Skip to content
Korta

Security Notes

Threat model

Section titled “Threat model”

Primary risks considered for this project:

  • Abuse of public endpoints (bot traffic, brute force, high-frequency calls).
  • Unauthorized access to private user resources (link edit/delete, API key actions).
  • Credential leakage (JWT secrets, OAuth secrets, SMTP keys, DB credentials).
  • Input abuse (invalid URLs, malformed payloads, route probing).
  • Service disruption due to infrastructure limits (free-tier constraints).

Security controls

Section titled “Security controls”

  • Authentication:

    • Email/password login with hashed passwords (argon2).
    • Google OAuth login flow.
    • Email verification gate (isVerified) before protected operations.
    • JWT access tokens with expiration.
    • API key auth (X-API-Key) for integrations.

  • Authorization:

    • Protected routes require valid JWT or API key.
    • Ownership checks on mutable URL operations (PATCH/DELETE /urls/:shortId).
    • Unverified users are blocked from authenticated usage.

  • Input validation:

    • Request validation with Zod schemas.
    • Frontend URL validation uses parser normalization (new URL) to avoid regex backtracking risks.
    • Backend keeps strict URL validation on shorten/update endpoints.
    • Structured error responses for invalid input.

  • Abuse control:

    • Global API rate limiting (100 requests / 10 minutes / IP).
    • CORS allowlist for production frontend origins.

  • Secrets handling:

    • Secrets provided via environment variables (never hardcoded in source).
    • Separate secrets per environment.
    • Rotate credentials after accidental exposure.

Incident response

Section titled “Incident response”

  • Detection:

    • Monitor backend logs for repeated 401, 403, 429, and unusual traffic spikes.
    • Track OAuth and CORS failures for configuration drift.

  • Containment:

    • Regenerate compromised API keys immediately.
    • Rotate exposed secrets (JWT_SECRET, DB credentials, OAuth secret, SMTP secret).
    • Restrict allowed CORS origins if abuse source is identified.
    • Temporarily tighten rate limits if needed.

  • Recovery:

    • Redeploy with rotated secrets and verified env configuration.
    • Validate auth flow (/auth/login, /auth/me, /auth/google/callback).
    • Verify API health (/api/v1/health) and critical URL flows.
    • Restore data from DB backups if required by data-loss event.

Security checklist

Section titled “Security checklist”
  • Production secrets are set via env vars and never committed.
  • JWT_SECRET is strong, unique, and rotated when needed.
  • CORS_ORIGINS and FRONTEND_URL match production domains exactly.
  • Google OAuth origin and callback URI match deployed URLs.
  • Rate limiter is active in production.
  • Ownership checks exist for all mutating private URL endpoints.
  • API keys can be regenerated and old keys become invalid.
  • Incident rotation procedure is documented and tested.