.use('/admin', auth.requireRole('admin'))

Session Security

typescript

// Secure session configuration
app.use(session({
  secret: process.env.SESSION_SECRET,
  cookie: {
    secure: true,
    httpOnly: true,
    maxAge: 24 * 60 * 60 * 1000, // 24 hours
    sameSite: 'strict'
  },
  rolling: true
}))

JWT Security

typescript

import { jwt } from '@stx/auth'

// Secure JWT configuration
const jwtConfig = {
  algorithm: 'HS256',
  expiresIn: '15m',
  issuer: 'stx-app',
  audience: 'stx-users'
}

// Token validation
app.use(jwt.verify(jwtConfig))

Input Validation & Sanitization

Form Validation

typescript

import { validate } from '@stx/validation'

const userSchema = {
  email: 'email|required',
  password: 'string|min:8|required',
  name: 'string|max:100|required'
}

app.post('/users', validate(userSchema), (req, res) => {
  // Validated data is safe to use
  const { email, password, name } = req.validated
})

SQL Injection Prevention

typescript

// Parameterized queries (safe)
const user = await db.query(
  'SELECT * FROM users WHERE email = ?',
  [email]
)

// ORM usage (safe)
const user = await User.where('email', email).first()

File Upload Security

typescript

import { upload } from '@stx/upload'

app.post('/upload', upload({
  allowedTypes: ['image/jpeg', 'image/png'],
  maxSize: 5 * 1024 * 1024, // 5MB
  sanitizeFilename: true,
  virusScan: true
}))

Security Headers

Comprehensive Header Setup

typescript

app.use(helmet({
  // XSS Protection
  xssFilter: true,
  
  // Content Type Options
  noSniff: true,
  
  // Frame Options
  frameguard: { action: 'deny' },
  
  // HSTS
  hsts: {
    maxAge: 31536000,
    includeSubDomains: true,
    preload: true
  },
  
  // Referrer Policy
  referrerPolicy: 'strict-origin-when-cross-origin'
}))

Encryption & Hashing

Password Hashing

typescript

import { hash, verify } from '@stx/crypto'

// Hash password
const hashedPassword = await hash.password(plainPassword, {
  algorithm: 'argon2id',
  memoryCost: 65536,
  timeCost: 3,
  parallelism: 4
})

// Verify password
const isValid = await verify.password(plainPassword, hashedPassword)

Data Encryption

typescript

import { encrypt, decrypt } from '@stx/crypto'

// Encrypt sensitive data
const encrypted = await encrypt(sensitiveData, {
  algorithm: 'aes-256-gcm',
  key: process.env.ENCRYPTION_KEY
})

// Decrypt data
const decrypted = await decrypt(encrypted, {
  key: process.env.ENCRYPTION_KEY
})

Rate Limiting

Request Rate Limiting

typescript

import { rateLimit } from '@stx/security'

// Global rate limiting
app.use(rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100, // limit each IP to 100 requests per windowMs
  message: 'Too many requests from this IP'
}))

// API-specific rate limiting
app.use('/api', rateLimit({
  windowMs: 1 * 60 * 1000, // 1 minute
  max: 10 // 10 requests per minute
}))

Brute Force Protection

typescript

import { bruteForce } from '@stx/security'

app.post('/login', bruteForce.protect(), async (req, res) => {
  // Login logic with automatic brute force protection
})

Security Monitoring

Security Event Logging

typescript

import { securityLogger } from '@stx/logging'

// Log security events
securityLogger.warn('Failed login attempt', {
  ip: req.ip,
  userAgent: req.get('User-Agent'),
  email: req.body.email
})

// Log successful authentication
securityLogger.info('User authenticated', {
  userId: user.id,
  ip: req.ip
})

Intrusion Detection

typescript

import { ids } from '@stx/security'

// Configure intrusion detection
app.use(ids({
  enabled: true,
  rules: [
    'detect_sql_injection',
    'detect_xss_attempts',
    'detect_path_traversal'
  ],
  onDetection: (threat) => {
    securityLogger.alert('Security threat detected', threat)
  }
}))

Security Testing

Automated Security Scans

bash

# Run security audit
bun audit

# Run SAST (Static Application Security Testing)
bun run security:scan

# Run dependency vulnerability check
bun run security:deps

Penetration Testing

typescript

// Security test suite
import { securityTest } from '@stx/testing'

securityTest('XSS protection', () => {
  const maliciousInput = '<script>alert("xss")</script>'
  const result = render(template, { input: maliciousInput })
  expect(result).not.toContain('<script>')
})

securityTest('CSRF protection', async () => {
  const response = await request(app)
    .post('/api/users')
    .send({ name: 'Test' })
    
  expect(response.status).toBe(403) // CSRF token missing
})

Compliance & Standards

OWASP Top 10 Protection

STX addresses the OWASP Top 10 security risks:

Injection: Parameterized queries and input validation
Broken Authentication: Secure session management
Sensitive Data Exposure: Built-in encryption utilities
XML External Entities: Safe XML parsing
Broken Access Control: Role-based authorization
Security Misconfiguration: Secure defaults
Cross-Site Scripting: Automatic output escaping
Insecure Deserialization: Safe serialization practices
Known Vulnerabilities: Automated dependency scanning
Insufficient Logging: Comprehensive security logging

Data Protection Compliance

typescript

// GDPR compliance helpers
import { gdpr } from '@stx/compliance'

// Data anonymization
const anonymized = gdpr.anonymize(userData)

// Right to be forgotten
await gdpr.deleteUserData(userId)

// Data export
const exportData = gdpr.exportUserData(userId)

Security Guide - Comprehensive security guide
Component API - Component authentication patterns
Deployment Guide - Secure deployment practices
Testing Guide - Security testing strategies

Security ​

Built-in Security Features ​

Cross-Site Scripting (XSS) Prevention ​

CSRF Protection ​

Content Security Policy ​

Authentication & Authorization ​

Authentication Middleware ​

Session Security ​

JWT Security ​

Input Validation & Sanitization ​

Form Validation ​

SQL Injection Prevention ​

File Upload Security ​

Security Headers ​

Comprehensive Header Setup ​

Encryption & Hashing ​

Password Hashing ​

Data Encryption ​

Rate Limiting ​

Request Rate Limiting ​

Brute Force Protection ​

Security Monitoring ​

Security Event Logging ​

Intrusion Detection ​

Security Testing ​

Automated Security Scans ​

Penetration Testing ​

Compliance & Standards ​

OWASP Top 10 Protection ​

Data Protection Compliance ​

Related Resources ​

Security

Built-in Security Features

Cross-Site Scripting (XSS) Prevention

CSRF Protection

Content Security Policy

Authentication & Authorization

Authentication Middleware

Session Security

JWT Security

Input Validation & Sanitization

Form Validation

SQL Injection Prevention

File Upload Security

Security Headers

Comprehensive Header Setup

Encryption & Hashing

Password Hashing

Data Encryption

Rate Limiting

Request Rate Limiting

Brute Force Protection

Security Monitoring

Security Event Logging

Intrusion Detection

Security Testing

Automated Security Scans

Penetration Testing

Compliance & Standards

OWASP Top 10 Protection

Data Protection Compliance

Related Resources