CDP 35948520/Checkliste Node.js: 4 Web App Security Checks #34

New Issue

Closed

opened 2026-04-16 09:56:09 +02:00 by Hartmut · 2 comments

Hartmut commented 2026-04-16 09:56:09 +02:00

Owner

Copy Link

Copy Source

Quelle

• xlsx: samples/CDP/checklists/nodejs.xlsx
• Parent-Control: CDP 35948516: NodeJS (#30)
• Epic: CDP Compliance Epic — alle Controls (#1)
• Zweck: Detail-Security-Checks zur Validierung der Accenture CDP Web Application Standards auf Code-/Architektur-Ebene.

Checkliste (4 Checks)

Phase: Build

Configuration

• Verify that the Node.js is being run as a non-root user.
  ✅ Container-User nextjs (uid=1001), non-root (Dockerfile.prod:87).
• Ensure use of 'ratelimiter flexible' package to prevent Brute force attacks.
  ✅ Äquivalent: eigenes Rate-Limit-Middleware (packages/api/src/middleware/rate-limit.ts) — 100/15min API, 5/15min Auth.
• Ensure use of 'Helmet' module to set security-related HTTP response headers.
  ✅ Äquivalent: Next.js Security-Headers via next.config.ts (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy).
• Use csurf module for protecting against CSRF attacks
  ✅ Äquivalent: Auth.js CSRF-Token (authjs.csrf-token Cookie, siehe auth.config.ts:35) + SameSite=Strict auf allen Cookies.

## Quelle - **xlsx:** `samples/CDP/checklists/nodejs.xlsx` - **Parent-Control:** #30 - **Epic:** #1 - **Zweck:** Detail-Security-Checks zur Validierung der Accenture CDP Web Application Standards auf Code-/Architektur-Ebene. ## Checkliste (4 Checks) ### Phase: Build #### Configuration - [x] Verify that the Node.js is being run as a non-root user. ✅ *Container-User `nextjs` (uid=1001), non-root (`Dockerfile.prod:87`).* - [x] Ensure use of 'ratelimiter flexible' package to prevent Brute force attacks. ✅ *Äquivalent: eigenes Rate-Limit-Middleware (`packages/api/src/middleware/rate-limit.ts`) — 100/15min API, 5/15min Auth.* - [x] Ensure use of 'Helmet' module to set security-related HTTP response headers. ✅ *Äquivalent: Next.js Security-Headers via `next.config.ts` (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy).* - [x] Use csurf module for protecting against CSRF attacks ✅ *Äquivalent: Auth.js CSRF-Token (`authjs.csrf-token` Cookie, siehe `auth.config.ts:35`) + SameSite=Strict auf allen Cookies.*

Hartmut added the cdpsecurity labels 2026-04-16 09:56:09 +02:00

Hartmut referenced this issue 2026-04-16 09:56:20 +02:00

CDP Compliance Epic — alle Controls #1

Hartmut referenced this issue 2026-04-16 10:02:29 +02:00

CDP 35948520: Web Application #25

Hartmut referenced this issue 2026-04-16 10:02:30 +02:00

CDP 35948516: NodeJS #30

Hartmut commented 2026-04-16 10:06:38 +02:00

Author

Owner

Copy Link

Copy Source

Review-Ergebnis

Detail-Analyse aller 4 Checks aus samples/CDP/checklists/nodejs.xlsx gegen CapaKraken-Code und docs/acn-security-compliance-status.md.

Status	Anzahl	Legende
✅ OK	4	Implementiert + Evidenz im Ticket-Body inline vermerkt
🟡 PARTIAL	0	Grundschutz vorhanden, formaler Restpunkt offen
🔴 GAP	0	Nicht implementiert — konkrete TODOs unten
⚪ N/A	0	Nicht anwendbar für CapaKraken
Total	4

---

Empfehlung:
Alle Checks abgedeckt. Ticket kann nach Owner-Review geschlossen werden.

## Review-Ergebnis Detail-Analyse aller 4 Checks aus `samples/CDP/checklists/nodejs.xlsx` gegen CapaKraken-Code und [`docs/acn-security-compliance-status.md`](../blob/main/docs/acn-security-compliance-status.md). | Status | Anzahl | Legende | |--------|--------|---------| | ✅ OK | 4 | Implementiert + Evidenz im Ticket-Body inline vermerkt | | 🟡 PARTIAL | 0 | Grundschutz vorhanden, formaler Restpunkt offen | | 🔴 GAP | 0 | Nicht implementiert — konkrete TODOs unten | | ⚪ N/A | 0 | Nicht anwendbar für CapaKraken | | **Total** | **4** | | --- **Empfehlung:** Alle Checks abgedeckt. Ticket kann nach Owner-Review geschlossen werden.

Hartmut commented 2026-04-16 10:07:33 +02:00

Author

Owner

Copy Link

Copy Source

Abschluss

Alle 4 Checks aus samples/CDP/checklists/nodejs.xlsx sind erfüllt:

• Non-root container user ✅
• Rate-Limiting (eigenes Middleware statt rate-limiter-flexible) ✅
• Security-Headers (next.config.ts statt Helmet) ✅
• CSRF-Schutz (Auth.js CSRF-Token + SameSite=Strict statt csurf) ✅

Ticket wird geschlossen.

## Abschluss Alle 4 Checks aus `samples/CDP/checklists/nodejs.xlsx` sind erfüllt: - Non-root container user ✅ - Rate-Limiting (eigenes Middleware statt `rate-limiter-flexible`) ✅ - Security-Headers (`next.config.ts` statt `Helmet`) ✅ - CSRF-Schutz (Auth.js CSRF-Token + `SameSite=Strict` statt `csurf`) ✅ Ticket wird geschlossen.

Hartmut closed this issue 2026-04-16 10:07:33 +02:00

Hartmut referenced this issue 2026-04-16 10:07:33 +02:00

CDP 35948516: NodeJS #30

Hartmut referenced this issue 2026-04-16 10:16:34 +02:00

CDP 35948520: Web Application #25

Hartmut referenced this issue 2026-04-16 10:20:06 +02:00

CDP 35948464: General #17

Hartmut referenced this issue 2026-04-16 10:20:07 +02:00

CDP Compliance Epic — alle Controls #1

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

security/password-policy-blacklist

security/audit-2026-04-17

pre-rename-backup

Labels

Clear labels

cdp

CDP (Client Data Protection) compliance

epic

Parent/umbrella ticket

not-applicable

Control does not apply to CapaKraken scope

security

Security / compliance work

No Label cdp security

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

Hartmut

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: Hartmut/CapaKraken#34