Script Valley
JWT & Session Auth: Deep Dive
Security Hardening and Production Auth/Assessment

Practice & Assessment

Test your understanding of Security Hardening and Production Auth

Multiple Choice Questions (6)

1. Why are JWT Bearer tokens in the Authorization header immune to CSRF attacks?

2. A login endpoint returns 'Invalid password' for wrong passwords and 'User not found' for unknown emails. What attack does this enable?

3. What is the risk of enabling HSTS with a one-year maxAge on a domain before testing?

4. Which of the following should NEVER appear in application log output?

5. Why should the bcrypt cost factor (salt rounds) be set to 12 or higher for new projects in 2024?

6. Per-IP rate limiting on login can be bypassed. What additional layer makes it significantly more resilient?

Coding Challenges (1)

1. Login Endpoint with Rate Limiting and Brute Force Protection (Medium)

Build a POST /auth/login endpoint with two layers of brute force protection: express-rate-limit middleware limiting to 10 requests per 15-minute window per IP (return 429 on exceed), and an in-memory per-account failed attempt counter (using a Map with email as key) that locks out an account after 5 consecutive failures for 15 minutes (return 429 with a lockout message). On successful login, reset the per-account counter. Use a hardcoded user array with bcrypt-hashed passwords. Return identical error messages for both the 'wrong password' and 'user not found' cases. Log each attempt with event type, timestamp, and whether it succeeded. Input: POST with { email, password }. Output: { token } on success, { error } on failure. Estimated time: 25-30 minutes.

Mini Project (1)

1. Production-Hardened Auth API (Hard)

Build a complete, production-hardened Express auth API incorporating all module concepts. Requirements: helmet.js with HSTS and CSP configured, login with both per-IP rate limiting (express-rate-limit) and per-account lockout (Redis Map, 5 attempts / 15 min), bcrypt at cost 12, JWT access tokens (15 min) with HS256 and an explicit algorithms whitelist, refresh tokens in HttpOnly Secure SameSite=Strict cookies, CSRF protection via Origin header validation on state-mutating routes, structured pino logging for all auth events (never log tokens or passwords), session regeneration for cookie-based flows, uniform error messages that prevent enumeration, and a GET /auth/security-report endpoint (admin only) returning counts of failed logins and rate limit triggers from the last hour. Document every security decision with inline comments.