Infrastructure Security

HTTP Headers (Helmet)

The backend uses the Helmet middleware to set various HTTP headers that protect the app from common attacks like Cross-Site Scripting (XSS), Clickjacking, and MIME-type sniffing.

Cross-Origin Resource Sharing (CORS)

CORS is strictly configured to only allow requests from authorized frontend domains (e.g., pyqdeck.in and its subdomains).

Rate Limiting

To mitigate brute-force and Denial of Service (DoS) attacks, we apply rate limiting at two levels:
  1. Global Rate Limit: Applied to all standard API endpoints.
  2. Specific Rate Limit: Stricter limits on sensitive endpoints such as login (Clerk) and webhooks.
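To make the two-level scheme concrete, here is an added example of a fixed-window rate limiter in plain Node.js. It is not PyqDeck's own code: the bucket names, the limits, the window length and the path prefixes are constructed for illustration, and the middleware wrapper only assumes an Express-style (req, res, next) shape without importing a framework. Every request is counted against the global bucket; requests to a sensitive path are additionally counted against a stricter bucket, and whichever bucket rejects first is reported so the reason can be logged.

```javascript
// Added example (not PyqDeck's own code): a two-level fixed-window rate limiter.
// Limits, window length and path prefixes below are constructed values.
const POLICIES = {
  global:  { limit: 100, windowMs: 60_000 }, // applied to every request
  login:   { limit: 5,   windowMs: 60_000 }, // stricter bucket for a sensitive route
  webhook: { limit: 20,  windowMs: 60_000 },
};

// Maps a request path to its stricter bucket, or null when only the global limit applies.
function policyFor(path) {
  if (path.startsWith('/auth/login')) return 'login';
  if (path.startsWith('/webhooks/')) return 'webhook';
  return null;
}

class RateLimiter {
  constructor(policies = POLICIES, now = () => Date.now()) {
    this.policies = policies;
    this.now = now;            // injectable clock so the limiter can be tested deterministically
    this.counters = new Map(); // key "policy:client" -> { count, windowStart }
  }

  // Records one hit against `policy` for `client`; returns true while within the limit.
  hit(policy, client) {
    const { limit, windowMs } = this.policies[policy];
    const key = `${policy}:${client}`;
    const t = this.now();
    let c = this.counters.get(key);
    if (!c || t - c.windowStart >= windowMs) {
      c = { count: 0, windowStart: t }; // start a fresh window
      this.counters.set(key, c);
    }
    c.count += 1;
    return c.count <= limit;
  }

  // Applies the global limit first, then the route-specific limit when the path has one.
  check(client, path) {
    if (!this.hit('global', client)) return { allowed: false, reason: 'global' };
    const specific = policyFor(path);
    if (specific && !this.hit(specific, client)) return { allowed: false, reason: specific };
    return { allowed: true, reason: null };
  }
}

// Express-style middleware (assumed shape; no framework is imported here).
function rateLimitMiddleware(limiter) {
  return (req, res, next) => {
    const verdict = limiter.check(req.ip, req.path);
    if (!verdict.allowed) {
      res.statusCode = 429;
      res.end(`Too many requests (${verdict.reason} limit)`);
      return;
    }
    next();
  };
}

// Drives the limiter with a fake clock and a constructed client address:
// five login attempts pass, the sixth is rejected, and a new window allows it again.
function demo() {
  let clock = 0;
  const limiter = new RateLimiter(POLICIES, () => clock);
  const results = [];
  for (let i = 0; i < 6; i++) results.push(limiter.check('203.0.113.7', '/auth/login').allowed);
  clock += 60_000;
  results.push(limiter.check('203.0.113.7', '/auth/login').allowed);
  return results; // [true, true, true, true, true, false, true]
}
```

A fixed window is the simplest policy and is what most middleware libraries default to; the trade-off is that a client can spend two windows' worth of requests in a short burst straddling the boundary, which a sliding-window or token-bucket variant avoids at the cost of more state per client.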

Data Security

Authentication

Authentication is handled by Clerk, which provides industry-standard session management, password hashing, and Multi-Factor Authentication (MFA) capabilities.

Authorization (RBAC)

Strict Role-Based Access Control ensures that only users with admin or editor roles can access sensitive management endpoints.

Input Sanitization

  • NoSQL Injection: User-supplied strings are passed through the escapeRegExp utility before they are used in MongoDB $regex queries, so they are matched literally rather than interpreted as regex syntax.
  • Validation: Zod schemas enforce strict data types and lengths for all incoming data.
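The following added example shows both sanitization steps together in plain Node.js. It is not PyqDeck's escapeRegExp or its Zod schemas: the escape function, the hand-written parseSearchQuery check that stands in for a Zod schema, the 64-character limit, the sample Subjects documents and the in-memory filter evaluator are all constructed so the example runs without MongoDB. The unsafe builder is kept only to show how the same input behaves with and without escaping.

```javascript
// Added example (not PyqDeck's own code): validating and escaping a search string
// before it is placed in a MongoDB $regex filter.

// Escapes every character with special meaning in a JavaScript/PCRE-style regex.
function escapeRegExp(input) {
  return String(input).replace(/[.*+?^${}()|[\]\\\/]/g, '\\$&');
}

// Stand-in for a Zod schema (assumed shape): must be a non-empty string of at most 64 chars.
// Rejecting non-strings also stops operator objects such as { $gt: '' } from reaching the query.
function parseSearchQuery(raw) {
  if (typeof raw !== 'string') return { ok: false, error: 'search must be a string' };
  const value = raw.trim();
  if (value.length === 0 || value.length > 64) return { ok: false, error: 'search must be 1-64 characters' };
  return { ok: true, value };
}

// Builds a case-insensitive prefix filter the way a search endpoint might.
function buildSubjectFilter(search) {
  return { name: { $regex: '^' + escapeRegExp(search), $options: 'i' } };
}

// Raw interpolation, kept only for comparison: the input is interpreted as regex syntax.
function buildUnsafeFilter(search) {
  return { name: { $regex: '^' + search, $options: 'i' } };
}

// Constructed sample documents standing in for a Subjects collection.
const SAMPLE_SUBJECTS = [
  { name: 'Data Structures' },
  { name: 'Databases' },
  { name: 'Operating Systems' },
  { name: 'C++ Programming' },
];

// Evaluates a { field: { $regex, $options } } filter in memory (no database needed).
function applyFilter(docs, filter) {
  const [field, cond] = Object.entries(filter)[0];
  const re = new RegExp(cond.$regex, cond.$options || '');
  return docs.filter((d) => re.test(d[field])).map((d) => d.name);
}

// Full request path: validate, escape, query. Returns matching names or the validation error.
function searchSubjects(rawQuery, docs = SAMPLE_SUBJECTS) {
  const parsed = parseSearchQuery(rawQuery);
  if (!parsed.ok) return { error: parsed.error };
  return { results: applyFilter(docs, buildSubjectFilter(parsed.value)) };
}
```

The length cap matters as much as the escaping: escaping stops injected quantifiers and anchors from changing what the query matches, while the Zod-style length limit bounds how much work the regex engine can be asked to do per request.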

Code & Dependency Security

  • CodeQL: Automated static analysis on every PR to find potential security vulnerabilities in our custom logic.
  • pnpm audit: Regular scanning of the dependency tree for known vulnerabilities.
  • Dependabot: Keeps our packages up-to-date automatically.

Content Freeze Mechanism

PyqDeck includes a “Content Freeze” mechanism managed via the PlatformConfig model and checkContentFreeze middleware.
  • Purpose: When enabled (e.g., during major migrations or maintenance), all “write” operations (POST, PATCH, DELETE) are blocked for non-admin users.
  • Scope: Applied to resources like Universities, Subjects, and Papers.
  • Override: Admins can still make changes even during a freeze.
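As an added example covering both the RBAC rule and the Content Freeze mechanism described above, here are two Express-style middleware functions in plain Node.js. This is not PyqDeck's checkContentFreeze or its PlatformConfig model: the in-memory config object, the role names admin and editor, the 503 status with a Retry-After header, and the request shape are assumptions, and the simulate helper runs a chain against a fake req/res so nothing needs a framework or database.

```javascript
// Added example (not PyqDeck's own code): role check plus a content-freeze gate.

// Stand-in for the PlatformConfig model; a real implementation reads this from the database.
const platformConfig = { contentFreeze: false, message: 'Content is frozen for maintenance' };

// Minimal RBAC: the request passes only if req.auth.role is one of the allowed roles.
function requireRole(...allowed) {
  return (req, res, next) => {
    const role = req.auth && req.auth.role;
    if (!allowed.includes(role)) {
      res.statusCode = role ? 403 : 401; // unknown role vs. no authenticated user
      res.end(JSON.stringify({ error: role ? 'forbidden' : 'unauthenticated' }));
      return;
    }
    next();
  };
}

const WRITE_METHODS = new Set(['POST', 'PATCH', 'DELETE']);

// While the freeze flag is on, write methods are blocked for everyone except admins.
// Reads always pass, and admins retain the override the page describes.
function checkContentFreeze(getConfig = () => platformConfig) {
  return (req, res, next) => {
    const config = getConfig();
    const isWrite = WRITE_METHODS.has(req.method.toUpperCase());
    const isAdmin = !!req.auth && req.auth.role === 'admin';
    if (config.contentFreeze && isWrite && !isAdmin) {
      res.statusCode = 503;                      // assumed status; 403 would also be defensible
      res.setHeader('Retry-After', '3600');      // constructed hint for clients
      res.end(JSON.stringify({ error: 'content_freeze', message: config.message }));
      return;
    }
    next();
  };
}

// Runs a request through a middleware chain with a fake res; reports whether the
// final route handler would have been reached and what status was set.
function simulate(chain, req) {
  const res = {
    statusCode: 200, headers: {}, body: null,
    setHeader(k, v) { this.headers[k] = v; },
    end(b) { this.body = b; },
  };
  let i = 0;
  let reachedHandler = false;
  const next = () => {
    const mw = chain[i++];
    if (mw) mw(req, res, next); else reachedHandler = true;
  };
  next();
  return { status: res.statusCode, reachedHandler, headers: res.headers, body: res.body };
}

// A management route as it might be wired: RBAC first, then the freeze gate.
function managementChain(getConfig) {
  return [requireRole('admin', 'editor'), checkContentFreeze(getConfig)];
}
```

Ordering the role check before the freeze gate means an unauthenticated caller gets 401 rather than a freeze message, which avoids leaking maintenance state to anonymous clients.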