- ✅ Helmet.js - HTTP header security
- ✅ Rate limiting - protection against brute-force attacks
  - General: 100 requests / 15 minutes
  - Auth endpoints: 5 attempts / 15 minutes
- ✅ Bcrypt - secure password hashing (12 rounds)
- ✅ JWT authentication - token-based authentication
- ✅ Input validation - via express-validator
- ✅ CORS - Cross-Origin Resource Sharing settings
- ✅ SQL injection protection - prepared statements (mysql2)
- ✅ Password requirements:
  - At least 8 characters
  - At least 1 uppercase letter
  - At least 1 lowercase letter
  - At least 1 digit
  - At least 1 special character (@$!%*?&)
- ✅ Client-side validation - form validation
- ✅ XSS protection - React escapes output automatically
- ✅ Error handling - errors are handled correctly
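The two rate-limit budgets and the password rules above, as an added example that is not the project's own code: a minimal in-memory fixed-window limiter shaped like Express middleware `(req, res, next)`, reading the same environment variable names the `.env` below uses, plus the password-policy check. The `now` parameter and the `true`/`false` return value are assumptions added so the limiter can be exercised without a clock or a real server.

```javascript
// Added example, not part of the project. Limits fall back to the page's defaults
// when the environment variables are unset.
const WINDOW_MS = Number(process.env.RATE_LIMIT_WINDOW_MS) || 900000;   // 15 minutes
const GENERAL_MAX = Number(process.env.RATE_LIMIT_MAX_REQUESTS) || 100;
const AUTH_MAX = Number(process.env.AUTH_RATE_LIMIT_MAX) || 5;

// makeLimiter returns Express-style middleware. Each client IP gets its own window:
// the first request opens it and every request until windowMs elapses counts
// against `max`. Returns true when the request was passed on, false when blocked.
function makeLimiter({ max, windowMs = WINDOW_MS, now = Date.now }) {
  const buckets = new Map(); // ip -> { count, resetAt }
  return function limiter(req, res, next) {
    const t = now();
    let bucket = buckets.get(req.ip);
    if (!bucket || t >= bucket.resetAt) {          // window expired: start a new one
      bucket = { count: 0, resetAt: t + windowMs };
      buckets.set(req.ip, bucket);
    }
    bucket.count += 1;
    res.setHeader('X-RateLimit-Remaining', String(Math.max(0, max - bucket.count)));
    if (bucket.count > max) {
      res.setHeader('Retry-After', String(Math.ceil((bucket.resetAt - t) / 1000)));
      res.status(429).json({ error: 'Too many requests' });
      return false;
    }
    next();
    return true;
  };
}

// Password policy from the checklist: >= 8 chars, upper, lower, digit, one of @$!%*?&.
// Returns the list of unmet rules (empty when the password is acceptable).
const PASSWORD_RULES = [
  { test: p => p.length >= 8, msg: 'at least 8 characters' },
  { test: p => /[A-Z]/.test(p), msg: 'at least one uppercase letter' },
  { test: p => /[a-z]/.test(p), msg: 'at least one lowercase letter' },
  { test: p => /[0-9]/.test(p), msg: 'at least one digit' },
  { test: p => /[@$!%*?&]/.test(p), msg: 'at least one special character (@$!%*?&)' },
];
function validatePassword(password) {
  return PASSWORD_RULES.filter(r => !r.test(password)).map(r => r.msg);
}

// Mount in an app as: app.use(generalLimiter); app.use('/api/auth', authLimiter);
const generalLimiter = makeLimiter({ max: GENERAL_MAX });
const authLimiter = makeLimiter({ max: AUTH_MAX });
```

The in-memory map is per process; behind several instances or a load balancer the same counters must live in a shared store, which is what the "advanced rate limiting" item below refers to.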
- Enable HTTPS
  - Configure SSL/TLS via nginx or a reverse proxy
  - Free certificates are available from Let's Encrypt
- Store tokens in HttpOnly cookies
  - Use httpOnly cookies instead of localStorage - protection against XSS attacks
- Add CSRF protection
  - `npm install csurf`
- Environment variable security
  - Do not commit the `.env` file to git
  - Use a secure JWT_SECRET in production
  - Store database passwords securely
- Email verification
  - Verify the user's email address on registration
  - Add a password reset function
- Logging and monitoring
  - Store logs with Winston or Bunyan
  - Monitor security events
  - Error tracking (Sentry)
- Two-Factor Authentication (2FA)
  - Google Authenticator or SMS code
- Account lockout
  - Lock the account after 5 incorrect password attempts
- Session management
  - Store tokens in the database
  - Delete the token on logout
  - Token rotation strategy
- SQL injection tests
  - Penetration testing
  - Automated security scans
- DDoS protection
  - Use Cloudflare or another CDN
  - Advanced rate limiting
- Database security
  - Database backup strategy
  - Create read-only users
  - IP whitelist
- API versioning
  - API version management
  - Deprecation strategy
- HTTPS configured
- Environment variables secured
- Rate limiting enabled
- Helmet.js enabled
- CORS configured correctly
- Logging system set up
- Error monitoring (Sentry)
- Database backups automated
- SSL certificate renewal configured
- Tokens stored in httpOnly cookies
- CSRF protection enabled
- Email verification working
- Password reset function
- Rate limiting configured for production
- Monitoring dashboard (Grafana/Prometheus)
- Security headers checked (securityheaders.com)
- Penetration testing performed
```env
# Database (use a strong password!)
DB_HOST=your_production_host
DB_USER=your_production_user
DB_PASSWORD=very_strong_password_here
DB_NAME=andisha_production
DB_PORT=3306

# JWT (256-bit random key!)
JWT_SECRET=your_super_secure_random_256_bit_key_here_change_this

# Server
PORT=3001
NODE_ENV=production

# CORS (trusted domains only)
CORS_ORIGIN=https://your-production-domain.com

# Rate Limiting
RATE_LIMIT_WINDOW_MS=900000
RATE_LIMIT_MAX_REQUESTS=100
AUTH_RATE_LIMIT_MAX=5

# Email (for production)
EMAIL_SERVICE=gmail
EMAIL_USER=your_email@gmail.com
EMAIL_PASSWORD=your_app_password
```

```bash
# Check dependencies
npm audit

# Security vulnerabilities scan
npm audit fix

# Production build test
npm run build
npm start
```

If you find a security issue:

- Do NOT disclose it publicly
- Report it directly to the project owner
- Wait until the issue has been fixed

NOTE: In its current state this project is ready for development, but deploying it to production without implementing all of the measures above is DANGEROUS!