Security
Understand the security features and how to keep your backend secure.
Security is Non-Negotiable
Every Bend project comes with production-grade security features enabled by default. You don't have to be a security expert to build secure applications.
Built-in Security Features
Helmet - Security Headers
Helmet sets various HTTP headers to protect your app from common web vulnerabilities:
- X-Frame-Options: Prevents clickjacking attacks
- X-Content-Type-Options: Prevents MIME type sniffing
- Strict-Transport-Security: Enforces HTTPS connections
- X-XSS-Protection: Enables browser XSS filtering
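To verify that these headers actually reach the client, the following added example (not Bend's or Helmet's own code) audits a response's header set for the four headers listed above and flags any that are missing or weakly configured. It is dependency-free Node.js; the sample header object and the one-year HSTS minimum are constructed assumptions for illustration.

```javascript
// Added example: audit a response's headers for the protections listed above.
// Pure Node.js, no dependencies. Header names are matched case-insensitively.

const CHECKS = [
  {
    name: 'x-frame-options',
    purpose: 'clickjacking protection',
    want: 'DENY or SAMEORIGIN',
    ok: (v) => ['DENY', 'SAMEORIGIN'].includes(v.trim().toUpperCase()),
  },
  {
    name: 'x-content-type-options',
    purpose: 'MIME sniffing protection',
    want: 'nosniff',
    ok: (v) => v.trim().toLowerCase() === 'nosniff',
  },
  {
    name: 'strict-transport-security',
    purpose: 'HTTPS enforcement',
    // Assumption for this example: require max-age of at least one year.
    want: 'max-age=31536000 or longer',
    ok: (v) => {
      const m = /max-age=(\d+)/i.exec(v);
      return m !== null && Number(m[1]) >= 31536000;
    },
  },
  {
    name: 'x-xss-protection',
    purpose: 'browser XSS filter setting',
    // Any explicit value counts; current Helmet versions send "0" because
    // the legacy browser filter is deprecated, so presence is what we check.
    want: 'an explicit value',
    ok: (v) => v.trim().length > 0,
  },
];

// Lower-case header names and join multi-valued headers, as Node's
// res.getHeaders() may return arrays.
function normalizeHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) {
    out[k.toLowerCase()] = Array.isArray(v) ? v.join(', ') : String(v);
  }
  return out;
}

// Returns one finding per header that is missing or fails its check.
function auditSecurityHeaders(headers) {
  const h = normalizeHeaders(headers);
  const findings = [];
  for (const c of CHECKS) {
    const value = h[c.name];
    if (value === undefined) {
      findings.push({ header: c.name, status: 'missing', purpose: c.purpose, want: c.want });
    } else if (!c.ok(value)) {
      findings.push({ header: c.name, status: 'weak', value, purpose: c.purpose, want: c.want });
    }
  }
  return findings;
}

// Constructed sample: a misconfigured deployment (short HSTS, bad framing policy).
const SAMPLE_HEADERS = {
  'Content-Type': 'application/json',
  'X-Frame-Options': 'ALLOWALL',
  'X-Content-Type-Options': 'nosniff',
  'Strict-Transport-Security': 'max-age=3600',
};

for (const f of auditSecurityHeaders(SAMPLE_HEADERS)) console.log(f);
```

Feed it the object returned by `res.getHeaders()` in a test, or the headers captured from a deployed endpoint, and treat any finding as a deployment bug.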
CORS Configuration
Cross-Origin Resource Sharing is properly configured to control which domains can access your API.
Rate Limiting
Protect your API from brute force attacks and DDoS attempts with intelligent rate limiting.
HPP Protection
HTTP Parameter Pollution protection prevents attackers from polluting query parameters to cause unexpected behavior.
Common Vulnerabilities Prevented
SQL Injection
Prevented by ORM parameterized queries
XSS Attacks
Mitigated by security headers and input sanitization
CSRF
Protected with CSRF tokens for state-changing operations
Clickjacking
Prevented by X-Frame-Options header
Security Best Practices
Keep Dependencies Updated
Regularly update packages and run npm audit to check for vulnerabilities
Use Environment Variables
Never hardcode secrets. Store API keys, database credentials, and tokens in .env files
Implement Authentication
Use JWT tokens or session-based auth. Never store passwords in plain text - always hash with bcrypt
Validate All Input
Never trust user input. Validate and sanitize all data before processing
Enable HTTPS in Production
Always use HTTPS in production. Use Let's Encrypt for free SSL certificates
Monitor and Log
Set up logging and monitoring to detect suspicious activity and security incidents
Need More Security?
For enterprise applications, consider adding additional security layers like API gateways, WAF, and security audits.