Security Points to consider #134

Closed
michaelbromley opened this issue Aug 2, 2019 · 1 comment

@michaelbromley
Member

michaelbromley commented Aug 2, 2019

Here is a dump of some notes I took from a security lecture (slides) with points that need research in relation to Vendure:

CSRF mitigation:

  • require non-standard header (do we already do this?). E.g. require 'X-CSRF-TOKEN' header on all requests.
  • SameSite cookie attribute.

XSS mitigation:

  • Attack vector - e.g. reviews in shop, order notes etc.
  • Add CSP (Content Security Policy) header in Admin UI.
  • Does Angular need "unsafe eval" enabled to work with CSP?

Other
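The two CSRF mitigations listed above, as an added example that is not Vendure's code: a framework-agnostic guard that an Express or NestJS middleware could call (requiring the non-standard `X-CSRF-TOKEN` header on state-changing requests and comparing it with a same-named cookie), plus a helper that emits the session cookie with a `SameSite` attribute. `csrfGuard`, `buildSessionCookie`, `IncomingRequest` and the `csrf-token` cookie name are assumptions; the sample requests are constructed, not captured traffic.

```typescript
// Added example, not Vendure code: the two CSRF mitigations from the notes,
// as a framework-agnostic check that an Express/NestJS middleware could call.
// csrfGuard, buildSessionCookie, IncomingRequest and the cookie name are hypothetical.

interface IncomingRequest {
  method: string;
  // Header names are assumed lower-cased, as Node's http module delivers them.
  headers: { [name: string]: string | undefined };
  cookies: { [name: string]: string | undefined };
}

interface GuardResult {
  allowed: boolean;
  reason: string;
}

const SAFE_METHODS: string[] = ['GET', 'HEAD', 'OPTIONS'];
const CSRF_HEADER = 'x-csrf-token'; // the header the notes propose
const CSRF_COOKIE = 'csrf-token';   // assumed name of the cookie carrying the same token

// Compare every character so response time does not depend on where the
// first mismatch is.
function constantTimeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) {
    return false;
  }
  let diff = 0;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  }
  return diff === 0;
}

// Mitigation 1: require a non-standard header on every state-changing request.
// A cross-site <form> cannot set custom headers, and a cross-origin fetch() that
// tries to will first send a CORS preflight the server can refuse. Pairing the
// header with a cookie holding the same token (double submit) binds the token
// to the browser it was issued to.
function csrfGuard(req: IncomingRequest): GuardResult {
  if (SAFE_METHODS.indexOf(req.method.toUpperCase()) !== -1) {
    return { allowed: true, reason: 'safe method, no state change' };
  }
  const headerToken = req.headers[CSRF_HEADER];
  if (!headerToken) {
    return { allowed: false, reason: 'missing ' + CSRF_HEADER + ' header' };
  }
  const cookieToken = req.cookies[CSRF_COOKIE];
  if (!cookieToken || !constantTimeEqual(headerToken, cookieToken)) {
    return { allowed: false, reason: 'header token does not match cookie token' };
  }
  return { allowed: true, reason: 'token matched' };
}

// Mitigation 2: the SameSite attribute on the session cookie. Lax (what modern
// browsers assume when the attribute is absent) withholds the cookie on
// cross-site POSTs; Strict also withholds it on top-level cross-site navigations;
// None re-enables cross-site sending and browsers accept it only with Secure.
type SameSite = 'Lax' | 'Strict' | 'None';

function buildSessionCookie(name: string, value: string, sameSite: SameSite = 'Lax', secure: boolean = true): string {
  if (sameSite === 'None' && !secure) {
    throw new Error('SameSite=None requires the Secure attribute');
  }
  const parts: string[] = [name + '=' + encodeURIComponent(value), 'Path=/', 'HttpOnly', 'SameSite=' + sameSite];
  if (secure) {
    parts.push('Secure');
  }
  return parts.join('; ');
}

// Constructed sample requests (not captured traffic) showing each outcome.
function demo(): string[] {
  const token = 'a1b2c3d4'; // constructed token value
  const requests: IncomingRequest[] = [
    { method: 'GET', headers: {}, cookies: {} },
    { method: 'POST', headers: {}, cookies: { 'csrf-token': token } },
    { method: 'POST', headers: { 'x-csrf-token': 'wrong' }, cookies: { 'csrf-token': token } },
    { method: 'POST', headers: { 'x-csrf-token': token }, cookies: { 'csrf-token': token } },
  ];
  return requests.map(r => {
    const result = csrfGuard(r);
    return r.method + ' -> ' + (result.allowed ? 'allowed' : 'blocked') + ' (' + result.reason + ')';
  });
}

console.log(demo().join('\n'));
console.log(buildSessionCookie('session', 'opaque-session-id'));
```

The header check and the cookie attribute are complementary: the header stops a cross-site form post from being accepted even on older browsers that ignore `SameSite`, and `SameSite=Lax` keeps the session cookie out of cross-site POSTs even if a request path forgets to call the guard.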

@michaelbromley
Member Author

I've reviewed the points above and here is the current status:

  • helmet is a good general solution for several attack vectors, and for implementing CSP. It can be added as middleware using VendureConfig. I added a note to this in the deployment docs.
  • XSS protections are particularly strong in Angular, with its AOT compilation model plus built-in distrust of external data in templates.
  • SameSite is interpreted as lax by modern browsers, which protects against CSRF. It can be further customised using the authOptions.cookieOptions settings.
  • Review of the threat model slide led me to create this issue: Configurable password policy #863, which can be handled in a future release.
  • The @Allow() decorator does now support access control on property resolvers.
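The CSP point from the notes (and the question of whether Angular needs `'unsafe-eval'`), as an added example that is neither Vendure's nor helmet's code: a Content-Security-Policy value is built from a directives map and linted for the settings that weaken XSS protection, with the policy an Angular JIT build needs shown beside a hardened one for an AOT build. Only Angular's JIT compiler requires `'unsafe-eval'`; an AOT build does not. `buildCsp`, `lintCsp` and the two policy constants are assumptions; the directives shape is the one helmet's `contentSecurityPolicy({ directives })` option accepts, so a policy that passes the lint can be handed to the helmet middleware mentioned above.

```typescript
// Added example, not Vendure or helmet code. Builds a CSP header value from a
// directives map and lints it for settings that weaken XSS protection.
// buildCsp, lintCsp, JIT_POLICY and AOT_POLICY are hypothetical names.

interface Directives { [name: string]: string[]; }

// Serialise the map into the header value: "name v1 v2; name v1 ..."
function buildCsp(directives: Directives): string {
  const out: string[] = [];
  for (const name of Object.keys(directives)) {
    out.push(name + ' ' + directives[name].join(' '));
  }
  return out.join('; ');
}

function has(values: string[], v: string): boolean {
  return values.indexOf(v) !== -1;
}

// Findings a reviewer would raise for an admin UI policy. script-src falls back
// to default-src, as the browser does when script-src is absent.
function lintCsp(directives: Directives): string[] {
  const findings: string[] = [];
  const script = directives['script-src'] || directives['default-src'] || [];
  if (has(script, "'unsafe-eval'")) {
    findings.push("script-src allows 'unsafe-eval': only Angular's JIT compiler needs this; an AOT build does not");
  }
  if (has(script, "'unsafe-inline'")) {
    findings.push("script-src allows 'unsafe-inline': injected inline <script> would run, defeating CSP as an XSS control");
  }
  if (has(script, '*') || has(script, 'https:')) {
    findings.push('script-src allows scripts from any origin');
  }
  if (!directives['object-src']) {
    findings.push("object-src missing: add object-src 'none' so plugin content cannot be embedded");
  }
  if (!directives['base-uri']) {
    findings.push('base-uri missing: an injected <base> tag could redirect relative script URLs');
  }
  if (!directives['frame-ancestors']) {
    findings.push('frame-ancestors missing: the admin UI could be framed (clickjacking)');
  }
  return findings;
}

// Weak policy: what an Angular JIT build needs (constructed example).
const JIT_POLICY: Directives = {
  'default-src': ["'self'"],
  'script-src': ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
};

// Hardened policy for an AOT-compiled Angular admin UI (constructed example).
const AOT_POLICY: Directives = {
  'default-src': ["'self'"],
  'script-src': ["'self'"],
  // Angular writes component styles into inline <style> elements, so style-src
  // still needs 'unsafe-inline' unless styles are nonced; scripts stay strict.
  'style-src': ["'self'", "'unsafe-inline'"],
  'img-src': ["'self'", 'data:'],
  'connect-src': ["'self'"],
  'object-src': ["'none'"],
  'base-uri': ["'self'"],
  'frame-ancestors': ["'none'"],
};

function report(label: string, policy: Directives): string {
  const findings = lintCsp(policy);
  return label + ': ' + buildCsp(policy) + '\n  ' + (findings.length ? findings.join('\n  ') : 'no findings');
}

console.log(report('JIT policy', JIT_POLICY));
console.log(report('AOT policy', AOT_POLICY));
```

Run the lint against the policy you intend to deploy before wiring it into the middleware; `frame-ancestors` and `object-src` are the two directives most often forgotten when a policy is written only with scripts in mind.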
