# Security Notes

This document records the security measures in place for the restaurant digital platform, covering XSS protection, SQL injection prevention, and input validation. It corresponds to **Requirement 12.4** (input sanitization / XSS prevention).

---

## 1. XSS Protection — React JSX Auto-Escaping

React escapes dynamic values rendered as JSX text content or attribute values before they reach the DOM. A string such as `{item.name}` or `{order.customerName}` has `&`, `<`, `>`, `"` and `'` encoded at render time, so markup inside it is displayed as text rather than parsed. This escaping covers text and attribute *values* only; it does not interpret the value, so a `javascript:` URL bound to `href` or `src`, a string assigned to `window.location`, or untrusted content handed to a third-party component that writes HTML is outside its scope.

**Verification:** A full search of the frontend source tree (`frontend/app/`, `frontend/components/`, `frontend/hooks/`, `frontend/lib/`, `frontend/store/`) found **zero** usages of `dangerouslySetInnerHTML`. Because this escape hatch is never used, there is no place where a string is handed to the DOM as raw HTML. The search is cheap enough to repeat in CI so that a future rich-text feature cannot reintroduce raw HTML rendering unnoticed.

**Conclusion:** DOMPurify is **not required** as long as no HTML string is rendered raw. If a field that carries markup (a menu description, for example) is ever rendered with `dangerouslySetInnerHTML`, it must be passed through DOMPurify first. Until then the remaining XSS concern is URL-typed props (`href`, `src`), which React escapes but does not scheme-check.
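The boundary of that escaping, as an added example that is not code from the project: `escapeHtml` applies the same five-character encoding React uses for `{value}` in text and attribute positions, and `safeHref` is a hypothetical scheme allowlist for anything that ends up in `href`/`src`, which escaping alone leaves untouched. The `https://app.example` base and the allowed scheme list are assumptions.

```javascript
// Added example (not project code): what React's JSX escaping does and does
// not cover. React encodes text and attribute values; it does not reject a
// `javascript:` URL placed in href/src, so that needs a separate scheme check.

// Same five characters React encodes when it renders {value} as text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[ch]);
}

// Assumed allowlist for link targets on this site.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:', 'tel:']);

// Returns a URL safe to put in <a href={...}>, or null if the scheme is not
// allowed. The WHATWG URL parser strips tabs/newlines and leading control
// characters and lowercases the scheme, so "java\tscript:alert(1)" and
// " JAVASCRIPT:alert(1)" are both recognised as javascript:.
function safeHref(untrusted, base = 'https://app.example') {
  if (typeof untrusted !== 'string') return null;
  let url;
  try {
    url = new URL(untrusted, base); // relative paths resolve against base
  } catch {
    return null;
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}
```

Use `safeHref` at the point where a user-supplied link is bound to a prop (`<a href={safeHref(item.website) ?? '#'}>`); escaping still happens on top of it, which is fine, because a valid `https:` URL contains nothing React needs to encode.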

---

## 2. SQL Injection Prevention — Sequelize ORM Parameterized Queries

All database interactions go through [Sequelize ORM](https://sequelize.org/). Values passed through Sequelize model methods are escaped or bound by the dialect driver rather than concatenated into the SQL text, so a user-supplied string in a `where` clause or a `create()` payload cannot change the statement. This applies to values only: column names (`order`, `attributes`, `group`), `sequelize.literal()` fragments and the query string given to `sequelize.query()` are emitted as written (its `replacements` and `bind` options are the parameterised path), so none of those may be built from request data.

**Verification:** A search of `backend/src/` found no raw SQL string construction (no `db.query(\`SELECT … ${userInput}\`)` patterns). All data access is performed via Sequelize model methods (`findAll`, `findByPk`, `create`, `update`, `destroy`). The same search should also cover `sequelize.query(`, `literal(` and `where`/`order` arguments built directly from `req.query` or `req.body`, since those bypass the value escaping described above.

**Conclusion:** SQL injection through values is prevented at the ORM layer, and no manual escaping is needed. Identifiers and raw fragments remain the developer's responsibility: they must come from an allowlist, never from the request.
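Where the ORM's protection stops, as an added example (not the project's service code): column names in `order` and nested objects in `where` are not values, so Sequelize passes them through as identifiers or interprets them as operators/JSON paths. The two helpers below build those arguments from an allowlist instead of from `req.query`; the `SORTABLE`/`FILTERABLE` names are assumed for illustration and the results are plain data in the shape `Model.findAll()` accepts.

```javascript
// Added example (not project code): Sequelize binds or escapes *values*, but a
// column name in `order` or a nested object in `where` is not a value. Build
// those from an allowlist instead of handing req.query to the ORM directly.

// Assumed: query-string names on the left, real column names on the right.
const SORTABLE = { name: 'name', price: 'price', created: 'createdAt' };
const FILTERABLE = new Set(['category', 'available']);

// Turns "?sort=-price" into [['price', 'DESC']]. Anything not in SORTABLE,
// including "name; DROP TABLE users", falls back to the default ordering.
function buildOrder(sortParam, fallback = [['name', 'ASC']]) {
  if (typeof sortParam !== 'string') return fallback;
  const desc = sortParam.startsWith('-');
  const column = SORTABLE[desc ? sortParam.slice(1) : sortParam];
  return column ? [[column, desc ? 'DESC' : 'ASC']] : fallback;
}

// Copies only known scalar filters. Objects and arrays are refused because a
// nested object is never a plain value to Sequelize: it is read as an operator
// or a JSON path, which is exactly what a crafted JSON body would exploit.
function buildWhere(query) {
  const where = {};
  for (const key of FILTERABLE) {
    const v = query[key];
    if (v === undefined) continue;
    if (v !== null && typeof v === 'object') {
      throw new TypeError(`filter "${key}" must be a scalar`);
    }
    where[key] = v;
  }
  return where;
}

// Intended use in a controller (MenuItem is a hypothetical model):
//   MenuItem.findAll({ where: buildWhere(req.query), order: buildOrder(req.query.sort) })
```

The allowlist also doubles as documentation of which columns the API lets callers sort and filter on, which is a useful thing to review when a new column is added.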

---

## 3. Input Validation — Joi Schemas on All API Inputs

Every mutating API endpoint is protected by the `validate` middleware (`backend/src/middleware/validate.js`), which runs the incoming request body through a Joi schema before the controller is reached. Invalid or unexpected fields are rejected with an HTTP 400 response before any business logic or database operation executes. Query-string and route parameters that reach a database call (ids, pagination, sort keys) need the same treatment; a body-only check leaves them to the controller.

This satisfies **Requirement 10.4** (validate all incoming data against defined schemas before persisting to the Database).
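The shape of such a middleware, as an added example rather than the project's `validate.js`: it validates one part of the request, replaces it with the validated value so the controller sees only what passed, and reports every field error in the 400 body. Joi is not bundled here; `objectSchema` is a constructed stand-in that returns Joi's `{ value, error }` contract with `error.details[].path` and `.message`, and `run` is a minimal Express-shaped harness. The field names are assumed.

```javascript
// Added example (not the project's validate.js): a Joi-backed validate
// middleware. `source` lets the same middleware cover 'query' and 'params',
// which need validation just as bodies do.
function validate(schema, source = 'body') {
  return (req, res, next) => {
    // Joi contract: schema.validate(value, options) -> { value, error }
    const { value, error } = schema.validate(req[source], {
      abortEarly: false,   // report every invalid field, not just the first
      stripUnknown: false, // unknown keys are an error, not silently dropped
    });
    if (error) {
      return res.status(400).json({
        error: 'ValidationError',
        details: error.details.map((d) => ({ path: d.path.join('.'), message: d.message })),
      });
    }
    req[source] = value; // controller sees the validated value, never raw input
    return next();
  };
}

// Constructed stand-in for a Joi object schema (Joi is not bundled here): each
// key is required with the given typeof, unknown keys are rejected, and the
// result uses Joi's { value, error: { details: [{ path, message }] } } shape.
function objectSchema(fields) {
  return {
    validate(input, _options) {
      const details = [];
      const value = {};
      for (const [key, type] of Object.entries(fields)) {
        const v = input?.[key];
        if (v === undefined) details.push({ path: [key], message: `"${key}" is required` });
        else if (typeof v !== type) details.push({ path: [key], message: `"${key}" must be a ${type}` });
        else value[key] = v;
      }
      for (const key of Object.keys(input ?? {})) {
        if (!(key in fields)) details.push({ path: [key], message: `"${key}" is not allowed` });
      }
      return details.length ? { value: input, error: { details } } : { value };
    },
  };
}

// Minimal req/res/next so the middleware can be exercised without Express.
function run(middleware, body) {
  const req = { body };
  const res = {
    statusCode: 200, body: null,
    status(code) { this.statusCode = code; return this; },
    json(payload) { this.body = payload; return this; },
  };
  let nextCalled = false;
  middleware(req, res, () => { nextCalled = true; });
  return { req, res, nextCalled };
}
```

Replacing `req[source]` with the validated value matters as much as the 400: it is how Joi's type coercion and defaults reach the controller, and it guarantees that a field the schema does not mention cannot be read downstream by accident.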

---

## 4. Additional Security Headers

HTTP security headers are applied globally via the `securityHeaders` middleware (`backend/src/middleware/securityHeaders.js`), which configures [Helmet](https://helmetjs.github.io/) with:

| Header | Value |
|---|---|
| `Content-Security-Policy` | Restricts resource origins to `'self'` (plus `unsafe-inline` for styles and `https:` for images) |
| `X-Content-Type-Options` | `nosniff` |
| `X-Frame-Options` | `DENY` |

This satisfies **Requirement 12.3**, with two caveats worth recording. First, browsers that support the CSP `frame-ancestors` directive ignore `X-Frame-Options` whenever that directive is present, so if the CSP includes `frame-ancestors` it must say `'none'` to match `DENY`. Second, these headers are attached only to responses from the Express backend; the HTML documents served from `frontend/app/` are what a framing attack or an injected script actually targets, so whatever serves them must send the same headers.

---

## Summary

| Threat | Mitigation | Status |
|---|---|---|
| Cross-Site Scripting (XSS) | React JSX auto-escaping of text and attribute values; no `dangerouslySetInnerHTML` used; URL-typed props (`href`, `src`) still need a scheme allowlist | ✅ Protected |
| SQL Injection | Sequelize ORM escaped/bound values; no raw SQL; identifiers and `literal()` fragments must be allowlisted | ✅ Protected |
| Malformed / malicious input | Joi schema validation on all mutating API endpoints | ✅ Protected |
| Clickjacking / MIME sniffing | Helmet security headers (CSP, X-Frame-Options, X-Content-Type-Options) on backend responses | ✅ Protected |
| Raw HTML rendering (would need DOMPurify) | `dangerouslySetInnerHTML` is not used anywhere, so no sanitiser is needed | ✅ N/A |

---

## Verification Checklist

The following checks were performed against the codebase to confirm each security measure is active (Requirements 12.1, 12.2, 12.3, 12.5).

| # | Check | File(s) | Result |
|---|---|---|---|
| 1 | **Sequelize parameterized queries (Req 12.1)** | `backend/src/models/`, `backend/src/services/` | ✅ All DB access uses Sequelize model methods (`findOne`, `findAll`, `create`, `update`, `destroy`). No raw SQL string interpolation found. |
| 2 | **bcrypt cost factor ≥ 12 (Req 12.2)** | `backend/src/services/authService.js`, `backend/src/config/env.js` | ✅ `hashPassword()` reads `env.BCRYPT_COST`, which defaults to `12` via `parseInt(process.env.BCRYPT_COST, 10) \|\| 12`. Note that the default only applies when the variable is unset or non-numeric; an explicit low value such as `BCRYPT_COST=4` is accepted as-is, so the config should also reject values below 12. |
| 3 | **Helmet security headers on all responses (Req 12.3)** | `backend/src/middleware/securityHeaders.js`, `backend/src/app.js` | ✅ `app.use(securityHeaders)` is the first middleware registered in `createApp()`, so every response receives CSP, `X-Content-Type-Options: nosniff`, and `X-Frame-Options: DENY`. |
| 4 | **Rate limiting on `/api/v1/auth/login` (Req 12.5)** | `backend/src/middleware/rateLimiter.js`, `backend/src/routes/v1/auth.js` | ✅ `authRateLimiter` (10 req / 60 s per IP, standard `RateLimit-*` headers) is applied directly to the `POST /login` route handler. "Per IP" depends on Express seeing the real client address: behind a reverse proxy or load balancer, `trust proxy` must be set to the exact number of proxy hops (not `true`), otherwise every client shares the proxy's address, or, with `true`, a client can spoof `X-Forwarded-For` to dodge the limit. |
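A guard for the cost-factor gap noted in check 2, as an added example and not the project's `env.js`: an unset variable falls back to 12, and anything else must be an integer within bcrypt's range and not below 12, so a misconfigured low cost fails at startup instead of silently weakening every new hash.

```javascript
// Added example (not the project's env.js): read BCRYPT_COST so that "unset"
// means 12 but a set-and-wrong value is refused, unlike `parseInt(...) || 12`,
// which accepts "4" and turns "12abc" into 12.
const MIN_BCRYPT_COST = 12; // the requirement's floor
const MAX_BCRYPT_COST = 31; // bcrypt's own upper bound

function readBcryptCost(env = process.env) {
  const raw = env.BCRYPT_COST;
  if (raw === undefined || raw.trim() === '') return MIN_BCRYPT_COST;
  const cost = Number(raw); // Number('12abc') is NaN; parseInt would give 12
  if (!Number.isInteger(cost) || cost < MIN_BCRYPT_COST || cost > MAX_BCRYPT_COST) {
    throw new RangeError(
      `BCRYPT_COST must be an integer in [${MIN_BCRYPT_COST}, ${MAX_BCRYPT_COST}], got "${raw}"`
    );
  }
  return cost;
}
```

Calling this once at module load (where `env.js` builds its config object) turns a bad deployment variable into a crash at boot, which is the failure mode you want for a parameter that cannot be fixed retroactively for hashes already written.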
