Production security checklist for ModularAuth-Kit.
| Mistake |
Risk |
Fix |
session.secure: false in prod |
Session hijacking over HTTP |
Set true + use HTTPS |
Identical SESSION_SECRET across envs |
Cross-env session replay |
Unique secret per environment |
| No rate limiting |
Brute force attacks |
Enable rate limiter |
| Exposing internal errors |
Information leakage |
Use production error handler |
| No CSRF protection |
Cross-site request forgery |
Enable CSRF middleware |
| OWASP Risk |
Mitigation |
| A01: Broken Access Control |
Session-based auth, requireAuth middleware |
| A02: Cryptographic Failures |
argon2id hashing, token hashing, signed cookies |
| A03: Injection |
Zod validation, parameterized Mongoose queries |
| A04: Insecure Design |
Repository pattern, service layer, config validation |
| A05: Security Misconfiguration |
Helmet.js, secure defaults, config validation |
| A07: Auth Failures |
Account lockout, session rotation, enumeration protection |