| name | nestjs-security |
| description | Implement JWT authentication, RBAC guards, Helmet hardening, and Argon2 hashing in NestJS. Use when adding auth strategies, role-based access control, CSRF protection, or security headers. |
| license | MIT |
| version | 1.0.0 |
| author | [Filippo De Silva](https://github.com/FilippoDeSilva) |
| tags | ["nestjs","security","jwt","rbac","helmet","argon2","passport","csrf"] |
| metadata | {"triggers":{"files":["**/*.guard.ts","**/*.strategy.ts","**/auth/**"],"keywords":["Passport","JWT","AuthGuard","CSRF","Helmet"]}} |
NestJS Security Standards
Priority: P0 (CRITICAL)
Workflow: Secure NestJS Application
- Add Helmet —
app.use(helmet()) in main.ts for HSTS, CSP headers.
- Configure JWT strategy — Use
passport-jwt with RS256; validate iss and aud claims.
- Bind global AuthGuard — Register as
APP_GUARD; use @Public() for open routes.
- Add throttling — Enable
@nestjs/throttler with Redis store for rate limiting.
- Hash with Argon2id — Replace bcrypt with
argon2.hash(password, { type: argon2.argon2id }).
- Verify — Run
npm audit --prod and test that unauthenticated requests return 401.
Global Auth Guard Example
See implementation examples
Argon2id Hashing Example
See implementation examples
Authentication (JWT)
- Strategy: Use
@nestjs/passport with passport-jwt.
- Algorithm: Enforce
RS256 (preferred) or HS256. Reject none.
- Claims: Validate
iss and aud.
- Tokens: Short access (15m), Long httponly refresh (7d).
- MFA: Require 2FA for admin panels.
Authorization (RBAC)
- Deny by default: Bind
AuthGuard globally (APP_GUARD).
- Bypass: Create
@Public() decorator for open routes.
- Roles: Use
Reflector.getAllAndOverride for Method/Class merge.
Cryptography
Hardening
- Helmet: Mandatory. Enable HSTS, CSP.
- CORS: Explicit origins only. No
*.
- Throttling: Use Redis-backed
@nestjs/throttler in production.
- CSRF: Required for cookie-based auth. See implementation.
Data Protection
- Sanitization: Use
ClassSerializerInterceptor + @Exclude().
- Validation:
ValidationPipe({ whitelist: true }) to prevent mass assignment.
- Audit: Log mutations (Who, What, When). See implementation.
Secrets Management
- CI/CD: Run
npm audit --prod in pipelines.
- Runtime: Inject via vault (AWS Secrets Manager / HashiCorp Vault), not
.env.
Anti-Patterns
- No Shadow APIs: Audit routes regularly; disable
/docs in production.
- No SSRF: Allowlist domains for all outgoing HTTP requests.
- No SQLi: Use ORM; avoid raw
query() with string concatenation.
- No XSS: Sanitize HTML input with
dompurify.
References