Security

The Ellemment Stack implements comprehensive security measures to protect your application and users. Here's a detailed overview of the security features and their implementation.

Content Security Policy (CSP)

A strict Content Security Policy ensures only trusted resources load in your application.

Configuration

// server/index.ts
import express from 'express'
import helmet from 'helmet'

const app = express()

app.use(helmet({
  contentSecurityPolicy: {
    // Report-only: violations are reported, not blocked. Remove to enforce.
    reportOnly: true,
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'"],
      styleSrc: ["'self'"],
      imgSrc: ["'self'", "data:", "https:"],
      connectSrc: ["'self'"],
      // Add additional directives as needed
    }
  }
}))

By default, CSP runs in report-only mode. Enable enforcement by removing reportOnly: true.
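To make the mapping between this configuration and what the browser actually receives concrete, here is an added example (not Ellemment Stack or helmet code) that serialises a helmet-style directive map into the header value, switches the header name according to report-only mode, and lints the directives for sources that would weaken the policy. The directive map and the set of "weak" sources are constructed for illustration.

```typescript
// Added example (not Ellemment Stack code): serialise a helmet-style directive
// map into the header the browser receives, and lint it for weak sources.
type CspDirectives = Record<string, string[]>

// helmet accepts camelCase keys (scriptSrc); the wire format is kebab-case (script-src).
function toKebab(name: string): string {
  return name.replace(/[A-Z]/g, (c: string) => '-' + c.toLowerCase())
}

// Report-only mode changes the header name, so browsers report violations to the
// configured reporting endpoint instead of blocking the resource.
function buildCspHeader(directives: CspDirectives, reportOnly: boolean): { name: string; value: string } {
  const value = Object.entries(directives)
    .map(([key, sources]) => `${toKebab(key)} ${sources.join(' ')}`)
    .join('; ')
  const name = reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'
  return { name, value }
}

// Sources that make a policy ineffective against injected content. 'data:' is a
// common and acceptable trade-off for images and fonts, but not for scripts.
const WEAK_SOURCES = new Set(["'unsafe-inline'", "'unsafe-eval'", '*', 'data:', 'http:'])
const DATA_OK = new Set(['imgSrc', 'fontSrc'])

function findWeakDirectives(directives: CspDirectives): string[] {
  const findings: string[] = []
  for (const [key, sources] of Object.entries(directives)) {
    for (const src of sources) {
      if (!WEAK_SOURCES.has(src)) continue
      if (src === 'data:' && DATA_OK.has(key)) continue
      findings.push(`${toKebab(key)} allows ${src}`)
    }
  }
  return findings
}

// Constructed directive map mirroring the shape of the helmet configuration.
const exampleDirectives: CspDirectives = {
  defaultSrc: ["'self'"],
  scriptSrc: ["'self'"],
  styleSrc: ["'self'"],
  imgSrc: ["'self'", 'data:', 'https:'],
  connectSrc: ["'self'"],
}
```

Running `findWeakDirectives` against the directive map in CI is a cheap way to catch a `'unsafe-inline'` that was added to `scriptSrc` "temporarily" and never removed.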

Network Security

Internal Network Architecture

When hosted on Fly.io, instances communicate securely over Fly's private internal network:

  1. Instance Communication

    • Inter-service connections
    • Private network access
    • Organization-level isolation
  2. Cache Updates

    // Internal request validation
    if (!isInternalRequest(request)) {
      throw new Error('Unauthorized')
    }
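The cache-update snippet above only shows the call to isInternalRequest(). One way to implement that check is a shared secret that every instance is started with, presented in a request header and compared in constant time. The following is an added example, not the stack's own implementation; the header name x-internal-token, the RequestLike shape and the expectedToken argument are assumptions made for illustration.

```typescript
// Added example (not Ellemment Stack code): shared-secret check for requests
// that must only come from sibling instances on the private network.
import { timingSafeEqual } from 'node:crypto'

// Constant-time comparison that also handles length mismatch: timingSafeEqual
// throws on differing lengths, so compare lengths first and fail closed.
function safeEqual(a: string, b: string): boolean {
  const ab = Buffer.from(a, 'utf8')
  const bb = Buffer.from(b, 'utf8')
  if (ab.length !== bb.length) return false
  return timingSafeEqual(ab, bb)
}

// Only the part of the request the check needs (compatible with fetch's Headers).
interface RequestLike {
  headers: { get(name: string): string | null }
}

// Accept only requests carrying the shared secret. An unset secret fails closed
// rather than silently accepting every caller.
function isInternalRequest(request: RequestLike, expectedToken: string | undefined): boolean {
  if (!expectedToken) return false
  const presented = request.headers.get('x-internal-token') // assumed header name
  if (presented === null) return false
  return safeEqual(presented, expectedToken)
}

// Constructed request factory for the sample below.
function makeRequest(token: string | null): RequestLike {
  return {
    headers: {
      get: (name: string) => (name.toLowerCase() === 'x-internal-token' ? token : null),
    },
  }
}
```

In the stack this would be wired as `isInternalRequest(request, process.env.INTERNAL_TOKEN)` with a name of your choosing; the token should be long, random, and distributed only to instances in the same organization.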

Cross-Site Scripting (XSS) Protection

Built-in React XSS protection through automatic escaping:

// Safe by default: React escapes interpolated strings before rendering
const SafeComponent = () => <div>{userInput}</div>

// Requires explicit opt-in for raw HTML; only pass the output of a trusted sanitizer
const DangerousComponent = () => (
  <div dangerouslySetInnerHTML={{ __html: sanitizedHtml }} />
)

Rate Limiting

Configurable rate limiting using express-rate-limit:

import rateLimit from 'express-rate-limit'

// Example values: 100 requests per client per 15-minute window; tune for your traffic
const limiter = rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 100,
  standardHeaders: true, // send RateLimit-* headers
  legacyHeaders: false,  // omit the older X-RateLimit-* headers
})

app.use('/api/', limiter)

Honeypot Protection

Form spam prevention using honeypot fields:

import { Form } from '@remix-run/react'
import { Honeypot } from 'remix-utils/honeypot/react'

function ContactForm() {
  return (
    <Form method="post">
      <Honeypot />
      {/* Regular form fields */}
    </Form>
  )
}
</Form>
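The component only renders the hidden fields; the protection comes from the server-side check in the action. The following is an added example of that check, not remix-utils' implementation: it rejects submissions where the hidden field was filled in, and submissions made faster than a human could fill the form, using a render timestamp signed with an HMAC so it cannot be forged. The field names, the minimum fill time and the HMAC scheme are assumptions made for illustration.

```typescript
// Added example (not remix-utils code): server-side honeypot validation with a
// signed "valid from" timestamp.
import { createHmac, timingSafeEqual } from 'node:crypto'

const HONEYPOT_FIELD = 'name__confirm'   // assumed hidden field name; must stay empty
const VALID_FROM_FIELD = 'from__confirm' // assumed field carrying the signed render time
const MIN_FILL_TIME_MS = 1000            // assumed minimum time a human needs

function sign(value: string, secret: string): string {
  return createHmac('sha256', secret).update(value).digest('hex')
}

// Constant-time compare of two hex strings of equal length.
function safeEqualHex(a: string, b: string): boolean {
  if (a.length !== b.length) return false
  return timingSafeEqual(Buffer.from(a, 'hex'), Buffer.from(b, 'hex'))
}

// Called when rendering the form: embeds the render time, signed so the client
// cannot back-date it to skip the fill-time check.
function issueValidFrom(renderedAt: number, secret: string): string {
  const ts = String(renderedAt)
  return `${ts}.${sign(ts, secret)}`
}

type HoneypotResult = 'ok' | 'honeypot_filled' | 'bad_timestamp' | 'too_fast'

// Called in the action with the parsed form fields.
function checkHoneypot(form: Map<string, string>, secret: string, now: number): HoneypotResult {
  // Bots tend to fill every field they find; a real user never sees this one.
  if ((form.get(HONEYPOT_FIELD) ?? '') !== '') return 'honeypot_filled'

  const token = form.get(VALID_FROM_FIELD)
  if (!token) return 'bad_timestamp'
  const [ts, mac] = token.split('.')
  if (!ts || !mac || !/^[0-9a-f]+$/.test(mac)) return 'bad_timestamp'
  if (!safeEqualHex(mac, sign(ts, secret))) return 'bad_timestamp'

  // A future timestamp also fails here (negative elapsed time).
  const renderedAt = Number(ts)
  if (!Number.isFinite(renderedAt) || now - renderedAt < MIN_FILL_TIME_MS) return 'too_fast'
  return 'ok'
}
```

Log the non-'ok' results with the reason: a sudden rise in 'honeypot_filled' or 'too_fast' on one form is an early signal of automated abuse, and distinguishing the reasons helps tune MIN_FILL_TIME_MS without locking out real users.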

Authentication Security

  1. Password Storage

    • Secure hashing with bcrypt
    • Salt generation
    • Configurable work factors
  2. Session Management

    • Secure cookie settings
    • Session timeout
    • CSRF protection
  3. Two-Factor Authentication

    • Time-based OTP
    • Recovery codes
    • Device verification
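The "Time-based OTP" item covers more than generating a code: the server has to verify it with some tolerance for clock skew and must refuse a code that was already used. Here is an added example of RFC 6238 TOTP verification built on node:crypto; it is not the stack's own two-factor code. The step size, digit count and skew window are the common defaults, and the secret is the RFC 6238 Appendix B test key, used here only as a constructed sample.

```typescript
// Added example (not Ellemment Stack code): TOTP generation and verification
// per RFC 4226 / RFC 6238 using HMAC-SHA1.
import { createHmac, timingSafeEqual } from 'node:crypto'

const STEP_SECONDS = 30 // common default
const DIGITS = 6        // common default

// HOTP: HMAC over the 8-byte big-endian counter, then "dynamic truncation".
function hotp(secret: Buffer, counter: number): string {
  const msg = Buffer.alloc(8)
  msg.writeUInt32BE(Math.floor(counter / 0x100000000), 0)
  msg.writeUInt32BE(counter % 0x100000000, 4)
  const mac = createHmac('sha1', secret).update(msg).digest()
  const offset = mac.readUInt8(mac.length - 1) & 0x0f
  const code = mac.readUInt32BE(offset) & 0x7fffffff
  return String(code % 10 ** DIGITS).padStart(DIGITS, '0')
}

function timeCounter(unixSeconds: number): number {
  return Math.floor(unixSeconds / STEP_SECONDS)
}

function totp(secret: Buffer, unixSeconds: number): string {
  return hotp(secret, timeCounter(unixSeconds))
}

// Verify with a +/-1 step window for clock skew and a constant-time compare.
// Returns the matching counter so the caller can store it and reject replays:
// any code at or below the last accepted counter is refused.
function verifyTotp(
  secret: Buffer,
  code: string,
  unixSeconds: number,
  lastUsedCounter: number | null,
): { ok: boolean; counter: number | null } {
  if (!/^\d{6}$/.test(code)) return { ok: false, counter: null }
  const current = timeCounter(unixSeconds)
  for (const delta of [0, -1, 1]) {
    const counter = current + delta
    if (lastUsedCounter !== null && counter <= lastUsedCounter) continue // replay protection
    const expected = hotp(secret, counter)
    if (timingSafeEqual(Buffer.from(expected), Buffer.from(code))) return { ok: true, counter }
  }
  return { ok: false, counter: null }
}

// RFC 6238 Appendix B test key (ASCII "12345678901234567890"); constructed sample only.
const RFC_TEST_SECRET = Buffer.from('12345678901234567890', 'ascii')
```

Persisting the returned counter per user is what turns "time-based OTP" into a one-time code: without it, an intercepted code remains valid for the whole skew window.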

API Security

Request Validation

import { z } from 'zod'

const schema = z.object({
  username: z.string().min(3),
  email: z.string().email(),
})

// Throws a ZodError on invalid input; the caller turns that into a 400 response
function validateRequest(data: unknown) {
  return schema.parse(data)
}

Response Headers

app.use((req, res, next) => {
  res.setHeader('X-Content-Type-Options', 'nosniff') // no MIME sniffing
  res.setHeader('X-Frame-Options', 'DENY')           // no framing (clickjacking)
  // Legacy header: current browsers ignore it; the CSP above is the effective control
  res.setHeader('X-XSS-Protection', '1; mode=block')
  next()
})

Best Practices

Secret Management

  1. Use environment variables
  2. Implement secret rotation
  3. Audit access logs
  4. Encrypt sensitive data

Code Security

  1. Regular dependency updates
  2. Security linting rules
  3. Code review practices
  4. Automated scanning

Deployment Security

  1. HTTPS enforcement
  2. SSL/TLS configuration
  3. Network isolation
  4. Access controls

Monitoring

  1. Error tracking
  2. Security logging
  3. Incident response
  4. Performance monitoring

For more information about handling environment variables, see the secrets documentation. For deployment security configuration, refer to the deployment documentation.