Implement comprehensive security middleware to protect against XSS, brute force, and other vulnerabilities

[Copilot]

This PR implements a comprehensive security framework to protect the ChatSphere Backend application against the most common web vulnerabilities including XSS attacks, brute force attacks, NoSQL injection, and denial of service attacks.

🔒 Security Features Implemented

Rate Limiting Protection

• Authentication endpoints: Limited to 5 requests per 15 minutes per IP to prevent brute force attacks
• General API endpoints: Limited to 100 requests per 15 minutes per IP
• Sensitive operations: Limited to 3 requests per hour per IP
• Uses express-rate-limit middleware with proper error responses

Security Headers

Implemented comprehensive security headers using helmet middleware:

• Content Security Policy (CSP): Prevents XSS and code injection
• X-Frame-Options: Prevents clickjacking attacks
• X-Content-Type-Options: Prevents MIME type sniffing
• X-XSS-Protection: Enables browser XSS filtering
• Strict-Transport-Security: Enforces HTTPS connections

XSS Protection

• Input sanitization middleware that processes all request data (body, query parameters, URL parameters)
• Uses xss library to remove malicious scripts and HTML tags
• Automatically sanitizes user inputs before they reach controllers

Database Security

• NoSQL Injection Protection: Uses express-mongo-sanitize to remove prohibited characters like $ and .
• HTTP Parameter Pollution Protection: Uses hpp middleware to prevent duplicate parameter attacks

Login Security

• Account Lockout Mechanism: Tracks failed login attempts per IP and email combination
• Temporarily locks accounts after 5 failed attempts within 15 minutes
• Automatically unlocks accounts after the lockout period expires
• Clears failed attempts on successful login

Request Security

• Size Limits: Limited JSON and URL-encoded payloads to 10MB to prevent DoS attacks
• Trust Proxy Configuration: Ensures correct IP address identification behind reverse proxies

Error Handling

• Improved error messages to prevent information disclosure
• Generic error responses for unexpected errors while maintaining debugging capability
• Proper logging for security events

Dependency Security

• Updated multer to latest version to address CVE-2022-24434
• Installed latest versions of all security middleware packages

🛡️ Vulnerabilities Addressed

This implementation protects against:

• Cross-Site Scripting (XSS) attacks
• Brute force login attacks
• NoSQL injection attacks
• HTTP Parameter Pollution
• Denial of Service (DoS) attacks
• Clickjacking attacks
• MIME type sniffing
• Information disclosure through error messages
• Known vulnerabilities in dependencies

🧪 Testing & Documentation

• Added comprehensive security test suite (tests/security.test.js)
• Created manual security testing script (scripts/test-security.js)
• Added detailed security documentation (docs/SECURITY.md)
• All existing functionality preserved and tested

🔧 Implementation Details

The security middleware is implemented in a modular way:

• src/middlewares/security/rateLimiter.js - Rate limiting configuration
• src/middlewares/security/sanitizer.js - XSS protection and input sanitization
• src/middlewares/security/loginAttempts.js - Login attempt tracking and account lockout

Security middleware is applied globally in starter.js with specific rate limiters applied to authentication routes in src/routes/auth.js.

🚀 Usage

The security features are automatically applied to all routes. No additional configuration is required, though settings can be customized in the respective middleware files.

To test the security features manually:

# Start the server
node index.js --environment dev

# Run security tests
node scripts/test-security.js

This implementation provides enterprise-grade security while maintaining the existing API structure and functionality.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• scarf.sh
  • Triggering command: node ./report.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.