Boilerplate application for Node.js with express, sucrase, sequelize, authenticated REST API, and implementing security best practices.

    git clone https://github.com/rafaelcalhau/boilerplate-nodejs-mysql.git my-awesome-js-project

    cd my-awesome-js-project

    yarn // or npm install

docker-compose up -d

The project eslint-plugin-security helps to identify potential security hotspots.

Your application won't show that was developed using Express.js, preventing to send this info to attackers.

Very popular and good practice. We should use the package dotenv in order to use .env files in our application

From the NGINX blog:

Rate limiting can be used for security purposes, for example to slow down brute‑force password‑guessing attacks. It can help protect against DDoS attacks by limiting the incoming request rate to a value typical for real users, and (with logging) identify the targeted URLs. More generally, it is used to protect upstream application servers from being overwhelmed by too many user requests at the same time.

Your application should be using secure headers to prevent attackers from using common attacks like cross-site scripting (XSS), clickjacking and other malicious attacks. These can be configured easily using modules like helmet.

We're using bcrypt.js for users passwords. This package offer an optimized implementation of Bcrypt for JavaScript and is widely trusted and used over the Internet.

We're using Jest and Supertest. These libraries together can offer a lot of possibilities to build complete and trusteable tests. The base structure is already ready for you and there are a few tests available.

• Jestjs.io: Jest is a delightful JavaScript Testing Framework with a focus on simplicity.
• Supertest: Super-agent driven library for testing node.js HTTP servers using a fluent API.

To run a test:

yarn test

or

npm test

We’re under attack! 23+ Node.js security best practices