MasterController

Security

Production-grade defenses, on by default.

MasterController initializes a layered set of protections at startup. This page summarizes what’s active and how to configure each layer for production.

Secure by default
Security headers, CSP, CSRF, rate limiting, session hardening, and prototype-pollution protection are initialized automatically — you tune them, you don’t bolt them on.

Secure headers & HSTS

Sensible security headers are set automatically. Enable HSTS in production once you’re on HTTPS:

```javascript
master.enableHSTS({ maxAge: 31536000, includeSubDomains: true, preload: true });
```

CSRF protection

CSRF tokens are session-bound and single-use. Generate one for a form, and validate it on submit:

```javascript
// in an action
const token = this.generateCSRFToken();
// later, on a mutating request
if (!this.validateCSRF()) return this.returnError(403, 'Invalid CSRF token');
```

Rate limiting

Throttle abusive clients per action or globally:

```javascript
if (!this.checkRateLimit()) return this.returnError(429, 'Too many requests');
```

Input validation & sanitization

Validate request parameters declaratively, sanitize free-text fields, and escape user-supplied text before rendering it:

```javascript
this.validateRequest({ email: 'required|email', age: 'integer' });
const clean = this.sanitizeInput(obj.params.formData.bio);
const safe = this.escapeHTML(userText);
```

Trusted proxies & client IP

Behind a load balancer, declare your proxies so X-Forwarded-* headers are honored only from them (defends against IP/scheme spoofing):

```javascript
master.trustedProxies = ['10.0.0.0/8'];
```
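To show why a trusted-proxy list matters, here is an added example in plain Node.js of resolving the client IP from X-Forwarded-For by walking the header from the right and skipping only trusted hops. It is not MasterController's own implementation; `resolveClientIp`, `inCidr` and `ipv4ToInt` are hypothetical helpers and handle IPv4 only.

```javascript
// Added example, not framework code: rightmost-untrusted X-Forwarded-For walk.
function ipv4ToInt(ip) {
  const parts = String(ip).trim().split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True if ip falls inside cidr ("10.0.0.0/8"); a bare address means /32.
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split('/');
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const ipInt = ipv4ToInt(ip);
  const netInt = ipv4ToInt(net);
  if (ipInt === null || netInt === null || !(bits >= 0 && bits <= 32)) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipInt & mask) >>> 0) === ((netInt & mask) >>> 0);
}

function isTrusted(ip, trustedProxies) {
  return trustedProxies.some((cidr) => inCidr(ip, cidr));
}

// remoteAddr: the TCP peer (socket.remoteAddress); xff: raw header value or undefined.
function resolveClientIp(remoteAddr, xff, trustedProxies) {
  // A header arriving from an untrusted peer is client-controlled: ignore it.
  if (!isTrusted(remoteAddr, trustedProxies)) return remoteAddr;
  const hops = (xff || '').split(',').map((s) => s.trim()).filter(Boolean);
  // Walk from the nearest hop backwards. The first address that is not a
  // trusted proxy is the client; anything left of it could have been spoofed.
  for (let i = hops.length - 1; i >= 0; i--) {
    if (ipv4ToInt(hops[i]) === null) return remoteAddr; // malformed: fall back to peer
    if (!isTrusted(hops[i], trustedProxies)) return hops[i];
  }
  // Every hop was one of our proxies; the peer address is the best answer.
  return remoteAddr;
}

// Constructed sample: spoofed "1.2.3.4" prefix is ignored, real client is 203.0.113.9
const TRUSTED = ['10.0.0.0/8'];
console.log(resolveClientIp('10.0.0.5', '1.2.3.4, 203.0.113.9', TRUSTED));
```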

Prototype-pollution protection

Dangerous keys (__proto__, constructor, prototype) are blocked from parsed input automatically, preventing a common class of object-injection attacks.

HTTPS redirect

```javascript
// server.js
// Always pass allowed hosts to prevent open-redirect attacks
master.startHttpToHttpsRedirect(80, '0.0.0.0', [
  'yourdomain.com', 'www.yourdomain.com',
]);
```

Production checklist

Use HTTPS · enable HSTS · set NODE_ENV=production · configure CORS with an explicit origin list · enable rate limiting · keep secrets in env vars · run behind a reverse proxy with a process manager. Test with SSL Labs and securityheaders.com.