2.7.3.2 Network & Infrastructure Security

• AWS VPC with Private Subnets
    • PostgreSQL and Redis run in private subnets; only the Node.js/Express tasks can reach them.
    • Security Groups strictly limit inbound/outbound traffic on the relevant ports.

• Load Balancer (HTTPS + WAF)
    • Terminate TLS at the ALB, or use end-to-end encryption (Node also running TLS).
    • Optionally configure AWS WAF to filter known malicious patterns (SQLi, XSS).

• DDoS Protection
    • AWS Shield (Standard) for ALB + CloudFront.
    • Rate limiting (e.g., express-rate-limit) on login and critical endpoints to thwart brute-force attempts.
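The rate-limiting item above is the one piece of this section that lives in application code. The following is an added example, not code from the original page or from the project it describes: a dependency-free, Express-compatible fixed-window limiter with the same shape as express-rate-limit (window, max, 429 with Retry-After), so it runs without npm. The `windowMs`, `max` and injectable `now` clock are assumptions of this example; the `trust proxy` caveat applies to the ALB layout described above.

```javascript
// Added example (not the page's own code): Express-compatible fixed-window
// rate limiter for login-style endpoints. Keyed by client IP; counts requests
// per window and rejects with 429 once `max` is exceeded.
function createRateLimiter({ windowMs = 15 * 60 * 1000, max = 5, now = Date.now } = {}) {
  // key -> { count, windowStart }; in-memory, so per-process only (see note below)
  const buckets = new Map();

  // Pure decision function: returns whether this hit is allowed and how long
  // the caller must wait if it is not. Exposed so it can be unit-tested.
  function check(key, at = now()) {
    let b = buckets.get(key);
    if (!b || at - b.windowStart >= windowMs) {
      b = { count: 0, windowStart: at };   // start a fresh window
      buckets.set(key, b);
    }
    b.count += 1;
    const allowed = b.count <= max;
    const retryAfterMs = allowed ? 0 : b.windowStart + windowMs - at;
    return { allowed, remaining: Math.max(0, max - b.count), retryAfterMs };
  }

  // Express middleware signature (req, res, next).
  // NOTE: behind an ALB, req.ip is the load balancer's address unless the app
  // sets app.set('trust proxy', 1) so Express reads X-Forwarded-For; without
  // that, every client shares one bucket and the limiter blocks everyone.
  function middleware(req, res, next) {
    const key = req.ip || (req.socket && req.socket.remoteAddress) || 'unknown';
    const result = check(key);
    res.setHeader('X-RateLimit-Limit', String(max));
    res.setHeader('X-RateLimit-Remaining', String(result.remaining));
    if (!result.allowed) {
      res.setHeader('Retry-After', String(Math.ceil(result.retryAfterMs / 1000)));
      res.status(429).json({ error: 'Too many requests' });
      return;
    }
    next();
  }

  return { check, middleware };
}

// Minimal stand-in for Express req/res so the middleware can be exercised
// offline. Returns the HTTP status the middleware produced (200 = passed on).
function simulateRequest(limiter, ip) {
  let status = 200;
  const headers = {};
  const req = { ip };
  const res = {
    setHeader: (k, v) => { headers[k] = v; },
    status(code) { status = code; return this; },
    json() { return this; },
  };
  limiter.middleware(req, res, () => { status = 200; });
  return { status, headers };
}

// Stand-alone demo: constructed traffic, 3 attempts allowed per 1 s window.
if (typeof require !== 'undefined' && require.main === module) {
  const clock = { t: 0 };
  const login = createRateLimiter({ windowMs: 1000, max: 3, now: () => clock.t });
  for (let i = 0; i < 5; i++) {
    clock.t += 100;
    console.log(`attempt ${i + 1}:`, simulateRequest(login, '203.0.113.10').status);
  }
  // Usage in the real app would be: app.post('/login', login.middleware, handler)
}
```

Two design points worth noting for the ECS layout above: the `Map` is per process, so with several Node tasks behind the ALB each task enforces its own quota and an attacker gets `max` attempts per task; express-rate-limit solves this with a shared store, and the Redis instance already in the private subnet is the natural backing for it. Second, key on the authenticated account as well as the IP for login, since credential-stuffing traffic rotates source addresses.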
