docs: add NestJS security cheatsheet #1988
Riya-chandra wants to merge 3 commits into OWASP:master from
Conversation
jmanico
left a comment
This is a well organized piece of work and I like it.
@jmanico Thank you sir
Great contribution! This will be helpful for the community. 🔥
Thanks for the great work!
Please carefully add your new cheatsheet here in this PR. https://github.com/OWASP/CheatSheetSeries/blob/master/Index.md
@jmanico I have added the cheatsheet in the index.md. Please have a look.
jmanico
left a comment
Please give us time for the other reviewers to review this.
lint errors in markdown: cheatsheets/NestJs_Security_Cheat_Sheet.md:31 MD031/blanks-around-fences Fenced code blocks should be surrounded by blank lines [Context: "
Is NestJS documentation covering that already?
Pull request overview
This PR adds a new NestJS-focused security cheat sheet to complement the existing Node.js/Express guidance, and links it from the main index to address issue #1986.
Changes:
- Added a new NestJs_Security_Cheat_Sheet.md covering request lifecycle security controls, validation/mass-assignment defenses, authz patterns, and secure middleware configuration.
- Updated Index.md to include the new NestJS cheat sheet under the “N” section.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 10 comments.
| File | Description |
|---|---|
| cheatsheets/NestJs_Security_Cheat_Sheet.md | New NestJS security mini-cheatsheet with implementation snippets and checklists. |
| Index.md | Adds an index entry pointing readers to the new NestJS cheat sheet. |
| ## N | ||
| [NestJS Security Cheat Sheet](cheatsheets/NestJS_Security_Cheat_Sheet.md) |
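Review bot: the link target `cheatsheets/NestJS_Security_Cheat_Sheet.md` does not match the file this PR adds, which both the lint output and the reviewed-files table spell `cheatsheets/NestJs_Security_Cheat_Sheet.md` (lowercase `s` in `Js`). On the case-sensitive filesystem of the mkdocs build this index entry is a broken link; make the link and the filename agree.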
| ```bash | ||
| # Attacker payload | ||
| POST /users | ||
| { "email": "user@test.com", "password": "pass", "role": "admin" } | ||
| # With forbidNonWhitelisted: true | ||
| → 400 Bad Request: "property role should not exist" | ||
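Review bot: the fence is tagged `bash`, but the block holds an HTTP request with a JSON body and a response line, not shell; tag it `http` or `text`, and add the blank lines around the fence that the MD031 lint error reports. The comment `# With forbidNonWhitelisted: true` should also say that `whitelist: true` must be set alongside it: class-validator only evaluates `forbidNonWhitelisted` while whitelisting, so on its own the option does not reject the `role` property shown in the payload.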
| canActivate(context: ExecutionContext): boolean { | ||
| const requiredRoles = this.reflector.get<Role[]>(ROLES_KEY, context.getHandler()); | ||
| if (!requiredRoles) return true; |
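Review bot: `this.reflector.get<Role[]>(ROLES_KEY, context.getHandler())` reads handler-level metadata only, so a `@Roles()` decorator placed on the controller class is ignored and those routes take the `if (!requiredRoles) return true;` branch, which is fail-open. Use `this.reflector.getAllAndOverride<Role[]>(ROLES_KEY, [context.getHandler(), context.getClass()])` as the NestJS authorization docs do, and state in the text that routes without role metadata are intentionally allowed through.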
| contentSecurityPolicy: { | ||
| directives: { | ||
| defaultSrc: ["'self'"], | ||
| scriptSrc: ["'self'"], | ||
| styleSrc: ["'self'", "'unsafe-inline'"], |
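Review bot: `styleSrc: ["'self'", "'unsafe-inline'"]` weakens the policy that the adjacent `scriptSrc: ["'self'"]` establishes; in a sheet about secure defaults either drop `'unsafe-inline'` or add a sentence saying when it is an acceptable trade-off and that a nonce or hash list is the stricter alternative.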
| validationSchema: Joi.object({ | ||
| NODE_ENV: Joi.string().valid('development', 'production').required(), | ||
| JWT_SECRET: Joi.string().min(32).required(), | ||
| DATABASE_URL: Joi.string().required(), |
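Review bot: `NODE_ENV: Joi.string().valid('development', 'production')` rejects `test`, so startup validation fails under a test runner that sets `NODE_ENV=test`; add `'test'` to the allowed values. Since the CORS snippet in this sheet reads `ALLOWED_ORIGINS` from the environment, declare it here too (`ALLOWED_ORIGINS: Joi.string().required()`) so a missing value fails at boot instead of silently.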
| import { ExceptionFilter, Catch, HttpException, HttpStatus } from '@nestjs/common'; | ||
| @Catch() | ||
| export class GlobalExceptionFilter implements ExceptionFilter { | ||
| catch(exception: unknown, host: ArgumentsHost) { | ||
| const ctx = host.switchToHttp(); |
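Review bot: `ArgumentsHost` is used in the `catch(exception: unknown, host: ArgumentsHost)` signature but is missing from the `@nestjs/common` import on the first line, so the snippet does not compile as written; add it to the import list.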
| | Security Control | Where to Apply | Key Setting | | ||
| | --------------- | -------------- | ----------- | | ||
| | Input Validation | Global Pipe | `forbidNonWhitelisted: true` | | ||
| | Authentication | Guard | Apply before RolesGuard | | ||
| | CORS | Middleware | Specific origins only | | ||
| | Rate Limiting | Global Guard | Stricter on auth routes | |
| const requiredRoles = this.reflector.get<Role[]>(ROLES_KEY, context.getHandler()); | ||
| if (!requiredRoles) return true; | ||
| const { user } = context.switchToHttp().getRequest(); |
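Review bot: `const { user } = context.switchToHttp().getRequest();` assumes an authentication guard has already populated `request.user`; if `RolesGuard` runs on a route where it has not (the summary table only says to apply authentication "before RolesGuard"), `user` is `undefined` and reading its roles throws, turning a 403 into a 500. Add `if (!user) return false;` (or throw `ForbiddenException`) before the role check, and say in the text how the guard ordering is enforced.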
| app.enableCors({ | ||
| origin: process.env.ALLOWED_ORIGINS?.split(','), |
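Review bot: `origin: process.env.ALLOWED_ORIGINS?.split(',')` fails open when the variable is unset: `origin` becomes `undefined` and the underlying `cors` middleware falls back to its default `Access-Control-Allow-Origin: *`, the opposite of the "Specific origins only" setting promised in the summary table. Fail closed instead (throw at startup when the list is empty, or require the variable in the Joi schema), and trim each entry, since `'a.example, b.example'.split(',')` yields `' b.example'`, which never matches a request origin.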
| import { extname } from 'path'; | ||
| export const imageUploadOptions = { | ||
| storage: diskStorage({ | ||
| destination: './uploads', | ||
| filename: (req, file, cb) => { | ||
| const uniqueName = `${Date.now()}${extname(file.originalname)}`; | ||
| cb(null, uniqueName); |
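Review bot: `extname(file.originalname)` takes the extension from the client-supplied filename, so the stored name is user-controlled even when the MIME type is filtered (an `.html` or `.svg` written to `./uploads` becomes a stored XSS vector if that directory is ever served statically), and `Date.now()` alone collides under concurrent uploads. Derive the extension from an allow-list keyed on the validated type, use `crypto.randomUUID()` for the base name, and import `diskStorage` from `multer` alongside `extname`, since only `extname` is imported in the snippet.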
Description
This PR introduces a new mini-cheatsheet specifically for NestJS security best practices. While the current Node.js sheet covers Express, this addition provides framework-native patterns for NestJS's unique architecture.
Key Sections:
Request Lifecycle: Strategic placement of security controls across Middleware, Guards, and Pipes.
Input Validation: Strict ValidationPipe setup to mitigate Mass Assignment risks.
Secure Defaults: Hardened Helmet and CORS configurations.
This PR fixes issue #1986.
Verification Results
Technical Accuracy: Snippets verified against NestJS v10+ standards.
Local Build: Verified that the new sheet renders correctly in the navigation under "Languages and Frameworks" using mkdocs serve.
Style: Content is kept concise as requested by the maintainers.
Thank you!