docs(): add security category

Author: kamilmysliwiec

content/techniques/authentication.md renamed to content/security/authentication.md

@@ -0,0 +1,22 @@
+### CORS
+
+Cross-origin resource sharing (CORS) is a mechanism that allows resources to be requested from another domain. Under the hood, Nest makes use of the Express [cors](https://github.com/expressjs/cors) package. This package provides various options that you can customize based on your requirements.
+
+#### Getting started
+
+To enable CORS, call the `enableCors()` method on the Nest application object.
+
+```typescript
+const app = await NestFactory.create(AppModule);
+app.enableCors();
+await app.listen(3000);
+```
+
+The `enableCors()` method takes an optional configuration object argument. The available properties of this object are described in the official [CORS](https://github.com/expressjs/cors#configuration-options) documentation.
+
+Alternatively, enable CORS via the `create()` method's options object. Set the `cors` property to `true` to enable CORS with default settings. Alternatively, pass a [CORS configuration object](https://github.com/expressjs/cors#configuration-options) as the `cors` property value to customize its behavior.
+
+```typescript
+const app = await NestFactory.create(AppModule, { cors: true });
+await app.listen(3000);
+```

content/security/cors.md

@@ -0,0 +1,37 @@
+### CSRF Protection
+
+Cross-site request forgery (also known as CSRF or XSRF) is a type of malicious exploit of a website where **unauthorized** commands are transmitted from a user that the web application trusts. To mitigate this kind of attack you can use the [csurf](https://github.com/expressjs/csurf) package.
+
+#### Use with Express (default)
+
+Start by installing the required package:
+
+```bash
+$ npm i --save csurf
+```
+
+> warning **Warning** As explained on the [csurf middleware page](https://github.com/expressjs/csurf#csurf), the csurf module requires either session middleware or a cookie-parser to be initialized first. Please see that documentation for further instructions.
+
+Once the installation is complete, apply the csurf middleware as global middleware.
+
+```typescript
+import * as csurf from 'csurf';
+// somewhere in your initialization file
+app.use(csurf());
+```
+
+#### Use with Fastify
+
+Start by installing the required package:
+
+```bash
+$ npm i --save fastify-csrf
+```
+
+Once the installation is complete, register the `fastify-csrf` pluign, as follows:
+
+```typescript
+import fastifyCsrf from 'fastify-csrf';
+// somewhere in your initialization file
+app.register(fastifyCsrf);
+```

content/security/csrf.md

@@ -0,0 +1,73 @@
+### Encryption and Hashing
+
+**Encryption** is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can decipher a ciphertext back to plaintext and access the original information. Encryption does not itself prevent interference but denies the intelligible content to a would-be interceptor. Encryption is a two-way function; what is encrypted can be decrypted with the proper key.
+
+**Hashing** is the process of converting a given key into another value. A hash function is used to generate the new value according to a mathematical algorithm. Once hashing has been done, it should be impossible to go from the output to the input.
+
+#### Encryption
+
+Node.js provides a built-in [crypto module](https://nodejs.org/api/crypto.html) that you can use to encrypt and decrypt strings, numbers, buffers, streams, and more. Nest itself does not provide any additional package on top of this module to avoid introducing unnecessary abstractions.
+
+As an example, let's use AES (Advanced Encryption System) `'aes-256-ctr'` algorithm CTR encryption mode.
+
+```typescript
+import { createCipheriv, randomBytes } from 'crypto';
+
+const iv = randomBytes(16);
+const cipher = createCipheriv('aes-256-ctr', 'secretKey', iv);
+
+const textToEncrypt = 'Nest';
+const encryptedText = Buffer.concat([
+  cipher.update(textToEncrypt),
+  cipher.final(),
+]);
+```
+
+Now to decrypt `encryptedText` value:
+
+```typescript
+import { createDecipheriv } from 'crypto';
+
+const decipher = createDecipheriv('aes-256-ctr', 'secretKey', iv);
+const decryptedText = Buffer.concat([
+  decipher.update(encryptedText),
+  decipher.final(),
+]);
+```
+
+#### Hashing
+
+For hashing, we recommed using either the [bcrypt](https://www.npmjs.com/package/bcrypt) or [argon2](https://www.npmjs.com/package/argon2) packages. Nest itself does not provide any additional wrappers on top of these modules to avoid introducing unnecessary abstractions (making the learning curve short).
+
+As an example, let's use `bcrypt` to hash a random pasword.
+
+First install required packages:
+
+```shell
+$ npm i bcrypt
+$ npm i -D @types/bcrypt
+```
+
+Once the installation is complete, you can use the `hash` function, as follows:
+
+```typescript
+import * as bcrypt from 'bcrypt';
+
+const saltOrRounds = 10;
+const password = 'random_password';
+const hash = await bcrypt.hash(password, saltOrRounds);
+```
+
+To generate a salt, use the `genSalt` function:
+
+```typescript
+const salt = await bcrypt.genSalt();
+```
+
+To compare/check a password, use the `compare` function:
+
+```typescript
+const isMatch = await bcrypt.compare(password, hash);
+```
+
+You can read more about available functions [here](https://www.npmjs.com/package/bcrypt).

content/security/encryption-hashing.md

@@ -0,0 +1,37 @@
+### Helmet
+
+[Helmet](https://github.com/helmetjs/helmet) can help protect your app from some well-known web vulnerabilities by setting HTTP headers appropriately. Generally, Helmet is just a collection of 14 smaller middleware functions that set security-related HTTP headers (read [more](https://github.com/helmetjs/helmet#how-it-works)).
+
+> info **Hint** Note that applying `helmet` as global or registering it must come before other calls to `app.use()` or setup functions that may call `app.use()`). This is due to the way the underlying platform (i.e., Express or Fastify) works, where the order that middleware/routes are defined matters. If you use middleware like `helmet` or `cors` after you define a route, then that middleware will not apply to that route, it will only apply to middleware defined after the route.
+
+#### Use with Express (default)
+
+Start by installing the required package.
+
+```bash
+$ npm i --save helmet
+```
+
+Once the installation is complete, apply it as a global middleware.
+
+```typescript
+import * as helmet from 'helmet';
+// somewhere in your initialization file
+app.use(helmet());
+```
+
+#### Use with Fastify
+
+If you are using the `FastifyAdapter`, install the [fastify-helmet](https://github.com/fastify/fastify-helmet) package:
+
+```bash
+$ npm i --save fastify-helmet
+```
+
+[fastify-helmet](https://github.com/fastify/fastify-helmet) should not be used as a middleware, but as a [Fastify plugin](https://www.fastify.io/docs/latest/Plugins/), i.e., by using `app.register()`:
+
+```typescript
+import * as helmet from 'fastify-helmet';
+// somewhere in your initialization file
+app.register(helmet);
+```

content/security/helmet.md

@@ -0,0 +1,34 @@
+### Rate limiting
+
+A common technique to protect applications from brute-force attacks is **rate-limiting**. Many Express packages exist to provide a rate-limiting feature. A popular one is [express-rate-limit](https://github.com/nfriedly/express-rate-limit).
+
+#### Getting started
+
+Start by installing the required package:
+
+```bash
+$ npm i --save express-rate-limit
+```
+
+Once the installation is complete, apply the rate-limiter as global middleware.
+
+```typescript
+import * as rateLimit from 'express-rate-limit';
+// somewhere in your initialization file
+app.use(
+  rateLimit({
+    windowMs: 15 * 60 * 1000, // 15 minutes
+    max: 100, // limit each IP to 100 requests per windowMs
+  }),
+);
+```
+
+When there is a load balancer or reverse proxy between the server and the internet, Express may need to be configured to trust the headers set by the proxy in order to get the correct IP for the end user. To do so, first use the `NestExpressApplication` platform [interface](https://docs.nestjs.com/first-steps#platform) when creating your `app` instance, then enable the [trust proxy](https://expressjs.com/en/guide/behind-proxies.html) setting:
+
+```typescript
+const app = await NestFactory.create<NestExpressApplication>(AppModule);
+// see https://expressjs.com/en/guide/behind-proxies.html
+app.set('trust proxy', 1);
+```
+
+> info **Hint** If you use the `FastifyAdapter`, use the [fastify-rate-limit](https://github.com/fastify/fastify-rate-limit) package instead.

content/security/rate-limiting.md

@@ -140,6 +140,13 @@ const routes: Routes = [
             (m) => m.TechniquesModule,
           ),
       },
+      {
+        path: 'security',
+        loadChildren: () =>
+          import('./homepage/pages/security/security.module').then(
+            (m) => m.SecurityModule,
+          ),
+      },
       {
         path: 'graphql',
         loadChildren: () =>

content/techniques/security.md

@@ -82,18 +82,17 @@ export class MenuComponent implements OnInit {
       title: 'Techniques',
       isOpened: false,
       children: [
-        { title: 'Authentication', path: '/techniques/authentication' },
         { title: 'Database', path: '/techniques/database' },
         { title: 'Mongo', path: '/techniques/mongodb' },
         { title: 'Configuration', path: '/techniques/configuration' },
         { title: 'Validation', path: '/techniques/validation' },
         { title: 'Caching', path: '/techniques/caching' },
         { title: 'Serialization', path: '/techniques/serialization' },
         { title: 'Task scheduling', path: '/techniques/task-scheduling' },
-        { title: 'Security', path: '/techniques/security' },
         { title: 'Queues', path: '/techniques/queues' },
-        { title: 'Logger', path: '/techniques/logger' },
+        { title: 'Logging', path: '/techniques/logger' },
         { title: 'Cookies', path: '/techniques/cookies' },
+        // { title: 'Events', path: '/techniques/#' },
         { title: 'Compression', path: '/techniques/compression' },
         { title: 'File upload', path: '/techniques/file-upload' },
         { title: 'HTTP module', path: '/techniques/http-module' },
@@ -102,6 +101,21 @@ export class MenuComponent implements OnInit {
         { title: 'Server-Sent Events', path: '/techniques/server-sent-events' },
       ],
     },
+    {
+      title: 'Security',
+      isOpened: false,
+      children: [
+        { title: 'Authentication', path: '/security/authentication' },
+        {
+          title: 'Encryption and Hashing',
+          path: '/security/encryption-and-hashing',
+        },
+        { title: 'Helmet', path: '/security/helmet' },
+        { title: 'CORS', path: '/security/cors' },
+        { title: 'CSRF Protection', path: '/security/csrf' },
+        { title: 'Rate limiting', path: '/security/rate-limiting' },
+      ],
+    },
     {
       title: 'GraphQL',
       isOpened: false,
@@ -201,12 +215,12 @@ export class MenuComponent implements OnInit {
         { title: 'TypeORM', path: '/recipes/sql-typeorm' },
         { title: 'Mongoose', path: '/recipes/mongodb' },
         { title: 'Sequelize', path: '/recipes/sql-sequelize' },
+        { title: 'CRUD generator', path: '/recipes/crud-generator' },
+        { title: 'Health checks (Terminus)', path: '/recipes/terminus' },
+        { title: 'Documentation', path: '/recipes/documentation' },
         { title: 'OpenAPI (Swagger)', path: '/recipes/swagger' },
         { title: 'CQRS', path: '/recipes/cqrs' },
         { title: 'Prisma', path: '/recipes/prisma' },
-        { title: 'Health checks (Terminus)', path: '/recipes/terminus' },
-        { title: 'Documentation', path: '/recipes/documentation' },
-        { title: 'CRUD generator', path: '/recipes/crud-generator' },
         { title: 'Hot reload', path: '/recipes/hot-reload' },
         { title: 'Serve static', path: '/recipes/serve-static' },
       ],