[Feature]: Add rate limiting and security headers to backend API

[04shubham7]

So, what is it about?

Implement centralized logging of requests and error handling middleware; use a structured logger like Winston or Pino.Protect APIs from brute-force and injection attacks by adding rate limiting, Helmet middleware for security headers.

Code of Conduct

• I agree to follow this project's Code of Conduct

[harshthakur3]

assign me this

[04shubham7]

assign me this

https://discord.com/channels/1415383312134045726/1426947255037988968/1427591357672853504

[harshthakur3]

📋 My Approach:

Phase 1: Centralized Logging Setup

1. Install Dependencies:

   npm install winston morgan

2. Create Logger Configuration (src/config/logger.js):

   • Set up Winston with multiple transports (console, file)
   • Configure log levels (error, warn, info, debug)
   • Add timestamp and JSON formatting
   • Create separate files for error logs and combined logs

3. Request Logging Middleware (src/middleware/requestLogger.js):

   • Integrate Morgan with Winston
   • Log HTTP requests (method, URL, status, response time)
   • Sanitize sensitive data (passwords, tokens) from logs
   • Track user IDs for authenticated requests

Phase 2: Error Handling Middleware

1. Create Error Classes (src/middleware/errorHandler.js):

   • Custom error classes: ValidationError, NotFoundError, UnauthorizedError
   • Async handler wrapper to catch promise rejections

2. Global Error Handler:

   • Centralized error handling for all routes
   • Log errors with full context (method, path, user, stack trace)
   • Send appropriate error responses
   • Handle common errors (Mongoose, JWT, validation)

Phase 3: Security Implementation

1. Install Security Packages:

   npm install helmet express-rate-limit express-mongo-sanitize xss-clean hpp cors

2. Security Middleware (src/middleware/security.js):

   • Helmet: Add security headers (XSS, HSTS, noSniff, etc.)
   • Rate Limiting:
     • General API: 100 requests per 15 minutes
     • Auth routes: 5 attempts per 15 minutes (stricter for login/register)
   • NoSQL Injection Protection: Sanitize user input
   • XSS Protection: Clean malicious scripts
   • CORS: Configure allowed origins

3. Apply Middleware in app.js:

   • Add security middleware before routes
   • Apply general rate limiter to /api/*
   • Apply strict limiter to /api/auth/*
   • Add request logger
   • Add error handler at the end

Phase 4: Testing & Documentation

1. Test rate limiting with multiple requests
2. Verify logs are being written correctly
3. Test error handling with various scenarios
4. Update .env.example with new configuration options
5. Add README section explaining logging and security setup

📁 File Structure:

src/
├── config/
│   └── logger.js              # Winston configuration
├── middleware/
│   ├── errorHandler.js        # Error handling & custom errors
│   ├── security.js            # Rate limiting & Helmet
│   └── requestLogger.js       # Request logging
├── app.js                     # Apply all middleware
└── .env.example               # Add security configs

⏱️ Estimated Timeline:

• Day 1-2: Logger setup + request logging
• Day 3: Error handling middleware
• Day 4-5: Security middleware (rate limiting, Helmet, sanitization)
• Day 6: Testing & documentation

✅ Deliverables:

• ✅ Production-ready Winston logger with file rotation
• ✅ Comprehensive error handling with custom error classes
• ✅ Rate limiting for all API routes (adjustable per route)
• ✅ Complete security headers via Helmet
• ✅ Protection against NoSQL injection, XSS, and brute-force attacks
• ✅ Clean, documented, and maintainable code
• ✅ Configuration examples and setup instructions

💪 My Experience:

I have experience with Node.js/Express middleware, security best practices, and have implemented similar logging/security systems in previous projects. I'm familiar with Winston, Helmet, and rate-limiting strategies.

Please assign this issue to me. I'm ready to start immediately and will keep you updated with progress!

---

Code of Conduct:

• I agree to follow this project's Code of Conduct

---

This approach is straightforward, well-structured, and shows you understand the requirements. Feel free to adjust based on your actual experience level!

[04shubham7]

ok i will assign you once all the predecessor issues get resolved as all the issues are interdependent.