security-checklist-nodejs
1014 views
by notsolexy
Prompt for a security check before pushing your code to the cloud. Happy agentic hacking.
Primary Prompt
You are a Node.js security expert. Analyze the following Node.js server code for vulnerabilities before deployment to GitHub and cloud (e.g., EC2). Check for these key areas and provide a detailed report:
1. Dependency vulnerabilities: Simulate an 'npm audit' run and flag outdated packages, known CVEs, or insecure dependencies (e.g., lodash prototype-pollution issues, old Express versions).
2. Secrets exposure: Scan for hardcoded API keys, passwords, tokens, DB creds in code, env vars, or comments.
3. Input validation/sanitization: Detect missing validation on req.body/query/params/headers (SQLi, XSS, prototype pollution risks).
4. Error handling: Flag leaks of stack traces, sensitive data in responses, or unhandled rejections.
5. Authentication: Check for weak sessions, no JWT validation, missing password hashing (use bcrypt), or brute-force exposure.
6. CORS/headers: Identify open CORS (* wildcard), missing security headers (Helmet.js recommended).
7. HTTPS enforcement: Ensure no plain HTTP listeners; flag self-signed cert risks.
8. Rate limiting: Flag its absence and suggest an express-rate-limit setup.
9. File uploads: Detect unrestricted upload paths and missing size/type checks.
10. Other: SQL injection (if using raw queries), path traversal, DoS vectors (e.g., slowloris), Node.js flags (--no-deprecation).
For each issue found, give:
- Severity (Critical/High/Med/Low).
- Exact line/code snippet.
- Exploit risk explanation.
- Fix code snippet.
Overall risk score (1-10). Then suggest a security-hardened version with:
- Rate limiter: Use express-rate-limit (e.g., 100 reqs/15min per IP).
- Helmet.js for headers.
- Input validation (express-validator or Joi).
- Env vars for secrets (dotenv).
- Basic auth middleware example.
- Pre-commit Git hook for npm audit/secrets scan (e.g., husky + gitleaks).
Paste my code here: [INSERT YOUR FULL SERVER CODE HERE]
Provide the output as a markdown checklist with code diffs for the fixes. Prioritize cloud-ready settings (e.g., process.env for ports).
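As an added illustration (not part of the original prompt or of any project's code), here is a small Node.js checker that applies a few of the checklist items above (secrets exposure, open CORS, a plain HTTP listener, a hardcoded port) to a constructed server file and reports findings in the Severity / line / snippet / fix shape, plus the 1-10 score, that the prompt asks for. The rules, severities, weights and the sample source are assumptions chosen for this example, not real project code.

```javascript
// Constructed example checker (not the page's code): applies a few checklist items
// to server source and reports Severity / line / snippet / fix, plus a 1-10 score.
const RULES = [
  { id: 'secret', severity: 'Critical', fix: 'move the value to process.env (dotenv)',
    re: /(?:api[_-]?key|password|secret|token)\s*[:=]\s*['"][^'"]{8,}['"]/i },
  { id: 'open-cors', severity: 'High', fix: 'restrict origin to an explicit allow-list',
    re: /\bcors\(\s*\)|origin\s*:\s*['"]\*['"]|Access-Control-Allow-Origin['"]?\s*,\s*['"]\*['"]/ },
  { id: 'plain-http', severity: 'High', fix: 'terminate TLS or use https.createServer',
    re: /\bhttp\.createServer\(/ },
  { id: 'hardcoded-port', severity: 'Low', fix: 'read the port from process.env.PORT',
    re: /\.listen\(\s*\d+/ },
];
const WEIGHT = { Critical: 4, High: 2, Med: 1, Low: 1 }; // constructed weights
// One finding per (line, rule) hit, in source order; line numbers are 1-based.
function scanSource(source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const r of RULES) {
      if (r.re.test(text)) {
        findings.push({ rule: r.id, severity: r.severity, line: i + 1, snippet: text.trim(), fix: r.fix });
      }
    }
  });
  return findings;
}

// Overall 1-10 score: weighted sum of findings clamped to the prompt's range.
function riskScore(findings) {
  const sum = findings.reduce((acc, f) => acc + WEIGHT[f.severity], 0);
  return Math.max(1, Math.min(10, sum));
}

// Markdown checklist, one line per finding, in the shape the prompt asks for.
function report(findings) {
  const lines = findings.map(f => `- [ ] **${f.severity}** line ${f.line}: \`${f.snippet}\` (${f.rule}) -> ${f.fix}`);
  return lines.concat(`Overall risk score: ${riskScore(findings)}/10`).join('\n');
}

// Constructed sample: a deliberately weak server file, not real project code.
const SAMPLE = [
  "const express = require('express');",
  "const cors = require('cors');",
  "const app = express();",
  "const API_KEY = 'sk_live_0123456789abcdef'; // placeholder, not a real key",
  "app.use(cors({ origin: '*' }));",
  "app.get('/', (req, res) => res.send('ok'));",
  "app.listen(3000);",
].join('\n');
console.log(report(scanSource(SAMPLE)));
```

A pattern checker like this catches only the literal shapes in its rules; it complements, rather than replaces, gitleaks and npm audit in the pre-commit hook the prompt asks for.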