VAPT Readiness

Likely VAPT findings for this stack and how we plan to mitigate them. Use this as a pre-flight checklist before handing builds to external testers.

Common findings & mitigations

  • Outdated components (frontend/backend): Angular kept on the latest stable release; React version frozen but CVE-scanned on every build. Use npm audit for npm, OWASP Dependency-Check for Maven, and Snyk or equivalent OSS tools; commit lockfiles so transitive versions are pinned and scan results are reproducible.
  • HTTP security headers: Set HSTS, CSP, X-Frame-Options, X-Content-Type-Options and Referrer-Policy in nginx (add_header with the always flag, so 4xx/5xx responses carry them too); verify with curl -I and Mozilla Observatory.
  • TLS config: TLS 1.2/1.3 only with a modern cipher list on nginx, OCSP stapling enabled; renewals automated via Certbot and exercised with certbot renew --dry-run so an expired certificate is never the first finding.
  • Auth/session issues: Enforce OIDC/OAuth2 (authorization code flow with PKCE for the SPAs), cookies flagged Secure, HttpOnly and SameSite, short-lived access tokens, and refresh-token rotation with reuse detection.
  • Input validation/XSS: Rely on Angular's built-in template sanitization and treat every bypassSecurityTrust* call (and dangerouslySetInnerHTML in the frozen React code) as a finding unless it has been reviewed; validate all inputs server-side as well, since client-side checks are trivially bypassed.
  • API authorization: Method-level Spring Security checks (@PreAuthorize) on every service entry point, not only URL patterns; test negative scenarios (another tenant's IDs, a lower role) to catch IDOR/BOLA; least-privileged service accounts.
  • Secrets handling: No secrets in repos; inject via environment or a secret manager at deploy time; restrict IAM roles for the DB and message brokers to the one service that needs each.
  • File uploads: Validate type by content, not by the client-supplied Content-Type or extension, and enforce size limits; store outside the webroot under server-generated names; virus-scan; serve downloads through short-lived signed URLs.
  • Logging & PII: No sensitive data in logs; structured logging with trace IDs; mask tokens, session IDs and passwords before they reach the log pipeline.
  • Rate limiting/DoS: nginx limit_req/limit_conn on public endpoints, tighter on login and password-reset; timeouts and circuit breakers in services.
  • Database hardening: TLS to MySQL with certificate verification, no wildcard-host or GRANT ALL grants, credential rotation, least privilege per module schema (the application user gets no DDL).
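A repeatable check for the header and cookie items above, as an added example (POSIX shell; not part of the original checklist). It parses a curl -sI capture and fails on missing headers, an HSTS max-age under one year, a wildcard CSP default-src, or any cookie set without Secure, HttpOnly and SameSite. The two sample responses are constructed for the demo; the staging hostname in the comments is an assumption.

```shell
#!/usr/bin/env sh
# Added example, not part of the original checklist: verify the header and
# cookie items of the VAPT checklist from a `curl -sI` capture, so the check
# can run in CI before a build reaches the testers. Runs offline on the
# constructed sample responses below; the staging hostname is assumed.

# Header names every public response must carry (lower-case for matching).
REQUIRED_HEADERS="strict-transport-security content-security-policy x-frame-options x-content-type-options referrer-policy"

# check_headers RESPONSE_TEXT
# Prints one line per problem found; returns 1 if any, 0 if the response is clean.
check_headers() {
  # Strip CRs and lower-case everything: header names are case-insensitive
  # and HTTP/2 already sends them lower-case.
  lower=$(printf '%s\n' "$1" | tr -d '\r' | tr '[:upper:]' '[:lower:]')
  rc=0

  for h in $REQUIRED_HEADERS; do
    if ! printf '%s\n' "$lower" | grep -q "^$h:"; then
      echo "MISSING header: $h"; rc=1
    fi
  done

  # HSTS shorter than one year (31536000 s) fails preload and is flagged by scanners.
  max_age=$(printf '%s\n' "$lower" | sed -n 's/^strict-transport-security:.*max-age=\([0-9]*\).*/\1/p' | head -n 1)
  if [ -n "$max_age" ] && [ "$max_age" -lt 31536000 ]; then
    echo "WEAK HSTS: max-age=$max_age (want >= 31536000)"; rc=1
  fi

  # A wildcard in default-src makes the CSP decorative.
  if printf '%s\n' "$lower" | grep -q "^content-security-policy:.*default-src[^;]*\*"; then
    echo "WEAK CSP: wildcard in default-src"; rc=1
  fi

  # Every Set-Cookie must carry Secure, HttpOnly and an explicit SameSite.
  # A here-doc feeds the loop instead of a pipe so rc survives it in POSIX sh.
  while IFS= read -r line; do
    case "$line" in
      set-cookie:*)
        for flag in secure httponly samesite=; do
          case "$line" in
            *"; $flag"*) ;;
            *) echo "COOKIE missing $flag: ${line#set-cookie: }"; rc=1 ;;
          esac
        done ;;
    esac
  done <<EOF
$lower
EOF
  return $rc
}

# Constructed sample: what a hardened nginx should return.
GOOD_RESPONSE=$(cat <<'EOF'
HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=63072000; includeSubDomains; preload
content-security-policy: default-src 'self'; frame-ancestors 'none'
x-frame-options: DENY
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
set-cookie: SESSION=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
EOF
)

# Constructed sample: a typical pre-hardening response (six findings).
BAD_RESPONSE=$(cat <<'EOF'
HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=3600
X-Frame-Options: SAMEORIGIN
Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly
EOF
)

case "${1:-}" in
  --demo)
    check_headers "$GOOD_RESPONSE" && echo "sample 1: clean"
    check_headers "$BAD_RESPONSE" || echo "sample 2: findings listed above"
    ;;
  http*)
    # Live run, e.g. ./check_headers.sh https://staging.example.com/ (hostname assumed)
    check_headers "$(curl -sI "$1")"
    ;;
esac
```

Run it with --demo to see both samples, or with the staging URL to check a real build; a non-zero exit is what CI should gate on. The TLS version item is checked separately: openssl s_client -connect host:443 -tls1_1 should fail to complete a handshake once only 1.2/1.3 are enabled.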

What to run before VAPT

  • DAST: OWASP ZAP baseline scan against staging, authenticated so it reaches the APIs behind login; confirm CSP violation reports arrive and that the auth flows (login, logout, token refresh) behave under the scan.
  • SAST: Sonar, SpotBugs with the Find Security Bugs plugin, and ESLint security rules; dependency scans for both Maven and npm, with lockfiles committed so results are reproducible.
  • Container checks: Trivy/Grype on every image (nginx, app); ensure processes run as non-root and base images are minimal and pinned by digest.
  • Infra-as-Code review: nginx config (headers, TLS, rate limits) and the CSP checked into the repo and reviewed like code; Terraform/Ansible lint if used.
  • Secrets review: scan the full git history, not just HEAD, with git-secrets or TruffleHog; verify no .env files or private keys end up in the images (a .dockerignore that excludes them, plus a look at the built layers).
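The offline half of the secrets review, as an added example (POSIX shell; not the project's own tooling): it greps a checkout for credential patterns while skipping vendored and build directories and lines that merely reference an environment variable, and checks that .dockerignore keeps .env files and .git out of the image build context, which is the usual route for a committed secret into an image layer. The sample tree it builds is constructed for the demo (the AWS key id in it is the public documentation example value); the pattern list and the script name are assumptions to extend.

```shell
#!/usr/bin/env sh
# Added example, not the project's own tooling: offline secrets pre-flight.
# scan_secrets greps the tree for credential patterns; check_dockerignore
# confirms .env and .git never enter the build context. Sample tree constructed.

# Patterns worth failing the build on; extend as tester findings come in.
SECRET_PATTERNS='AKIA[0-9A-Z]{16}'                                   # AWS access key id
SECRET_PATTERNS="$SECRET_PATTERNS|-----BEGIN [A-Z ]*PRIVATE KEY-----" # PEM private keys
SECRET_PATTERNS="$SECRET_PATTERNS|(password|passwd|secret|api[_-]?key|token)[[:space:]]*[=:][[:space:]]*[\"']?[A-Za-z0-9+_.-]{8,}"

# scan_secrets DIR
# Prints file:line:content for each hit and returns 1; returns 0 when clean.
# Lines that only reference an environment variable ($VAR, ${VAR}, getenv,
# process.env) are not hits: that is the pattern the checklist asks for.
scan_secrets() {
  hits=$(find "$1" -type f \
           ! -path '*/.git/*' ! -path '*/node_modules/*' \
           ! -path '*/target/*' ! -path '*/dist/*' \
           -exec grep -E -i -n -H -I "$SECRET_PATTERNS" {} + 2>/dev/null \
         | grep -E -v 'getenv|environ|process\.env|\$' || true)
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits"
  return 1
}

# check_dockerignore DIR
# Returns 1 unless DIR/.dockerignore excludes .env files and the .git directory
# (accepts the forms ".env", ".env*", "**/.env" and ".git/").
check_dockerignore() {
  f="$1/.dockerignore"
  if [ ! -f "$f" ]; then
    echo "MISSING $f: the whole tree, .env included, goes into the build context"; return 1
  fi
  rc=0
  for name in env git; do
    if ! grep -q -E "^(\*\*/)?\.${name}\*?/?$" "$f"; then
      echo "$f does not exclude .$name"; rc=1
    fi
  done
  return $rc
}

# Constructed sample tree: one env-var reference to skip, two real hits, one
# vendored copy that must be ignored, and a .dockerignore that forgets .env.
make_demo_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/src/main/resources" "$d/scripts" "$d/node_modules/pkg"
  echo 'spring.datasource.password=${DB_PASSWORD}' > "$d/src/main/resources/application.properties"
  echo 'export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE' > "$d/scripts/deploy.sh"  # AWS docs example id
  echo 'DB_PASSWORD=hunter2hunter2' > "$d/.env"
  echo 'const k = "AKIAIOSFODNN7EXAMPLE";' > "$d/node_modules/pkg/index.js"
  echo '.git' > "$d/.dockerignore"
  echo "$d"
}

case "${1:-}" in
  --demo)
    d=$(make_demo_tree)
    scan_secrets "$d" || echo "secrets: FAIL"
    check_dockerignore "$d" || echo "dockerignore: FAIL"
    rm -rf "$d" ;;
  "") ;;
  *)
    # Real run against a checkout: ./secrets_preflight.sh /path/to/repo (name assumed)
    scan_secrets "$1" && check_dockerignore "$1" ;;
esac
```

This complements, rather than replaces, the history scan: git-secrets or TruffleHog catch what was committed and later deleted, which a tree grep never sees. The grep is deliberately loose (it flags the AWS documentation example key) because a false positive costs a minute of review and a miss costs a finding; tune the exclusion grep, not the patterns, when noise appears.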