2.7.3.3 Application Layer Security

• Secure Coding Practices

  • Input validation with express-validator or Joi: validate every request body, query string and route parameter against an allow-list schema (expected types, lengths and formats; unknown fields rejected). This shrinks the attack surface for injection (SQL, NoSQL, command) and cross-site scripting, but it is a first line of defence only; the two controls below are what actually neutralise those attacks.

  • Parameterized queries or ORM methods (Sequelize) for all database access, so user data travels as bound values and is never parsed as SQL. Never build SQL by string concatenation or template interpolation, including in sequelize.query() (use its replacements or bind options) and sequelize.literal().

  • Output encoding for any user-generated content rendered on the frontend, applied at output time in the context where the data lands (HTML body, attribute, URL, JavaScript). Rely on the framework's default escaping (React JSX, auto-escaping template engines) and treat any opt-out such as dangerouslySetInnerHTML as a code-review flag.
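The three practices above, as an added example that is not part of the original design document. It uses Node built-ins only: a small allow-list validator stands in for a Joi/express-validator schema, a string-concatenated SQL query sits beside its parameterized replacement (the pg-style `{ text, values }` shape is an assumption), and a context-aware HTML encoder is applied at render time. The helper names and the hostile payload are constructed for illustration.

```javascript
'use strict';
// Added example (not from the original design document). Demonstrates the
// three practices with Node built-ins only: an allow-list validator standing
// in for a Joi/express-validator schema, a parameterized query next to the
// string-concatenated query it replaces, and context-aware HTML output
// encoding. The pg-style `{ text, values }` shape and the helper names are
// assumptions for illustration.

// 1. Input validation: allow-list schema for a "create message" body.
//    Unknown keys are rejected; types and lengths are enforced.
const MESSAGE_SCHEMA = {
  channelId: (v) => Number.isInteger(v) && v > 0,
  body: (v) => typeof v === 'string' && v.length >= 1 && v.length <= 2000,
};

function validateMessage(input) {
  const errors = [];
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    return { ok: false, errors: ['body must be an object'] };
  }
  for (const key of Object.keys(input)) {
    if (!Object.prototype.hasOwnProperty.call(MESSAGE_SCHEMA, key)) {
      errors.push(`unknown field: ${key}`);
    }
  }
  for (const [key, check] of Object.entries(MESSAGE_SCHEMA)) {
    if (!check(input[key])) errors.push(`invalid or missing field: ${key}`);
  }
  if (errors.length) return { ok: false, errors };
  // Return only the fields the schema knows about, never the raw object.
  return { ok: true, value: { channelId: input.channelId, body: input.body } };
}

// 2a. The pattern to avoid: user data concatenated into SQL text.
function unsafeUserLookup(username) {
  return `SELECT id FROM users WHERE username = '${username}'`;
}

// 2b. Parameterized form: the SQL text is constant; values travel separately
//     and are never parsed as SQL by the database.
function safeUserLookup(username) {
  return { text: 'SELECT id FROM users WHERE username = $1', values: [username] };
}

// 3. Output encoding for HTML text and quoted-attribute contexts. Encoding
//    all five characters covers both contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function encodeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a stored message into an HTML fragment. Encoding happens at output
// time, in the context where the data is placed, not at input time.
function renderMessage(msg) {
  return `<div class="msg" data-channel="${encodeHtml(msg.channelId)}">${encodeHtml(msg.body)}</div>`;
}

// Constructed hostile input to compare the two query builders.
const hostile = "alice' OR '1'='1";
console.log(unsafeUserLookup(hostile)); // the quote closes the literal and alters the WHERE clause
console.log(safeUserLookup(hostile));   // SQL text unchanged; the value is carried separately
```

The important property is in 2b: whatever the user sends, the SQL text the database compiles is the same string every time, so there is no way for data to become syntax. Validation in step 1 is still worth having because it rejects malformed requests early and keeps bad data out of the application, but it is not what prevents the injection.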

• Password Management

  • Hash with bcrypt (cost factor 10 or higher; each increment doubles the work) or, preferably, Argon2id with memory-hard parameters (for example 19 MiB memory, 2 iterations, parallelism 1, the OWASP Password Storage Cheat Sheet minimum). The "rounds" figure is bcrypt's cost parameter, not an iteration count, and should be tuned so one hash takes a few hundred milliseconds on production hardware.

  • Enforce a minimum length and complexity baseline for user-chosen passwords (length matters more than character-class rules; 12 characters is a sensible floor). Also cap the length at a sane maximum: bcrypt silently truncates input after 72 bytes, and unbounded input lets an attacker burn KDF time.

  • Strict "no plain-text passwords" policy: never log, store or e-mail a password, and check candidates against known-compromised lists where possible (for example the Have I Been Pwned Pwned Passwords range API, which takes only the first five hex characters of the SHA-1 hash, so the password itself never leaves the server).

• Encryption

  • At Rest: PostgreSQL storage encryption (AES-256 via AWS KMS if using AWS RDS). This is transparent encryption: it protects disks, snapshots and backups, not data read through a compromised database account or an injection bug. Fields that must stay opaque to a database-level attacker (tokens, private notes) need application-level or pgcrypto column encryption with keys held outside the database.

  • In Transit: TLS (1.2 or newer) for all endpoints; WebSockets run over wss://. Redirect plain HTTP to HTTPS, send a Strict-Transport-Security header, and terminate TLS the same way for WebSocket upgrades so no socket is ever negotiated in the clear.

  • Potential end-to-end encryption for sensitive chat channels if required by compliance or user demand. Note the trade-off up front: with E2EE the server relays ciphertext it cannot read, so server-side search, moderation and link previews for those channels are no longer possible, and key distribution and recovery have to be designed.
