Security checklist with wasp

Hi, I've been building with wasp for the last 3-ish months. As launching is coming closer I'm becoming more and more concerned with security. Some steps I've taken are making sure npm audit reads 0 vulnerabilities, making sure backend functions only take/return/update what is needed, etc. Only thing I'm worried about are "unknown unknowns". Is there a security checklist I could use that applies to the default wasp stack?
4 Replies
kapa.ai (5d ago)
Hi @I’m not kidding., I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base.

I understand your concerns about security as you approach your launch with Wasp. While there isn't a specific security checklist mentioned in the knowledge sources for the default Wasp stack, I can share some security considerations that Wasp implements and some best practices based on the information available.

Security features in Wasp

Wasp already implements several security best practices by default:

1. Security headers: Wasp uses the 'helmet' npm package in the Node.js server, which provides various security headers such as:
   - removing the X-Powered-By header
   - setting Strict-Transport-Security
   - setting X-Frame-Options to SAMEORIGIN (helps against clickjacking)
   - setting X-Content-Type-Options to nosniff
   - and several other security headers (GitHub Issue #22)
2. Built-in security best practices: Wasp mentions that it maintains code for you, so you don't have to worry about keeping up with the latest security best practices (Wasp Docs).

Additional security considerations

Based on the knowledge sources, here are some areas to focus on:

1. Environment variables:
   - Ensure your environment variables like REACT_APP_API_URL and WASP_WEB_CLIENT_URL are valid URLs (GitHub Issue #756).
   - Make sure required environment variables are properly set (GitHub Issue #175).
2. Authentication & authorization:
   - Implement proper access control for your operations.
   - Follow the principle of "deny access by default" as recommended by OWASP.
   - Be careful not to accidentally expose sensitive data like hashed passwords (GitHub Issue #584).
3. Database security:
   - Ensure your database migrations are up to date with wasp db migrate-dev.
   - Be cautious about what data you expose through your APIs (GitHub Issue #214).
4. Dependency management:
   - Continue monitoring npm vulnerabilities as you've been doing.
   - Consider the trade-off between pinning dependency versions for stability vs. getting security updates (GitHub Issue #646).
5. Reporting security issues:
   - Wasp has a security policy in place, and you can report vulnerabilities to their team if you find any in the framework itself (GitHub Issue #697).

For a more comprehensive security review, you might want to look into general web application security checklists like those provided by OWASP, as they would apply to the technologies Wasp uses (React, Node.js, and Prisma). The "unknown unknowns" are always challenging, but following established security practices and keeping your dependencies updated will help mitigate many common security risks.

Note: you can ask me a follow-up question by @-mentioning me again.
Vinny (@Wasp) (5d ago)
Maybe @miho can give some tips here
miho (5d ago)
It depends somewhat on your deployment method: are you self-hosting on some sort of VPS? A lot of security tips go in the direction of securing your server. If you are using Fly or Railway, these worries are mostly handled for you.

One big security thing to consider is that you are validating access on the server and not in the client, e.g. checking context.user to see if they have access to certain queries and actions. That's the big one.

Another one would be to make sure that users can't edit stuff they shouldn't be able to, e.g. doing context.entities.Task.create({ data: args }) <---- the db will save anything the user sends... you'd want to be very explicit, e.g. context.entities.Task.create({ data: { name: args.name } }).

One extra one: make sure you use Zod or something like that to validate the data received from the client as well. Look at the latest Open SaaS source code to find an example: https://github.com/wasp-lang/open-saas/blob/main/template/app/src/file-upload/operations.ts#L32

This list is non-exhaustive; I'd suggest searching for general Node.js and React security tips online, since Wasp is just using that under the hood 🙂
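The three points in the reply above (authorize on the server from context.user, validate the client payload, and write only an explicit allow-list of fields instead of passing args straight to the database) shown side by side as an added example. This is not code from the thread, from Wasp or from Open SaaS: the Task entity, the action names, the in-memory context and the hand-written validator are assumptions for illustration. A real Wasp action receives a Prisma-backed, async context.entities and would throw HttpError from 'wasp/server'; the validator stands in for the Zod schema the reply recommends so the block runs with no dependencies.

```typescript
// Added example, not Wasp's or Open SaaS's own code. Shapes below are assumed.
type Task = { id: number; name: string; ownerId: number; isDone: boolean };
type User = { id: number };

// Minimal stand-in for the Wasp operation context: `user` is present only on
// authenticated requests; `entities.Task.create` mimics Prisma's create,
// but synchronously so the example runs stand-alone.
type Context = {
  user?: User;
  entities: { Task: { create: (opts: { data: Record<string, unknown> }) => Task } };
};

// Stand-in for `HttpError` from 'wasp/server' (assumed shape).
class HttpError extends Error {
  statusCode: number;
  constructor(statusCode: number, message: string) {
    super(message);
    this.statusCode = statusCode;
  }
}

// In-memory "table" so the example runs offline; `rows` is exposed for inspection.
function makeContext(user?: User): Context & { rows: Task[] } {
  const rows: Task[] = [];
  return {
    user,
    rows,
    entities: {
      Task: {
        create: ({ data }) => {
          // Like the real database, this persists whatever keys it is handed.
          const row = { id: rows.length + 1, isDone: false, ...data } as unknown as Task;
          rows.push(row);
          return row;
        },
      },
    },
  };
}

// BEFORE: no auth check, and `args` goes straight to the DB, so a client can
// set ownerId (or any other column) to whatever it likes.
function createTaskUnsafe(args: Record<string, unknown>, context: Context): Task {
  return context.entities.Task.create({ data: args });
}

// Validator standing in for the Zod schema you would normally write here,
// roughly: z.object({ name: z.string().min(1).max(200) }).parse(args)
function parseCreateTaskArgs(args: unknown): { name: string } {
  if (typeof args !== 'object' || args === null) {
    throw new HttpError(400, 'Request body must be an object');
  }
  const name = (args as Record<string, unknown>).name;
  if (typeof name !== 'string' || name.length === 0 || name.length > 200) {
    throw new HttpError(400, 'name must be a non-empty string of at most 200 characters');
  }
  return { name }; // only the field we accept, everything else is dropped
}

// AFTER: access decided on the server from context.user, input validated, and
// only allow-listed fields written; ownerId comes from the session, never from args.
function createTask(args: unknown, context: Context): Task {
  if (!context.user) throw new HttpError(401, 'Not authenticated');
  const { name } = parseCreateTaskArgs(args);
  return context.entities.Task.create({
    data: { name, ownerId: context.user.id },
  });
}
```

Run the unsafe version with a payload such as { name: 'x', ownerId: 999, isDone: true } and the row is stored exactly as sent; the hardened version stores it under the caller's own id with isDone left at its default, rejects an unauthenticated call with 401, and rejects a missing or over-long name with 400 before anything touches the database.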
I’m not kidding.
Thanks a lot for this, this is super helpful. Maybe (if you feel there is demand) a brief security checklist with the key points that pertain to Wasp might be good in the Wasp / Open SaaS docs? Maybe not necessary, though. Just a suggestion, because I assume that a lot of people who are actually quite inexperienced devs (like myself) are being drawn to Wasp/Open SaaS to get their MVPs out quickly, and it might catch some glaring vulnerabilities before they go out to the world. Regardless, your help here is very appreciated, thank you!