> nestjs-security
Authentication, RBAC, and Hardening standards. Use when implementing JWT auth, RBAC guards, or security hardening in NestJS. (triggers: **/*.guard.ts, **/*.strategy.ts, **/auth/**, Passport, JWT, AuthGuard, CSRF, Helmet)
curl "https://skillshub.wtf/HoangNguyen0403/agent-skills-standard/nestjs-security?format=md"

NestJS Security Standards
Priority: P0 (CRITICAL)
Authentication (JWT)
- Strategy: Use `@nestjs/passport` with `passport-jwt`.
- Algorithm: Enforce `RS256` (preferred) or `HS256`. Reject `none`.
- Claims: Validate `iss` and `aud`.
- Tokens: Short access (15m), long httponly refresh (7d).
- MFA: Require 2FA for admin panels.
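As an added illustration (not code from this skill), the checks the Authentication rules describe, written as a small HS256 verifier: the algorithm allowlist is chosen by the server rather than read from the token, `none` is rejected, and `iss`, `aud` and `exp` are checked. In a real NestJS app these are the `algorithms`, `issuer` and `audience` options passed to `passport-jwt`; the `JwtPolicy` type, the shared secret and the sample claims are constructed for this example, and RS256 is left out to keep it short.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto';

// Constructed policy type: what the server decides up front, never the token.
interface JwtPolicy {
  algorithms: Array<'HS256' | 'RS256'>; // server-side allowlist
  issuer: string;
  audience: string;
  secret: string; // HS256 shared secret (example assumption)
}

const b64url = (s: string): string => Buffer.from(s).toString('base64url');
const fromB64url = (s: string): string => Buffer.from(s, 'base64url').toString('utf8');

// Issues an HS256 token (used here to build test inputs; a real IdP does this).
function signHS256(payload: Record<string, unknown>, secret: string): string {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const sig = createHmac('sha256', secret).update(`${head}.${body}`).digest('base64url');
  return `${head}.${body}.${sig}`;
}

// Verifies a token against the policy; throws on any failed check.
function verifyJwt(token: string, policy: JwtPolicy, now = Math.floor(Date.now() / 1000)): Record<string, unknown> {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [head, body, sig] = parts;
  const header = JSON.parse(fromB64url(head));
  // "Reject none": the header alg must be in the server allowlist, so `none`
  // (and any alg the server did not opt into) fails before signature handling.
  if (!policy.algorithms.includes(header.alg)) throw new Error(`algorithm not allowed: ${header.alg}`);
  if (header.alg !== 'HS256') throw new Error('RS256 verification omitted from this example');
  const expected = createHmac('sha256', policy.secret).update(`${head}.${body}`).digest();
  const actual = Buffer.from(sig, 'base64url');
  // Constant-time compare; a length mismatch is itself a failure.
  if (expected.length !== actual.length || !timingSafeEqual(expected, actual)) throw new Error('bad signature');
  const claims = JSON.parse(fromB64url(body));
  // "Validate iss and aud": the token must be for this issuer and this service.
  if (claims.iss !== policy.issuer) throw new Error('bad issuer');
  const aud: unknown[] = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(policy.audience)) throw new Error('bad audience');
  // Short-lived access tokens only make sense if expiry is actually enforced.
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  return claims;
}
```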
Authorization (RBAC)
- Deny by default: Bind `AuthGuard` globally (`APP_GUARD`).
- Bypass: Create a `@Public()` decorator for open routes.
- Roles: Use `Reflector.getAllAndOverride` to merge method- and class-level metadata.
Cryptography
- Hashing: Use Argon2id, not Bcrypt. See implementation.
- Encryption: Use AES-256-GCM with KMS rotation. See implementation.
Hardening
- Helmet: Mandatory. Enable HSTS, CSP.
- CORS: Explicit origins only. No `*`.
- Throttling: Use Redis-backed `@nestjs/throttler` in production.
- CSRF: Required for cookie-based auth. See implementation.
Data Protection
- Sanitization: Use `ClassSerializerInterceptor` + `@Exclude()`.
- Validation: `ValidationPipe({ whitelist: true })` to prevent mass assignment.
- Audit: Log mutations (Who, What, When). See implementation.
Secrets Management
- CI/CD: Run `npm audit --prod` in pipelines.
- Runtime: Inject via vault (AWS Secrets Manager / HashiCorp Vault), not `.env`.
Anti-Patterns
- No Shadow APIs: Audit routes regularly; disable `/docs` in production.
- No SSRF: Allowlist domains for all outgoing HTTP requests.
- No SQLi: Use ORM; avoid raw `query()` with string concatenation.
- No XSS: Sanitize HTML input with `dompurify`.
Related Topics
common/security-standards | architecture | database