nestjs-security

Implement JWT authentication, RBAC guards, Helmet hardening, and Argon2 hashing in NestJS. Use when adding auth strategies, role-based access control, CSRF protection, or security headers. (triggers: **/*.guard.ts, **/*.strategy.ts, **/auth/**, Passport, JWT, AuthGuard, CSRF, Helmet)

385 stars

Best use case

nestjs-security is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using nestjs-security should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/nestjs-security/SKILL.md --create-dirs "https://raw.githubusercontent.com/HoangNguyen0403/agent-skills-standard/main/skills/nestjs/nestjs-security/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/nestjs-security/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How nestjs-security Compares

Feature / Agent            nestjs-security    Standard Approach
Platform Support           Not specified      Limited / Varies
Context Awareness          High               Baseline
Installation Complexity    Unknown            N/A

Frequently Asked Questions

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# NestJS Security Standards

## **Priority: P0 (CRITICAL)**

## Workflow: Secure a NestJS Application

1. **Add Helmet** — `app.use(helmet())` in `main.ts` for HSTS, CSP headers.
2. **Configure JWT strategy** — Use `passport-jwt` with RS256; validate `iss` and `aud` claims.
3. **Bind global AuthGuard** — Register as `APP_GUARD`; use `@Public()` for open routes.
4. **Add throttling** — Enable `@nestjs/throttler` with Redis store for rate limiting.
5. **Hash with Argon2id** — Replace bcrypt with `argon2.hash(password, { type: argon2.argon2id })`.
6. **Verify** — Run `npm audit --prod` and test that unauthenticated requests return 401.

## Global Auth Guard Example

See [implementation examples](references/implementation.md)

## Argon2id Hashing Example

See [implementation examples](references/implementation.md)

## Authentication (JWT)

- **Strategy**: Use `@nestjs/passport` with `passport-jwt`.
- **Algorithm**: Enforce `RS256` (preferred) or `HS256`. **Reject `none`**.
- **Claims**: Validate `iss` and `aud`.
- **Tokens**: Short-lived access tokens (15m); long-lived refresh tokens (7d) delivered in HttpOnly cookies.
- **MFA**: Require 2FA for admin panels.
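
The JWT rules from workflow step 2 and the list above (algorithm pinned to RS256, `alg: none` rejected, `iss`/`aud` validated), shown as an added example that is not from the skill's `references/implementation.md`. It uses only Node's `crypto` module instead of `passport-jwt`; the inline key pair, the `signRS256`/`verifyRS256` names and the claim values are assumptions for the demo.

```typescript
import { generateKeyPairSync, createSign, createVerify, KeyObject } from "node:crypto";

export const b64url = (data: string | Buffer): string => Buffer.from(data).toString("base64url");

// Constructed demo key pair; a real service loads the public key from KMS or a JWKS endpoint.
const { publicKey, privateKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });

// Issue a token the way the auth service would: header pinned to RS256, signed with the private key.
export function signRS256(claims: Record<string, unknown>, key: KeyObject = privateKey): string {
  const head = b64url(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(claims));
  const sig = createSign("RSA-SHA256").update(`${head}.${body}`).sign(key);
  return `${head}.${body}.${b64url(sig)}`;
}

// Decode one base64url JSON segment; null on malformed input so the caller rejects the token.
function decodeSegment(seg: string): Record<string, unknown> | null {
  try {
    return JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));
  } catch {
    return null;
  }
}

export interface VerifyOptions { iss: string; aud: string; now?: number; key?: KeyObject }

// Returns the validated claims, or null for any token the strategy must reject.
export function verifyRS256(token: string, opts: VerifyOptions): Record<string, unknown> | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  const header = decodeSegment(h);
  const payload = decodeSegment(p);
  if (!header || !payload) return null;
  // The accepted algorithm comes from server-side config, never from the token: this rejects
  // `alg: none` and any downgrade to another algorithm before the signature is even checked.
  if (header.alg !== "RS256") return null;
  const verifier = createVerify("RSA-SHA256").update(`${h}.${p}`);
  if (!verifier.verify(opts.key ?? publicKey, Buffer.from(s, "base64url"))) return null;
  // Claim checks: issuer must match, audience must include this service, token must be unexpired.
  if (payload.iss !== opts.iss) return null;
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(opts.aud)) return null;
  const now = opts.now ?? Math.floor(Date.now() / 1000);
  if (typeof payload.exp !== "number" || payload.exp <= now) return null;
  return payload;
}
```

In a NestJS app this logic lives inside the `passport-jwt` strategy options (`algorithms: ['RS256']`, `issuer`, `audience`) rather than hand-rolled, but the checks it must perform are the same.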

## Authorization (RBAC)

- **Deny by default**: Bind `AuthGuard` globally (APP_GUARD).
- **Bypass**: Create `@Public()` decorator for open routes.
- **Roles**: Use `Reflector.getAllAndOverride` to merge method- and class-level role metadata, with the method-level value taking precedence.

## Cryptography

- **Hashing**: Use **Argon2id**, not Bcrypt. See [implementation](references/implementation.md).
- **Encryption**: Use **AES-256-GCM** with KMS rotation. See [implementation](references/implementation.md).

## Hardening

- **Helmet**: Mandatory. Enable HSTS, CSP.
- **CORS**: Explicit origins only. No `*`.
- **Throttling**: Use Redis-backed `@nestjs/throttler` in production.
- **CSRF**: Required for cookie-based auth. See [implementation](references/implementation.md).

## Data Protection

- **Sanitization**: Use `ClassSerializerInterceptor` + `@Exclude()`.
- **Validation**: `ValidationPipe({ whitelist: true })` to prevent mass assignment.
- **Audit**: Log mutations (Who, What, When). See [implementation](references/implementation.md).

## Secrets Management

- **CI/CD**: Run `npm audit --prod` in pipelines.
- **Runtime**: Inject via vault (AWS Secrets Manager / HashiCorp Vault), not `.env`.

## Anti-Patterns

- **No Shadow APIs**: Audit routes regularly; disable `/docs` in production.
- **No SSRF**: Allowlist domains for all outgoing HTTP requests.
- **No SQLi**: Use ORM; avoid raw `query()` with string concatenation.
- **No XSS**: Sanitize HTML input with `dompurify`.

## References

- [Implementation Examples](references/implementation.md)
- [common/security-standards](../../common/common-security-standards/SKILL.md)
