This Notepad application is designed for users to create, update, and manage personal notes. It provides an easy-to-use interface, strong user authentication, and an emphasis on security as a core feature. Users can sign up, log in, and securely store their notes, which are linked to their personal accounts.
The application uses Helmet to enhance security by setting a variety of HTTP headers that protect the app from common web vulnerabilities such as cross-site scripting (XSS), clickjacking, and other attacks.
```js
// Register Helmet before the routes so every response carries its headers.
const helmet = require('helmet');
app.use(helmet());
```
The app incorporates rate limiting using express-rate-limit to mitigate brute force attacks, distributed denial-of-service (DDoS) attacks, and abusive usage. This feature ensures that a client can only make a certain number of requests in a defined period. A limiter is also applied to the /login route to prevent brute force attacks on user accounts.
User passwords are never stored in plain text. The app uses bcryptjs to securely hash passwords before storing them in the database. This ensures that even if the database is compromised, user passwords are not exposed in plain text.
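The following is an added example, not the project's own code, showing the fixed-window behaviour that express-rate-limit's `windowMs` and `max` options give you and how a stricter limiter is attached to the login route. It is written against Node built-ins so it runs without the package; the specific limits (100 requests per 15 minutes in general, 5 per 15 minutes for `/login`) and the Express wiring shown in the comment are assumptions, not values taken from the app.

```javascript
// Added example (not the project's code): a minimal fixed-window rate limiter
// with windowMs / max semantics like express-rate-limit, keyed by client IP.
// The limits below are assumed values for illustration.

function createRateLimiter({ windowMs, max, now = () => Date.now() }) {
  const hits = new Map(); // key -> { count, resetAt }

  // Records one request from `key` and reports whether it is allowed.
  function check(key) {
    const t = now();
    let entry = hits.get(key);
    if (!entry || t >= entry.resetAt) {
      // Window expired (or first request): start a fresh window.
      entry = { count: 0, resetAt: t + windowMs };
      hits.set(key, entry);
    }
    entry.count += 1;
    const allowed = entry.count <= max;
    return {
      allowed,
      remaining: Math.max(0, max - entry.count),
      retryAfterMs: allowed ? 0 : entry.resetAt - t,
    };
  }

  // Express-style middleware: sets RateLimit headers and answers 429 when over limit.
  function middleware(req, res, next) {
    const result = check(req.ip);
    res.setHeader('RateLimit-Limit', String(max));
    res.setHeader('RateLimit-Remaining', String(result.remaining));
    if (!result.allowed) {
      res.setHeader('Retry-After', String(Math.ceil(result.retryAfterMs / 1000)));
      res.status(429).json({ error: 'Too many requests, please try again later.' });
      return;
    }
    next();
  }

  return { check, middleware };
}

// A loose general limiter and a much tighter one for credential guessing on /login.
const generalLimiter = createRateLimiter({ windowMs: 15 * 60 * 1000, max: 100 });
const loginLimiter = createRateLimiter({ windowMs: 15 * 60 * 1000, max: 5 });

// Assumed Express wiring (the app's actual route handlers are not shown here):
//   app.use(generalLimiter.middleware);
//   app.post('/login', loginLimiter.middleware, loginHandler);
```

Keying on `req.ip` only works correctly behind a reverse proxy if Express is told to trust it (`app.set('trust proxy', ...)`); otherwise every client appears to share the proxy's address and one busy client can lock out everyone.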
User sessions are managed with JWT tokens, which are securely signed using a secret key. JWT tokens are stored client-side and sent with each request to verify the user's identity.
Sensitive information such as the JWT secret, database credentials, and other configuration settings are stored securely in environment variables using dotenv. This ensures that these values are not hard-coded into the app's source code.
To ensure that only requests from allowed origins can interact with the API, the app uses the cors middleware, which helps prevent unauthorized cross-origin requests from untrusted sources.
To prevent automated bots from spamming or registering accounts, the app implements a honeypot technique. This method involves adding a hidden field in user-facing forms (such as registration and login) that normal users will not fill in, but bots might.
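The honeypot check as an Express-style middleware, added here as an example and not taken from the project. The hidden field name `website`, the `onTrigger` logging hook and the choice to answer a triggered submission with a bland success response (so the bot gets no signal that it was caught) are all assumptions; the app's actual field name and response are not given.

```javascript
// Added example (not the project's code): honeypot middleware for form routes.
// Assumed markup on the form (hidden from humans, visible to naive bots):
//   <input type="text" name="website" tabindex="-1" autocomplete="off" aria-hidden="true" style="display:none">

function honeypotFilled(body, field) {
  if (!body || !(field in body)) return false;
  const raw = body[field];
  // Form parsers may yield an array if the field is repeated; flatten it.
  const value = Array.isArray(raw) ? raw.join('') : raw;
  return typeof value === 'string' && value.trim() !== '';
}

function honeypot({ field = 'website', onTrigger = null } = {}) {
  return function honeypotMiddleware(req, res, next) {
    if (honeypotFilled(req.body, field)) {
      // Record the event for monitoring without echoing the submitted data.
      if (onTrigger) onTrigger({ ip: req.ip, field, path: req.path });
      // Generic success-looking response: do not reveal the trap.
      return res.status(200).json({ ok: true });
    }
    return next();
  };
}

// Assumed wiring, after body parsing and rate limiting:
//   app.post('/register', honeypot({ field: 'website' }), registerHandler);
```

Autofill can occasionally populate a hidden field for a real user, so counting triggers per route (via `onTrigger`) before tightening the response is a reasonable check that the field name is not one browsers like to complete.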
Users sign up with a unique email, username, and password. Passwords are hashed before being stored in the PostgreSQL database. Upon logging in, users receive a JWT token, which they can use to authenticate their session.
Each note is tied to a specific user account, ensuring that notes are only accessible to the authenticated user. Notes are stored securely in a PostgreSQL database and can be created, updated, or deleted via the app's interface.
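An added example (not the project's code) of the ownership rule that makes "notes are only accessible to the authenticated user" hold on every route: the user id always comes from the verified token, never from the request body, and it is part of every query's WHERE clause, so a note that belongs to someone else is indistinguishable from one that does not exist. The table and column names (`notes`, `id`, `user_id`), the `sub` claim and the `db.query` call shape (as with node-postgres) are assumptions; the in-memory store mirrors the same rule so it can run without a database.

```javascript
// Added example (not the project's code): per-user note access.
// Assumed schema: notes(id, user_id, title, body). Parameterized SQL as used
// with a pg client; the owner id is always bound as a parameter.
const SQL_GET_NOTE = 'SELECT id, title, body FROM notes WHERE id = $1 AND user_id = $2';
const SQL_UPDATE_NOTE = 'UPDATE notes SET title = $3, body = $4 WHERE id = $1 AND user_id = $2 RETURNING id, title, body';
const SQL_DELETE_NOTE = 'DELETE FROM notes WHERE id = $1 AND user_id = $2';

// In-memory store applying the same rule, for running the logic offline.
function createNoteStore(seed = []) {
  const notes = new Map(seed.map((n) => [n.id, { ...n }]));
  return {
    // null for both "no such note" and "not your note": no existence leak.
    get(noteId, userId) {
      const n = notes.get(noteId);
      return n && n.userId === userId ? { ...n } : null;
    },
    // Only title/body may change; id and owner are never taken from the patch.
    update(noteId, userId, patch) {
      const n = notes.get(noteId);
      if (!n || n.userId !== userId) return null;
      n.title = patch.title ?? n.title;
      n.body = patch.body ?? n.body;
      return { ...n };
    },
    remove(noteId, userId) {
      const n = notes.get(noteId);
      if (!n || n.userId !== userId) return false;
      notes.delete(noteId);
      return true;
    },
  };
}

// Express handler shape with a pg-style client: req.user is set by the JWT
// middleware; a 404 is returned whether the note is missing or belongs to someone else.
async function getNoteHandler(db, req, res) {
  const { rows } = await db.query(SQL_GET_NOTE, [req.params.id, req.user.sub]);
  if (rows.length === 0) return res.status(404).json({ error: 'not found' });
  return res.json(rows[0]);
}

// Assumed wiring:
//   app.get('/notes/:id', requireAuth(process.env.JWT_SECRET), (req, res) => getNoteHandler(db, req, res));
```

The important failure mode this guards against is a route that looks up a note by `id` alone and only checks that the caller is logged in; with sequential ids that exposes every user's notes to any authenticated account.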
The app places a strong emphasis on securing user data and limiting access to the API. Security features such as HTTP headers, rate limiting, password hashing, and token-based authentication are integral to the app's design.