
Does NestJS handle some security practices out of the box? If not, what recommendations can you share to secure a NestJS application besides helmet? I see in the NestJS middleware docs an example using the helmet dependency.

When using TypeORM, is SQL injection covered?

Lee Goddard

2 Answers


Nest doesn't bring anything other than the actual HTTP provider used underneath (Express/Fastify). In order to stay flexible, we didn't decide to force anyone to use particular tools. Instead, you can choose whatever you want.

In terms of TypeORM, as far as I know, SQL injection is prevented.

Kamil Myśliwiec

NestJS follows mostly the same security rules as the Node.js server and Express.

NestJS has a dedicated security section in its documentation that addresses these topics:

When it comes to protecting against SQL injection, I think sanitizing input and parameterized statements are the most important.

Overall, however, it is most important that programmers do not cause security holes through code and architecture, but follow good security practices and, as administrators, expose to production hardened services with the least privileges. It is important to educate ourselves in this area all the time.

simhumileco
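Added example (not from either answer, nor from the NestJS or TypeORM projects) contrasting the two measures the answer above names, input validation and parameterized statements. The query functions and the `$1` placeholder style are assumptions; they are written as pure functions so the example runs without a database.

```typescript
// Two ways a NestJS service could build a user lookup. The unsafe one splices
// the caller's input into the SQL text; the safe one keeps the SQL text a
// constant template and passes the value separately, which is the shape a
// driver-level call such as TypeORM's `repository.query(sql, params)` consumes.

export interface ParameterizedQuery {
  text: string;      // SQL text sent to the database; contains no user input
  values: unknown[]; // bound values, transmitted separately from the SQL text
}

// VULNERABLE: the caller's string becomes part of the SQL the database parses.
export function findUserUnsafe(name: string): string {
  return `SELECT id, name FROM users WHERE name = '${name}'`;
}

// SAFE: constant SQL with a placeholder ($1 in PostgreSQL syntax); the driver
// binds the value, so it is never parsed as SQL.
export function findUserSafe(name: string): ParameterizedQuery {
  return { text: 'SELECT id, name FROM users WHERE name = $1', values: [name] };
}

// Input validation as a second layer: an allow-list for what a username may
// look like. In NestJS this rule would live on a DTO enforced by a
// ValidationPipe; it is a plain function here so the example is self-contained.
const USERNAME = /^[a-z0-9_]{1,32}$/;

export function isValidUsername(name: string): boolean {
  return USERNAME.test(name);
}

// True when the SQL text itself carries the raw input, meaning the input was
// in a position to change the query's structure.
export function textCarriesInput(sqlText: string, input: string): boolean {
  return sqlText.includes(input);
}

// Constructed sample input (the textbook tautology) used to show the difference.
export const INJECTED_NAME = "alice' OR '1'='1";
```

With `INJECTED_NAME`, `findUserUnsafe` returns SQL whose WHERE clause now contains the tautology, while `findUserSafe` returns the unchanged template and carries the string only in `values`, and `isValidUsername` rejects it before any query is built.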