Tutorial: Security Audit
Run a comprehensive security audit using Bootspring's security workflow.
What You'll Learn
- Using the security-audit workflow
- Dependency vulnerability scanning
- Code security analysis
- Configuration review
- Remediation strategies
Prerequisites
- Existing application codebase
- Bootspring initialized
- Git repository
Time Required
Approximately 30 minutes.
Step 1: Start the Security Audit Workflow
```bash
bootspring workflow start security-audit
```
The workflow has 4 phases:
- Scan - Automated security scanning
- Analyze - Risk assessment
- Report - Document findings
- Remediate - Fix issues
Step 2: Scan Phase
Dependency Scanning
The workflow first scans dependencies for known vulnerabilities.
Ask the security-expert:
```bash
bootspring agent invoke security-expert "Scan dependencies for vulnerabilities"
```
Manual npm audit:
```bash
npm audit
```
Static Code Analysis
Install and run security linters:
Install the ESLint security plugin:
```bash
npm install -D eslint-plugin-security
```
Add it to the ESLint config:
```js
// .eslintrc.js
module.exports = {
  plugins: ['security'],
  extends: ['plugin:security/recommended'],
};
```
Run the analysis:
```bash
npm run lint
```
Secrets Detection
Check for exposed secrets:
```bash
# Install gitleaks
brew install gitleaks
# Scan repository
gitleaks detect --source . --verbose
```
Configuration Review
Check security configurations:
```bash
bootspring agent invoke security-expert "Review security configurations in next.config.js, middleware.ts, and environment variables"
```
Step 3: Analyze Phase
Risk Assessment
Categorize findings by severity:
| Severity | Criteria | Response Time |
|---|---|---|
| Critical | Remote code execution, data breach | Immediate |
| High | Authentication bypass, SQL injection | 24-48 hours |
| Medium | XSS, information disclosure | 1 week |
| Low | Minor misconfigurations | Next sprint |
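The table above applied to scanner output, as an added example that is not part of the original tutorial or of Bootspring: it maps each entry of an `npm audit --json` report (npm 7+ format) to the tutorial's severity and response time. The sample report and its package names are constructed; treating npm's `moderate` as Medium and `info` as Low is an assumption.

```javascript
// Added example (not the tutorial's code): triage `npm audit --json` output.
// Assumption: npm "moderate" maps to the table's Medium and "info" to Low.
const RESPONSE = {
  critical: ['Critical', 'Immediate'],
  high: ['High', '24-48 hours'],
  moderate: ['Medium', '1 week'],
  low: ['Low', 'Next sprint'],
  info: ['Low', 'Next sprint'],
};
const ORDER = Object.keys(RESPONSE);

function triageAudit(report) {
  const findings = Object.values(report.vulnerabilities || {}).map((v) => {
    const [level, respondWithin] = RESPONSE[v.severity] || ['Unknown', 'Triage manually'];
    const via = v.via || [];
    const fix = v.fixAvailable; // false, true, or an object describing the upgrade
    return {
      package: v.name,
      level,
      respondWithin,
      direct: Boolean(v.isDirect),
      // `via` mixes advisory objects with strings naming a vulnerable dependency.
      advisories: via.filter((x) => typeof x === 'object').map((a) => a.title),
      inheritedFrom: via.filter((x) => typeof x === 'string'),
      // A semver-major fix is the kind `npm audit fix --force` applies.
      fix: !fix ? 'none' : fix.isSemVerMajor ? 'breaking upgrade' : 'non-breaking',
      rank: ORDER.indexOf(v.severity), // unknown severity (-1) sorts first
    };
  });
  return findings.sort((a, b) => a.rank - b.rank || a.package.localeCompare(b.package));
}

// Constructed sample report; package names and titles are placeholders.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-sdk': { name: 'example-sdk', severity: 'moderate', isDirect: true,
      via: ['example-http-client'], fixAvailable: true },
    'example-http-client': { name: 'example-http-client', severity: 'moderate',
      isDirect: false, via: [{ title: 'Constructed advisory A' }], fixAvailable: true },
    'example-template-lib': { name: 'example-template-lib', severity: 'critical',
      isDirect: true, via: [{ title: 'Constructed advisory B' }],
      fixAvailable: { name: 'example-template-lib', version: '3.0.0', isSemVerMajor: true } },
  },
};

for (const f of triageAudit(sampleReport)) {
  console.log(`${f.level.padEnd(8)} ${f.package}: ${f.respondWithin}, fix: ${f.fix}`);
}
```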
Common Vulnerabilities to Check
Ask the security-expert:
```bash
bootspring agent invoke security-expert "Check for OWASP Top 10 vulnerabilities in a Next.js application"
```
1. Injection Attacks
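```ts
// BAD: SQL injection vulnerable (user input interpolated into the query string)
const unsafeUsers = await prisma.$queryRawUnsafe(
  `SELECT * FROM users WHERE name = '${userInput}'`
);

// GOOD: Use parameterized queries
// (the query builder binds values; the $queryRaw tagged template does too)
const users = await prisma.user.findMany({
  where: { name: userInput },
});
```
2. Broken Authentication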
```ts
// Check session configuration
// middleware.ts
import { authMiddleware } from '@clerk/nextjs';

export default authMiddleware({
  publicRoutes: ['/', '/api/public'],
  // Ensure sensitive routes require auth
});
```
3. Sensitive Data Exposure
```ts
// BAD: Exposing sensitive data
return NextResponse.json(user);

// GOOD: Select only necessary fields
return NextResponse.json({
  id: user.id,
  name: user.name,
  email: user.email,
  // Exclude password, tokens, etc.
});
```
4. Security Headers
```js
// next.config.js
const securityHeaders = [
  {
    key: 'X-DNS-Prefetch-Control',
    value: 'on',
  },
  {
    key: 'Strict-Transport-Security',
    value: 'max-age=63072000; includeSubDomains; preload',
  },
  {
    key: 'X-Frame-Options',
    value: 'SAMEORIGIN',
  },
  {
    key: 'X-Content-Type-Options',
    value: 'nosniff',
  },
  {
    key: 'Referrer-Policy',
    value: 'origin-when-cross-origin',
  },
  {
    key: 'Content-Security-Policy',
    // 'unsafe-eval' and 'unsafe-inline' in script-src remove most of CSP's
    // XSS protection; tighten with nonces or hashes where the app allows.
    value: "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline';",
  },
];

module.exports = {
  async headers() {
    return [
      {
        source: '/:path*',
        headers: securityHeaders,
      },
    ];
  },
};
```
5. Rate Limiting
```ts
// Verify rate limiting is in place
import { rateLimiter } from '@/lib/rate-limit';

export async function POST(request: Request) {
  // x-forwarded-for is client-supplied unless a trusted proxy overwrites it
  const ip = request.headers.get('x-forwarded-for') || 'anonymous';

  try {
    await rateLimiter.check(100, ip); // 100 requests per minute
  } catch {
    return new Response('Too Many Requests', { status: 429 });
  }

  // Continue with request
}
```
Step 4: Report Phase
Generate Security Report
```bash
bootspring agent invoke security-expert "Generate a security audit report for our findings" --output review
```
Report Structure
```markdown
# Security Audit Report

**Date**: March 20, 2024
**Application**: MyApp
**Auditor**: Bootspring Security Expert

## Executive Summary

Overall security posture: [Good/Fair/Needs Improvement]
Critical findings: X
High findings: X
Medium findings: X
Low findings: X

## Findings

### Critical

#### [CRIT-001] SQL Injection in User Search
- **Location**: app/api/users/search/route.ts:15
- **Description**: User input directly concatenated into SQL query
- **Impact**: Attacker could extract or modify database data
- **Recommendation**: Use parameterized queries via Prisma
- **Remediation Priority**: Immediate

### High

#### [HIGH-001] Missing Rate Limiting on Auth Endpoints
- **Location**: app/api/auth/*/route.ts
- **Description**: No rate limiting on authentication endpoints
- **Impact**: Susceptible to brute force attacks
- **Recommendation**: Implement rate limiting middleware
- **Remediation Priority**: 24-48 hours

### Medium

#### [MED-001] Verbose Error Messages
- **Location**: Various API routes
- **Description**: Stack traces exposed in error responses
- **Impact**: Information disclosure to attackers
- **Recommendation**: Use generic error messages in production

### Low

#### [LOW-001] Missing Security Headers
- **Location**: next.config.js
- **Description**: Some recommended security headers missing
- **Impact**: Minor security hardening opportunity

## Recommendations

1. Implement input validation on all user inputs
2. Add rate limiting to all API endpoints
3. Enable all recommended security headers
4. Set up automated dependency scanning in CI
5. Conduct regular security reviews

## Compliance Checklist

- [ ] OWASP Top 10 mitigated
- [ ] GDPR requirements addressed
- [ ] SOC 2 controls implemented
- [ ] PCI DSS compliance (if applicable)
```
Step 5: Remediate Phase
Fix Critical Issues First
SQL Injection Fix:
```ts
// Before
const query = `SELECT * FROM users WHERE name LIKE '%${search}%'`;

// After
const users = await prisma.user.findMany({
  where: {
    name: {
      contains: search,
      mode: 'insensitive',
    },
  },
});
```
Implement Rate Limiting
```ts
// lib/rate-limit.ts
import { LRUCache } from 'lru-cache';

const rateLimiter = new LRUCache<string, number>({
  max: 500,
  ttl: 60 * 1000, // 1 minute
});

export function checkRateLimit(key: string, limit: number): boolean {
  const count = rateLimiter.get(key) || 0;

  if (count >= limit) {
    return false;
  }

  // set() refreshes the entry's TTL, so the window restarts on each counted request
  rateLimiter.set(key, count + 1);
  return true;
}

// Usage in API route
export async function POST(request: Request) {
  // x-forwarded-for is client-supplied unless a trusted proxy overwrites it
  const ip = request.headers.get('x-forwarded-for') || 'unknown';

  if (!checkRateLimit(ip, 10)) {
    return new Response('Too Many Requests', {
      status: 429,
      headers: { 'Retry-After': '60' },
    });
  }

  // Continue...
}
```
Add Security Headers
Apply the security headers configuration from Step 3.
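One way to verify the result once the headers are applied, as an added example (not Bootspring's or Next.js's own code): it checks a response's headers against the Step 3 list and flags a `script-src` that allows `'unsafe-inline'` or `'unsafe-eval'`. The header object is a constructed sample; the one-year HSTS minimum and leaving `X-DNS-Prefetch-Control` out of the required set are assumptions.

```javascript
// Added example (not the tutorial's code): audit headers against Step 3.
// X-DNS-Prefetch-Control is a performance setting, so it is not required here.
const REQUIRED = ['strict-transport-security', 'x-frame-options',
  'x-content-type-options', 'referrer-policy', 'content-security-policy'];

// "default-src 'self'; script-src 'self'" -> { 'default-src': ["'self'"], ... }
function parseCsp(value) {
  const policy = {};
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = sources; // first occurrence wins
  }
  return policy;
}

function auditHeaders(rawHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(rawHeaders)) h[k.toLowerCase()] = String(v);
  const issues = REQUIRED.filter((n) => !(n in h)).map((n) => `missing: ${n}`);
  const sniff = h['x-content-type-options'];
  if (sniff && sniff.trim().toLowerCase() !== 'nosniff') {
    issues.push('x-content-type-options: expected nosniff');
  }
  const hsts = h['strict-transport-security'];
  const maxAge = /max-age=(\d+)/i.exec(hsts || '');
  // Assumption: anything under one year (31536000 s) is too short.
  if (hsts && (!maxAge || Number(maxAge[1]) < 31536000)) {
    issues.push('strict-transport-security: max-age under one year');
  }
  const csp = parseCsp(h['content-security-policy'] || '');
  // script-src falls back to default-src when it is absent.
  const scripts = (csp['script-src'] || csp['default-src'] || []).map((s) => s.toLowerCase());
  for (const weak of ["'unsafe-inline'", "'unsafe-eval'"]) {
    if (scripts.includes(weak)) issues.push(`content-security-policy: script-src allows ${weak}`);
  }
  return issues;
}

// Constructed sample: the Step 3 values with Referrer-Policy left out.
const sampleHeaders = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'X-Frame-Options': 'SAMEORIGIN',
  'X-Content-Type-Options': 'nosniff',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline';",
};
console.log(auditHeaders(sampleHeaders));
```

Run against the Step 3 configuration as written, the check still reports the two `script-src` findings, since that CSP keeps both keywords.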
Update Dependencies
```bash
# Check for updates
npm outdated

# Update dependencies
npm update

# Fix vulnerabilities
npm audit fix

# Force fix (use caution)
npm audit fix --force
```
Step 6: Verify Fixes
Re-run Scans
```bash
# Dependency scan
npm audit

# Secrets scan
gitleaks detect

# Linting
npm run lint
```
Run Quality Gate
```bash
bootspring quality pre-deploy
```
Security Checklist
- All critical issues fixed
- All high issues fixed or tracked
- Security headers configured
- Rate limiting implemented
- Dependency vulnerabilities resolved
- Secrets not exposed
- Error handling sanitized
Step 7: Ongoing Security
Set Up Automated Scanning
```yaml
# .github/workflows/security.yml
name: Security Scan

on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: '0 0 * * 0' # Weekly

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run npm audit
        run: npm audit --audit-level=moderate

      - name: Run gitleaks
        uses: gitleaks/gitleaks-action@v2

      - name: Run Snyk
        # @master is a mutable ref; pin to a release tag or commit SHA
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
```
Schedule Regular Audits
- Monthly dependency reviews
- Quarterly security audits
- Annual penetration testing
Verification Checklist
- Workflow completed all phases
- Report generated and reviewed
- Critical/high issues remediated
- Automated scanning configured
- Team trained on security practices
What You Learned
- Running security audit workflows
- Common vulnerability patterns
- Security header configuration
- Remediation strategies
- Ongoing security practices