
Security: henryamster/LinkGen


SECURITY.md

Security Implementation Guide

🔒 Security Features Implemented

1. Database Security

  • Encryption at Rest: Database stored outside web root with restricted permissions (700)
  • Secure Location: Database moved from ./data/ to system-appropriate directories:
    • Development: ~/.linkgen/linkgen.db
    • Production: /var/lib/linkgen/linkgen.db
  • Strong Encryption: Enhanced AES-256-CBC encryption with PBKDF2 key derivation (100,000 iterations)

2. Authentication & Authorization

  • Strong Password Hashing: bcrypt with cost factor 14 for production (vs 10 for development)
  • Secure JWT:
    • Cryptographically secure JWT secrets (64+ characters)
    • Algorithm restriction (HS256 only)
    • JWT ID (jti) for token tracking
    • IP address validation
  • Timing Attack Protection: Constant-time password comparison
  • Rate Limiting: Aggressive rate limiting on authentication endpoints (5 attempts per 15 minutes)

3. Input Validation & Sanitization

  • UUID Validation: Strict UUID v4 format validation for document IDs
  • Content Limits:
    • Document content: 1MB max
    • File uploads: 10MB per file, 10 files max
    • Title: 200 characters max
    • Password: 200 characters max
  • File Type Restrictions: Whitelist of allowed MIME types
  • Input Sanitization: Removal of potentially dangerous characters
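The limits in this section as a request validator, added here as an example rather than taken from the project; the field names, the contents of the MIME whitelist and the error strings are assumptions, while the numeric limits and the strict UUID v4 rule are the page's.

```javascript
// Added example (not LinkGen's own code): validation for the limits listed above.
const UUID_V4 = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
const LIMITS = { content: 1024 * 1024, title: 200, password: 200, fileBytes: 10 * 1024 * 1024, fileCount: 10 };
// Whitelist contents are an assumption; the page only says a whitelist exists.
const ALLOWED_MIME = new Set(['image/png', 'image/jpeg', 'application/pdf', 'text/plain']);

// Strict v4 check: version nibble must be 4 and variant nibble 8/9/a/b, so a
// v1 UUID or an arbitrary 36-character hex string is rejected.
function isUuidV4(id) {
  return typeof id === 'string' && UUID_V4.test(id);
}

// Returns a list of problems (empty when the document is acceptable).
function validateDocument(doc) {
  const problems = [];
  if (typeof doc.title !== 'string' || doc.title.length === 0) problems.push('title required');
  else if (doc.title.length > LIMITS.title) problems.push('title too long');
  // The 1MB cap is a byte limit: measure UTF-8 length, not JS string length,
  // or multi-byte text slips past it.
  if (typeof doc.content !== 'string') problems.push('content required');
  else if (Buffer.byteLength(doc.content, 'utf8') > LIMITS.content) problems.push('content exceeds 1MB');
  if (doc.password !== undefined && (typeof doc.password !== 'string' || doc.password.length > LIMITS.password))
    problems.push('password too long');
  const files = doc.files || [];
  if (files.length > LIMITS.fileCount) problems.push('too many files');
  files.forEach((f, i) => {
    if (!ALLOWED_MIME.has(f.mimeType)) problems.push(`file ${i}: type not allowed`);
    if (!(Number.isInteger(f.size) && f.size >= 0 && f.size <= LIMITS.fileBytes)) problems.push(`file ${i}: too large`);
  });
  return problems;
}
```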

4. Network Security

  • Helmet.js: Comprehensive security headers
    • Content Security Policy (CSP)
    • HSTS (Strict Transport Security)
    • X-Frame-Options: DENY
    • X-Content-Type-Options: nosniff
    • X-XSS-Protection
  • CORS Configuration: Environment-based CORS with production restrictions
  • Rate Limiting: Multiple tiers of rate limiting
    • General: 100 requests per 15 minutes
    • Auth: 5 attempts per 15 minutes
    • Upload: 10 uploads per minute
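The three rate-limit tiers above as a sliding-window limiter keyed per client IP, added as an illustration and not the project's own middleware; the tier names and the `check` API are assumptions, the numbers are the page's.

```javascript
// Added example (not LinkGen's own code): sliding-window limiter with the page's tiers.
// State is in-process here; with several app instances it would need a shared store.
const TIERS = {
  general: { max: 100, windowMs: 15 * 60 * 1000 },
  auth:    { max: 5,   windowMs: 15 * 60 * 1000 },
  upload:  { max: 10,  windowMs: 60 * 1000 },
};

class RateLimiter {
  constructor(tiers = TIERS) {
    this.tiers = tiers;
    this.hits = new Map(); // key "tier|ip" -> timestamps (ms) of hits inside the window
  }

  // Records a hit and reports whether it is allowed. Returns
  // { allowed, remaining, retryAfterMs } so a caller can send 429 with Retry-After.
  check(tier, ip, now = Date.now()) {
    const cfg = this.tiers[tier];
    if (!cfg) throw new Error(`unknown rate-limit tier: ${tier}`);
    const key = `${tier}|${ip}`;
    const cutoff = now - cfg.windowMs;
    const recent = (this.hits.get(key) || []).filter((t) => t > cutoff);
    if (recent.length >= cfg.max) {
      this.hits.set(key, recent); // denied hits are not counted, so the window is not extended by retries
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + cfg.windowMs - now };
    }
    recent.push(now);
    this.hits.set(key, recent);
    return { allowed: true, remaining: cfg.max - recent.length, retryAfterMs: 0 };
  }
}
```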

5. Data Protection

  • Content Encryption: Enhanced AES-256-CBC with salt and IV
  • Password Protection: bcrypt with high cost factor
  • Secure Random Generation: Cryptographically secure random bytes for keys and IVs
  • Memory Protection: Sensitive data cleared from memory when possible

6. Operational Security

  • Error Handling: No sensitive information in error responses
  • Logging: Security events logged without exposing sensitive data
  • Graceful Shutdown: Proper cleanup on application termination
  • Environment Validation: Warnings for insecure default configurations

🚨 Critical Security Requirements

Production Deployment Checklist

✅ Required Environment Variables

# CRITICAL: Set these before production deployment
ADMIN_PASSWORD=your-ultra-secure-password-here
JWT_SECRET=minimum-64-character-cryptographically-secure-secret
DB_ENCRYPTION_KEY=32-character-minimum-database-encryption-key
ALLOWED_ORIGINS=https://yourdomain.com,https://www.yourdomain.com
NODE_ENV=production
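A boot-time check for the variables above, added as an example and not part of LinkGen: the thresholds (64+ character JWT secret, 32+ character encryption key, 16+ character admin password) and the placeholder strings are the page's; the https-only origin rule and the prod-fatal/dev-warn behaviour are assumptions in the spirit of the "Environment Validation" feature.

```javascript
// Added example (not LinkGen's own code): refuse to boot in production with an
// unset, placeholder or too-short secret; downgrade to warnings in development.
const PLACEHOLDERS = new Set([ // the documentation placeholders from the checklist
  'your-ultra-secure-password-here',
  'minimum-64-character-cryptographically-secure-secret',
  '32-character-minimum-database-encryption-key',
]);

function validateEnv(env) {
  const problems = [];
  const isProd = env.NODE_ENV === 'production';
  const need = (name, minLen) => {
    const v = env[name];
    if (!v) problems.push(`${name} is not set`);
    else if (PLACEHOLDERS.has(v)) problems.push(`${name} still holds the documentation placeholder`);
    else if (v.length < minLen) problems.push(`${name} must be at least ${minLen} characters`);
  };
  need('ADMIN_PASSWORD', 16); // "Minimum 16 characters" per the best-practices section
  need('JWT_SECRET', 64);
  need('DB_ENCRYPTION_KEY', 32);

  if (isProd) { // CORS restrictions only apply in production per the page
    const origins = (env.ALLOWED_ORIGINS || '').split(',').map((s) => s.trim()).filter(Boolean);
    if (origins.length === 0) problems.push('ALLOWED_ORIGINS must list at least one origin in production');
    for (const o of origins) {
      if (o === '*') problems.push('ALLOWED_ORIGINS must not be "*" in production');
      else if (!/^https:\/\/[^/]+$/.test(o)) problems.push(`ALLOWED_ORIGINS entry is not an https origin: ${o}`);
    }
  }
  return { ok: problems.length === 0, fatal: isProd, problems };
}

// Call once at startup: throws in production, logs warnings otherwise.
function enforceEnv(env = process.env, log = console) {
  const r = validateEnv(env);
  if (r.ok) return r;
  if (r.fatal) throw new Error(`refusing to start: ${r.problems.join('; ')}`);
  for (const p of r.problems) log.warn(`insecure configuration: ${p}`);
  return r;
}
```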

✅ File System Security

  • Database directory permissions: 700 (owner read/write/execute only)
  • Application user: Non-root user with minimal privileges
  • Database location: /var/lib/linkgen/ (outside web root)

✅ Network Security

  • HTTPS only (TLS 1.2+)
  • Reverse proxy (nginx/Apache) configuration
  • Firewall rules (only necessary ports open)
  • DDoS protection

✅ Monitoring & Logging

  • Failed authentication attempts
  • Rate limit violations
  • File upload attempts
  • Database errors

🛡️ Security Best Practices

For Administrators

  1. Use Strong Passwords: Minimum 16 characters with mixed case, numbers, symbols
  2. Regular Updates: Keep dependencies updated
  3. Monitor Logs: Watch for suspicious activity
  4. Backup Security: Encrypt database backups
  5. Access Control: Limit admin access to trusted networks

For Users

  1. Strong Document Passwords: Use unique, strong passwords for sensitive documents
  2. Minimal Exposure: Set appropriate view limits and expiry times
  3. Sensitive Data: Consider additional encryption for highly sensitive content

🔧 Security Configuration

Development vs Production

Feature           | Development  | Production
------------------|--------------|-------------------
bcrypt Cost       | 10           | 14
CORS              | Permissive   | Restricted Origins
HTTPS             | Optional     | Required
Database Location | ~/.linkgen/  | /var/lib/linkgen/
Error Details     | Verbose      | Minimal
Rate Limiting     | Lenient      | Strict

Recommended nginx Configuration

# limit_req_zone is only valid in the http context; declaring it inside
# server {} makes nginx refuse to start, so it sits here and the server
# block below references the zone.
http {
    limit_req_zone $binary_remote_addr zone=api:10m rate=10r/m;

    server {
        listen 443 ssl http2;
        server_name yourdomain.com;

        # SSL Configuration
        ssl_certificate /path/to/cert.pem;
        ssl_certificate_key /path/to/key.pem;
        ssl_protocols TLSv1.2 TLSv1.3;
        # The AES256-GCM suites use SHA384; "...-SHA512" is not an OpenSSL
        # cipher name and would leave nginx with no usable TLS 1.2 cipher.
        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;

        # Security Headers
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        add_header X-Frame-Options DENY always;
        add_header X-Content-Type-Options nosniff always;

        # Rate Limiting (10 requests/minute per client IP, bursts up to 20)
        limit_req zone=api burst=20 nodelay;

        location / {
            proxy_pass http://localhost:3001;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}

🚨 Security Incident Response

If Compromised

  1. Immediate: Change all passwords and secrets
  2. Isolate: Take application offline if necessary
  3. Investigate: Check logs for unauthorized access
  4. Notify: Inform users if data may be compromised
  5. Update: Patch vulnerabilities and redeploy

Regular Security Tasks

  • Monthly: Update dependencies
  • Weekly: Review access logs
  • Daily: Monitor error rates
  • Quarterly: Security audit and penetration testing

📞 Security Contacts

For security issues or questions:

  • Create an issue with the security label
  • For sensitive security reports, use responsible disclosure

⚠️ Remember: Security is an ongoing process, not a one-time setup. Regularly review and update these configurations based on the latest security recommendations.
