Practice & Assessment
Test your understanding of Security Hardening and Production Auth
Multiple Choice Questions
Why are JWT Bearer tokens in the Authorization header immune to CSRF attacks?
A login endpoint returns 'Invalid password' for wrong passwords and 'User not found' for unknown emails. What attack does this enable?
What is the risk of enabling HSTS with a one-year maxAge on a domain before testing?
Which of the following should NEVER appear in application log output?
Why should bcrypt cost factor (salt rounds) be set to 12 or higher for new projects in 2024?
Per-IP rate limiting on login can be bypassed. What additional layer makes it significantly more resilient?
Coding Challenges
Login Endpoint with Rate Limiting and Brute Force Protection
Build a POST /auth/login endpoint with two layers of brute force protection: express-rate-limit middleware limiting each IP to 10 requests per 15-minute window (return 429 when the limit is exceeded), and an in-memory per-account failed attempt counter (a Map keyed by email) that locks an account out after 5 consecutive failures for 15 minutes (return 429 with a lockout message). On successful login, reset the per-account counter. Use a hardcoded user array with bcrypt-hashed passwords. Return identical error messages for the 'wrong password' and 'user not found' cases. Log each attempt with event type, timestamp, and whether it succeeded. Input: POST with { email, password }. Output: { token } on success, { error } on failure. Estimated time: 25-30 minutes.
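The per-account lockout layer of this challenge, written here as an added reference example (not course or project code) in dependency-free Node so the policy can be exercised without Express, bcrypt or a network. It assumes the challenge's parameters (5 failures, 15-minute lockout), injects the clock and the credential check so they can be controlled in a test, and stands a placeholder in for the JWT the real endpoint would sign.

```javascript
// Added example, not the course's solution: per-account lockout policy
// from the challenge. Assumed: 5 consecutive failures lock the account
// for 15 minutes; `now` is injected so a test can advance time.
const MAX_FAILURES = 5;
const LOCKOUT_MS = 15 * 60 * 1000;
// One message for unknown user and wrong password, so the response body
// cannot be used to enumerate accounts.
const GENERIC_ERROR = 'Invalid email or password';

class AccountLockout {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.attempts = new Map(); // email -> { failures, lockedUntil }
  }
  // Milliseconds of lockout remaining, or 0 if the account may attempt.
  lockedFor(email) {
    const e = this.attempts.get(email);
    return e && e.lockedUntil > this.now() ? e.lockedUntil - this.now() : 0;
  }
  recordFailure(email) {
    const e = this.attempts.get(email) || { failures: 0, lockedUntil: 0 };
    if (e.lockedUntil && e.lockedUntil <= this.now()) e.failures = 0; // expired window
    e.failures += 1;
    if (e.failures >= MAX_FAILURES) e.lockedUntil = this.now() + LOCKOUT_MS;
    this.attempts.set(email, e);
  }
  recordSuccess(email) { this.attempts.delete(email); } // reset on success
}

// Decide the response for one attempt. `verify(email, password)` stands in
// for the bcrypt.compare lookup of the real endpoint (hypothetical hook).
// Log entries carry event type, timestamp and outcome, never the password.
function attemptLogin(lockout, email, password, verify, log = () => {}) {
  const at = lockout.now();
  if (lockout.lockedFor(email) > 0) {
    log({ event: 'login_locked', email, at, success: false });
    return { status: 429, body: { error: 'Account temporarily locked; try again later' } };
  }
  if (!verify(email, password)) {
    lockout.recordFailure(email);
    log({ event: 'login_failed', email, at, success: false });
    return { status: 401, body: { error: GENERIC_ERROR } };
  }
  lockout.recordSuccess(email);
  log({ event: 'login_success', email, at, success: true });
  return { status: 200, body: { token: 'JWT_PLACEHOLDER' } }; // real endpoint signs a JWT
}
```

The fifth failure itself is answered with the generic 401; from the sixth attempt on the account gets 429 until the window passes, and a success clears the counter.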
Mini Project
Production-Hardened Auth API
Build a complete, production-hardened Express auth API incorporating all module concepts. Requirements: helmet.js with HSTS and CSP configured, login with both per-IP rate limiting (express-rate-limit) and per-account lockout (Redis Map, 5 attempts / 15 min), bcrypt at cost 12, JWT access tokens (15 min) with HS256 and explicit algorithms whitelist, refresh tokens in HttpOnly Secure SameSite=Strict cookies, CSRF protection via Origin header validation on state-mutating routes, structured pino logging for all auth events (never log tokens or passwords), session regeneration for cookie-based flows, uniform error messages that prevent enumeration, and a GET /auth/security-report endpoint (admin only) returning counts of failed logins and rate limit triggers from the last hour. Document every security decision with inline comments.
