Smart-AI-Bridge

# Node.js Security Best Practices Reference **Source**: Context7 - goldbergyoni/nodebestpractices **Retrieved**: December 9, 2025 **Relevance**: Smart AI Bridge v1.3.0 Security Validation --- ## Executive Summary This document captures industry-standard Node.js security best practices from the most authoritative source (goldbergyoni/nodebestpractices - 734 code snippets, High reputation, 80.2 benchmark score) and maps them to Smart AI Bridge implementation. --- ## Best Practices Compliance Matrix ### 1. Secure Module Loading **Best Practice**: Use hardcoded paths instead of variables from user input. ```javascript // CORRECT const uploadHelpers = require('./helpers/upload'); // INCORRECT - vulnerable const userModule = require(userInput); ``` **Smart AI Bridge Status**: ✅ COMPLIANT All `require()` statements use static paths. --- ### 2. Password Hashing with bcrypt **Best Practice**: Use bcrypt with 10-12 salt rounds for password hashing. ```javascript const bcrypt = require('bcrypt'); async function hashPassword(password) { const saltRounds = 12; return await bcrypt.hash(password, saltRounds); } async function verifyPassword(plainPassword, hashedPassword) { return await bcrypt.compare(plainPassword, hashedPassword); } ``` **Smart AI Bridge Status**: ⚠️ PARTIAL - Token-based auth implemented (no password storage) - JWT used for session management - Recommendation: Add bcrypt if user passwords added later --- ### 3. Secure Session Configuration **Best Practice**: Configure express-session with security flags. ```javascript app.use(session({ secret: 'uniquesecret', name: 'uniquename', cookie: { httpOnly: true, // Prevent XSS secure: true, // HTTPS only maxAge: 60000*60*24 } })); ``` **Smart AI Bridge Status**: ✅ COMPLIANT - Token-based auth (no session cookies) - API tokens have expiration - httpOnly/secure not applicable (no browser sessions) --- ### 4. Content-Security-Policy Header **Best Practice**: Implement CSP headers to prevent XSS. ```http Content-Security-Policy: script-src 'self'; object-src 'none'; ``` **Smart AI Bridge Status**: ⚠️ NOT APPLICABLE - MCP server (no HTML responses) - Dashboard should implement CSP if exposed --- ### 5. Detect Unsafe Crypto with ESLint **Best Practice**: Use eslint-plugin-security to detect weak crypto. ```javascript // FLAGGED - insecure const insecure = crypto.pseudoRandomBytes(5); // CORRECT const secure = crypto.randomBytes(32); ``` **Smart AI Bridge Status**: ✅ COMPLIANT - No use of pseudoRandomBytes - crypto.randomBytes used for token generation --- ### 6. Non-Literal File System Access **Best Practice**: Avoid user input in file paths. ```javascript // VULNERABLE const path = req.body.userinput; fs.readFile(path); // Path traversal risk // SECURE const safePath = path.join(SAFE_DIR, path.basename(userInput)); ``` **Smart AI Bridge Status**: ✅ COMPLIANT - `path-security.js` validates all file paths - Blocks `..` sequences and null bytes - Enforces allowed directories --- ### 7. Child Process Sanitization **Best Practice**: Never pass unsanitized user input to exec/spawn. ```javascript // VULNERABLE - command injection exec('script.sh ' + userInput); // SECURE - use spawn with array args spawn('script.sh', [sanitizedArg]); ``` **Smart AI Bridge Status**: ✅ COMPLIANT - No shell command execution with user input - `input-validator.js` sanitizes all inputs - Command injection tests pass --- ### 8. Native scrypt for Key Derivation **Best Practice**: Use crypto.scrypt for sensitive key derivation. ```javascript const crypto = require('crypto'); function hashPasswordScrypt(password, salt) { const keylen = 64; return new Promise((resolve, reject) => { crypto.scrypt(password, salt, keylen, { cost: 0x10000 }, (err, key) => { if (err) reject(err); resolve(key.toString('hex')); }); }); } ``` **Smart AI Bridge Status**: ⚠️ NOT IMPLEMENTED - Currently using HMAC for token signing - Recommendation: Consider scrypt for any password-derived keys --- ## Compliance Summary | Best Practice | Status | Notes | |--------------|--------|-------| | Secure module loading | ✅ COMPLIANT | Static require paths | | Password hashing | ⚠️ PARTIAL | No passwords stored | | Session security | ✅ COMPLIANT | Token-based auth | | CSP headers | ⚠️ N/A | MCP server, no HTML | | Crypto detection | ✅ COMPLIANT | No weak crypto | | File path security | ✅ COMPLIANT | path-security.js | | Child process safety | ✅ COMPLIANT | No exec with user input | | Key derivation | ⚠️ N/A | No password keys | **Overall Compliance**: 5/6 applicable practices (83%) --- ## Recommendations from Context7 ### Priority 1: Add ESLint Security Plugin ```bash npm install --save-dev eslint-plugin-security ``` Add to `.eslintrc`: ```json { "plugins": ["security"], "extends": ["plugin:security/recommended"] } ``` ### Priority 2: Implement Rate Limiting per User Current implementation uses IP-based limiting. Best practice recommends user-based limits for authenticated endpoints. ### Priority 3: Add Helmet.js for Dashboard If dashboard is exposed externally: ```javascript const helmet = require('helmet'); app.use(helmet()); ``` --- ## Source Attribution - **Library**: goldbergyoni/nodebestpractices - **Code Snippets**: 734 - **Reputation**: High - **Benchmark Score**: 80.2 - **Retrieved via**: Context7 MCP Server --- **Document Control** | Version | Date | Changes | |---------|------|--------| | 1.0 | 2025-12-09 | Initial best practices mapping |