A comprehensive secure web-based task management application demonstrating enterprise-level security practices, OWASP compliance, and automated CI/CD pipeline integration.
- Client & Server-side Validation: Comprehensive validation using Zod schemas
- SQL Injection Prevention: Parameterized queries and ORM usage
- XSS Protection: Input sanitization and output encoding
- CSRF Protection: Token-based CSRF protection
- Secure Password Hashing: bcrypt with salt rounds
- JWT Token Management: Secure token generation and validation
- Session Timeout: Automatic logout and session expiration
- Multi-factor Authentication Ready: Extensible auth system
- Security Headers: CSP, HSTS, X-Frame-Options, etc.
- HTTPS Enforcement: Secure transport layer
- Rate Limiting: API endpoint protection
- Error Handling: Secure error messages without information disclosure
- Frontend: Next.js 14, TypeScript, Tailwind CSS
- Backend: Next.js API Routes, Server Actions
- Database: Supabase (PostgreSQL)
- Authentication: Supabase Auth
- Validation: Zod
- UI Components: shadcn/ui
- Security: Custom middleware, security headers
- Security Scanning: Bandit, ESLint Security, npm audit
- Code Quality: TypeScript checking, ESLint, Prettier
- Dependency Scanning: Snyk vulnerability detection
- Automated Testing: Unit and integration tests
- Deployment: Automated deployment to Vercel
- OWASP ZAP: Dynamic security testing
- Bandit: Python security linter
- ESLint Security Plugin: JavaScript security rules
- Snyk: Dependency vulnerability scanning
- OWASP ZAP: Dynamic application security testing
- Node.js 18+
- npm or yarn
- Supabase account
- GitHub account (for CI/CD)
- Clone the repository

  ```bash
  git clone https://github.com/MR-PROFESSOR-790/SecureTasker
  cd securetasker
  ```

- Install dependencies

  ```bash
  npm install
  ```

- Environment Setup: create a `.env.local` file:

  ```env
  NEXT_PUBLIC_SUPABASE_URL=your_supabase_url
  NEXT_PUBLIC_SUPABASE_ANON_KEY=your_supabase_anon_key
  ```

- Database Setup
  - Run the SQL scripts in the `scripts/` folder in your Supabase SQL editor
  - This creates the tasks table with proper RLS policies

- Run the development server

  ```bash
  npm run dev
  ```

- Access the application: open http://localhost:3000 in your browser

- Vercel Deployment

  ```bash
  npm run build
  vercel --prod
  ```

- Environment Variables: set the following in your Vercel dashboard:
  - `NEXT_PUBLIC_SUPABASE_URL`
  - `NEXT_PUBLIC_SUPABASE_ANON_KEY`
```typescript
const taskSchema = z.object({
  title: z.string().min(1).max(100),
  description: z.string().max(500).optional(),
  priority: z.enum(['low', 'medium', 'high']),
  status: z.enum(['pending', 'in_progress', 'completed'])
})
```

```typescript
const securityHeaders = {
  'X-XSS-Protection': '1; mode=block',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Content-Security-Policy': 'default-src \'self\'; ...',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
}
```

```sql
CREATE POLICY "Users can only see their own tasks" ON tasks
  FOR SELECT USING (auth.uid() = user_id);
```
- Bandit: Python security linter results
- ESLint Security: JavaScript security rule violations
- npm audit: Dependency vulnerability scan
- OWASP ZAP: Automated security testing
- Manual Penetration Testing: Security assessment results
```
+-------------------+     +-------------------+     +-------------------+
|   Client Side     |     |    Server Side    |     |     Database      |
|                   |     |                   |     |                   |
| * Input Valid.    |---->| * Auth Middleware |---->| * RLS Policies    |
| * XSS Protection  |     | * Rate Limiting   |     | * Encrypted Data  |
| * CSRF Tokens     |     | * Security Headers|     | * Audit Logs      |
+-------------------+     +-------------------+     +-------------------+
```

```
+---------------+     +---------------+     +---------------+     +---------------+
|    Commit     |---->|   Security    |---->|    Build      |---->|    Deploy     |
|               |     |   Scanning    |     |   & Test      |     |               |
| * Code Push   |     | * Bandit      |     | * TypeScript  |     | * Vercel      |
| * PR Review   |     | * ESLint      |     | * Unit Tests  |     | * OWASP ZAP   |
+---------------+     +---------------+     +---------------+     +---------------+
```
```bash
# Run security linting
npm run lint:security

# Run dependency audit
npm audit

# Run Bandit scan
bandit -r . -f json

# Run all tests
npm test

# Run with coverage
npm run test:coverage
```
- Authentication attempts logging
- Failed login rate limiting
- Suspicious activity detection
- Error tracking and alerting
- Response time tracking
- Database query optimization
- Resource usage monitoring
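The monitoring items above ("Authentication attempts logging", "Failed login rate limiting", "Suspicious activity detection") describe a control without showing one. The following is an added example written for this README, not code from the SecureTasker repository: a sliding-window failed-login limiter keyed by client address, and a replay of constructed auth-log lines through it that reports which clients it would have refused. The log line format, the `Policy` shape and the sample addresses are all assumptions made for the example.

```typescript
// Added example, not from the SecureTasker repository: a sliding-window
// failed-login limiter plus a replay over constructed auth-log lines that
// reports which clients the limiter would have blocked.

export interface AuthEvent {
  ts: number;                 // epoch milliseconds
  ip: string;
  user: string;
  outcome: 'success' | 'failure';
}

export interface Policy {
  windowMs: number;           // length of the sliding window
  maxFailures: number;        // failures allowed inside one window
}

// Log line format assumed for this example:
//   <ISO-8601 time> auth <success|failure> ip=<address> user=<identifier>
const LINE = /^(\S+) auth (success|failure) ip=(\S+) user=(\S+)$/;

// Parse one line; returns null for anything that does not match, so a
// malformed or truncated line never crashes the monitor.
export function parseAuthLine(line: string): AuthEvent | null {
  const m = LINE.exec(line.trim());
  if (!m) return null;
  const ts = Date.parse(m[1]);
  if (isNaN(ts)) return null;
  return { ts, ip: m[3], user: m[4], outcome: m[2] === 'success' ? 'success' : 'failure' };
}

export class FailedLoginLimiter {
  private failures: { [ip: string]: number[] } = {};
  constructor(private readonly policy: Policy) {}

  // Drop failures older than the window and return the live ones for `ip`.
  private prune(ip: string, now: number): number[] {
    const live = (this.failures[ip] || []).filter((t) => now - t < this.policy.windowMs);
    this.failures[ip] = live;
    return live;
  }

  // May this client attempt a login now? Checked before any password is verified.
  allow(ip: string, now: number): boolean {
    return this.prune(ip, now).length < this.policy.maxFailures;
  }

  recordFailure(ip: string, now: number): void {
    this.prune(ip, now).push(now);
  }

  // A successful login clears the counter so a legitimate user is not
  // penalised for earlier typos.
  recordSuccess(ip: string): void {
    delete this.failures[ip];
  }
}

// Replay a log through the limiter. Returns ip -> ISO time of the first attempt
// the limiter would have refused. Refused attempts are not fed back in, because
// in production they never reach the credential check.
export function replayAuthLog(lines: string[], policy: Policy): { [ip: string]: string } {
  const limiter = new FailedLoginLimiter(policy);
  const events = lines
    .map((l) => parseAuthLine(l))
    .filter((e): e is AuthEvent => e !== null)
    .sort((a, b) => a.ts - b.ts);
  const blocked: { [ip: string]: string } = {};
  for (const e of events) {
    if (!limiter.allow(e.ip, e.ts)) {
      if (!(e.ip in blocked)) blocked[e.ip] = new Date(e.ts).toISOString();
      continue;
    }
    if (e.outcome === 'failure') limiter.recordFailure(e.ip, e.ts);
    else limiter.recordSuccess(e.ip);
  }
  return blocked;
}

// Constructed sample log (not real traffic): one address cycles through several
// usernames, another makes a single typo and then logs in.
export const SAMPLE_LOG: string[] = [
  '2024-05-01T10:00:00Z auth failure ip=203.0.113.5 user=alice',
  '2024-05-01T10:00:02Z auth failure ip=203.0.113.5 user=alice',
  '2024-05-01T10:00:04Z auth failure ip=203.0.113.5 user=bob',
  '2024-05-01T10:00:05Z auth failure ip=203.0.113.5 user=carol',
  '2024-05-01T10:00:06Z auth success ip=203.0.113.5 user=dave',
  '2024-05-01T10:00:30Z auth failure ip=198.51.100.7 user=alice',
  '2024-05-01T10:00:45Z auth success ip=198.51.100.7 user=alice',
  'malformed line that the parser should skip',
];

export const DEFAULT_POLICY: Policy = { windowMs: 60000, maxFailures: 3 };

console.log(replayAuthLog(SAMPLE_LOG, DEFAULT_POLICY));
```

With the default policy the replay flags `203.0.113.5` at its fourth attempt inside the window and leaves `198.51.100.7` alone, because its one failure is followed by a success that clears the counter. Keying on the client address is the simplest choice and is what the README's "Failed login rate limiting" suggests; a per-account counter alongside it catches the same behaviour spread over many addresses.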
```typescript
// middleware.ts
export const config = {
  matcher: [
    '/((?!_next/static|_next/image|favicon.ico).*)',
  ],
}
```
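The `securityHeaders` object shown earlier leaves the Content-Security-Policy as `default-src 'self'; ...`, and the `matcher` above decides which requests the middleware (and so those headers) reaches. The following added example, written for this README and not taken from the SecureTasker repository, fills both gaps: it builds the header set with a per-request CSP nonce, adds a check that a response carries every required header, and tests the matcher against sample paths. The nonce value, the `REQUIRED_HEADERS` list and the RegExp form of the matcher are assumptions made for the example.

```typescript
// Added example, not code from the SecureTasker repository. It builds the
// README's security header set with a per-request CSP nonce and checks which
// request paths the middleware matcher from middleware.ts applies to.

export type SecurityHeaders = { [name: string]: string };

// Build the response headers. `nonce` must be unpredictable and fresh for
// every response; the caller generates it (e.g. 16 random bytes, base64).
export function buildSecurityHeaders(nonce: string): SecurityHeaders {
  const csp = [
    "default-src 'self'",
    // Only scripts carrying this response's nonce may run; 'strict-dynamic'
    // lets a nonced loader pull in its own dependencies without listing hosts.
    "script-src 'self' 'nonce-" + nonce + "' 'strict-dynamic'",
    "object-src 'none'",
    "base-uri 'self'",
    "form-action 'self'",
    "frame-ancestors 'none'",
  ].join('; ');
  return {
    'Content-Security-Policy': csp,
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
    'X-Content-Type-Options': 'nosniff',
    'X-Frame-Options': 'DENY',
    'X-XSS-Protection': '1; mode=block',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
  };
}

// Headers a response must carry before it leaves the server (assumed list).
export const REQUIRED_HEADERS: string[] = [
  'Content-Security-Policy',
  'Strict-Transport-Security',
  'X-Content-Type-Options',
  'X-Frame-Options',
];

// Names of required headers missing from `actual`, compared case-insensitively
// because HTTP header names are. Handy as a unit test on API route responses.
export function missingSecurityHeaders(actual: SecurityHeaders): string[] {
  const present = Object.keys(actual).map((k) => k.toLowerCase());
  return REQUIRED_HEADERS.filter((h) => present.indexOf(h.toLowerCase()) === -1);
}

// The README's matcher '/((?!_next/static|_next/image|favicon.ico).*)' written
// as the equivalent JavaScript RegExp (assumed here; Next.js compiles it for you).
const MIDDLEWARE_MATCHER = /^\/((?!_next\/static|_next\/image|favicon\.ico).*)$/;

// True when the middleware, and therefore the headers above, runs for this path.
export function isCoveredByMiddleware(pathname: string): boolean {
  return MIDDLEWARE_MATCHER.test(pathname);
}

// Stand-alone demo with a constructed, fixed nonce (never reuse one in production).
const demoHeaders = buildSecurityHeaders('ZGVtby1ub25jZQ==');
console.log(demoHeaders['Content-Security-Policy']);
console.log(missingSecurityHeaders({ 'x-frame-options': 'DENY' }));
for (const p of ['/api/tasks', '/_next/static/chunk.js', '/favicon.ico']) {
  console.log(p, isCoveredByMiddleware(p));
}
```

Static assets under `/_next/static` and `/_next/image` are excluded by the matcher, so any HTML response that must carry the CSP has to come from a path the matcher accepts; `missingSecurityHeaders` is the check to run in a test against each API route and page response.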
```sql
-- Enable RLS on all tables
ALTER TABLE tasks ENABLE ROW LEVEL SECURITY;

-- Create security policies
CREATE POLICY "secure_access" ON tasks
  USING (auth.uid() = user_id);
```
- Authentication Security
  - Strong password requirements
  - Secure session management
  - JWT token validation
  - Automatic logout
- Data Protection
  - Input validation and sanitization
  - Output encoding
  - SQL injection prevention
  - XSS protection
- Infrastructure Security
  - HTTPS enforcement
  - Security headers
  - CSRF protection
  - Rate limiting
- Monitoring & Logging
  - Security event logging
  - Error tracking
  - Performance monitoring
  - Audit trails
- Detection: Automated monitoring and alerting
- Assessment: Security team evaluation
- Containment: Immediate threat mitigation
- Recovery: System restoration and validation
- Lessons Learned: Post-incident analysis
For security issues or questions:
- Create an issue in the GitHub repository
- Contact the security team at [email protected]
- Review the security policy in SECURITY.md
This project is licensed under the MIT License
- OWASP for security guidelines
- Supabase for secure backend infrastructure
- Next.js team for security-first framework
- Security community for best practices
SecureTasker demonstrates enterprise-level security practices for modern web applications. Built with security-first principles and continuous monitoring.