fix(security): add helmet and express-mongo-sanitize global middleware#108
Conversation
…ware
The app relied entirely on per-handler validation to stay safe from
NoSQL operator injection, with no centralized safety net and no HTTP
security headers.
- Add helmet() early in the middleware chain to set secure response
headers (X-Content-Type-Options, X-Frame-Options, HSTS, etc.).
- Add express-mongo-sanitize() after body parsing to strip keys
containing $ or . from req.body, req.params and req.query, so an
operator-shaped payload like { "email": { "$gt": "" } } can never
reach a query as an operator object, regardless of the handler.
Both run before the routes, providing defense-in-depth without changing
any existing auth or notes CRUD behavior.
Closes niharika-mente#79
|
Warning Review limit reached
Next review available in: 26 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (2)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Overview
Adds centralized defense-in-depth middleware to
backend/src/server.js. The apppreviously relied solely on per-handler validation to stay safe from NoSQL
(operator) injection, with no global safety net and no HTTP security headers.
Closes #79
Changes
helmet()— registered early in the middleware chain to set secure HTTPresponse headers (
X-Content-Type-Options: nosniff,X-Frame-Options, HSTS, etc.).express-mongo-sanitize()— registered after body parsing to strip keyscontaining
$or.fromreq.body,req.params, andreq.query, so anoperator-shaped payload can never reach a Mongo query as an operator object —
regardless of whether the individual handler validates.
Both run before the routes. The change is purely additive:
mongo-sanitizeonly removes
$/.-prefixed keys, which legitimate auth and notes payloads neveruse, so existing behavior is unchanged.
Express here is v4, so the known
express-mongo-sanitizeread-onlyreq.querycrash (Express 5) does not apply.
Acceptance criteria
helmetandexpress-mongo-sanitizeadded and registered before routes.{ "email": { "$gt": "" } }is sanitized and cannot reach a query as an operator object.Testing
Ran the exact middleware chain (
helmet→express.json→express-mongo-sanitize)against a live request:
{ email: { $gt: "" }, name: "ok", nested: { "$where": "...", safe: 1 } }→
{ email: {}, name: "ok", nested: { safe: 1 } }— operator keys stripped atevery level, legitimate fields preserved.
?filter[$gt]=→{ filter: {} }.x-content-type-options: nosniffandx-frame-options: SAMEORIGINfrom helmet.