Security Headers for Password Reset
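// Secure password reset implementation
//
// Accepts a signed reset token and a new password, verifies the token,
// rotates the password, and invalidates every existing session for the user.
// Security headers are set before any branch so that error responses carry
// them as well as the success response.
app.post('/auth/reset-password', async (req, res) => {
  // Guard against a missing body (no body parser) so destructuring cannot throw
  // outside the try/catch and leave the request hanging as an unhandled rejection.
  const { token, newPassword } = req.body ?? {};

  // Minimum accepted password length; align with the site's password policy.
  const MIN_PASSWORD_LENGTH = 12;

  // Security headers for password reset: never cache, never frame, no sniffing.
  res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate, private');
  res.setHeader('Pragma', 'no-cache');
  res.setHeader('X-Content-Type-Options', 'nosniff');
  res.setHeader('X-Frame-Options', 'DENY');
  res.setHeader('Content-Security-Policy', "default-src 'self'; frame-ancestors 'none'");

  // Reject malformed input before touching the token or the database. The
  // type checks matter: an object or array in either field would otherwise
  // reach jwt.verify / updateUserPassword with an unexpected shape.
  if (typeof token !== 'string' || token.length === 0) {
    return res.status(400).json({ error: 'Invalid or expired reset token' });
  }
  if (typeof newPassword !== 'string' || newPassword.length < MIN_PASSWORD_LENGTH) {
    return res.status(400).json({ error: 'Password does not meet the policy' });
  }

  let decoded;
  try {
    // Verify reset token. Pinning `algorithms` prevents a token signed with a
    // different algorithm from being accepted. HS256 assumes RESET_SECRET is an
    // HMAC secret — change the list if it is actually an asymmetric key.
    decoded = jwt.verify(token, process.env.RESET_SECRET, { algorithms: ['HS256'] });
  } catch (error) {
    // Expired, malformed, or badly signed tokens are all reported identically
    // so the response does not distinguish between them.
    return res.status(400).json({ error: 'Invalid or expired reset token' });
  }

  // A validly signed JWT of another type (e.g. an access token) must not reset
  // a password; the claim shape is also checked before it is used as a key.
  if (decoded.type !== 'password-reset' || decoded.userId == null) {
    return res.status(400).json({ error: 'Invalid or expired reset token' });
  }

  // NOTE(review): the token remains valid until its `exp`; nothing here marks
  // it as consumed, so it can be presented again within that window. If the
  // store supports it, record `decoded.jti` (or a hash of the token) as used
  // before calling updateUserPassword.

  try {
    // Update password, then invalidate all existing sessions so that any
    // session opened with the old credentials does not survive the change.
    await updateUserPassword(decoded.userId, newPassword);
    await invalidateAllUserSessions(decoded.userId);
  } catch (error) {
    // A storage failure is not a token problem: report it as a server error
    // instead of blaming the token, and keep the detail out of the response.
    console.error('password reset failed', { userId: decoded.userId, cause: error });
    return res.status(500).json({ error: 'Password reset failed' });
  }

  // Clear any auth cookies and client-side storage tied to the old credentials.
  res.setHeader('Clear-Site-Data', '"cookies", "storage"');
  res.setHeader('X-Password-Reset', 'success');
  return res.json({ message: 'Password reset successful' });
});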