Security Tips for Node.js


In this post, I will share some points that you should keep in mind when coding.

🗻 No eval

If eval receives user input, it opens your code up to injection attacks. It is also slow, because it has to run the interpreter/compiler on every call.
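As an added example (not code from the original post), here is the usual replacement for "eval a string the client assembled": a lookup table of allowed operations plus JSON.parse for structured data. The calculator API, its operation names and the request format are constructed for illustration.

```javascript
'use strict';

// Constructed example: a tiny calculator API where the client names the
// operation. The table has no prototype, so keys such as "constructor" or
// "__proto__" cannot be reached through inheritance.
const OPERATIONS = Object.assign(Object.create(null), {
  add: (a, b) => a + b,
  sub: (a, b) => a - b,
  mul: (a, b) => a * b,
});

// The shape this replaces (never do this with user input):
//   eval(`${opName}(${a}, ${b})`)
function applyOperation(opName, a, b) {
  if (typeof opName !== 'string' ||
      !Object.prototype.hasOwnProperty.call(OPERATIONS, opName)) {
    throw new RangeError(`unknown operation: ${opName}`);
  }
  if (!Number.isFinite(a) || !Number.isFinite(b)) {
    throw new TypeError('operands must be finite numbers');
  }
  return OPERATIONS[opName](a, b);
}

// Structured input: JSON.parse only ever produces data, it never executes it.
function parseRequest(json) {
  const req = JSON.parse(json);
  return applyOperation(req.op, Number(req.a), Number(req.b));
}
```

Because the operation is looked up, not evaluated, unknown names fail closed with a RangeError instead of running whatever the client sent.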

🐯 Declare use strict

To invoke strict mode, write a 'use strict'; statement before any other statements.

You opt in to a restricted variant of JavaScript in which silent mistakes become errors (deleting undeletable properties, duplicate property names in object literals, etc.).

'use strict';
// do something

😼 No sudo node app.js

If you run sudo node app.js, your process has the credentials to do anything, so a bug in it can bring down the entire system. Instead, run Node.js as an unprivileged user and set up an HTTP proxy/server (Nginx, Apache) in front of it to forward requests.

😸 Avoid command injection

For example, child_process.exec hands the whole command string to /bin/sh, so any shell metacharacters in user input are interpreted by the shell. Prefer child_process.execFile (or spawn), which takes an argument array and does not start a shell.

😀 Pay attention tmpfile

Pay extra attention to temporary files, for example those created while handling file uploads. They can easily eat up all your disk space, so cap their size and delete them when you are done.

🎳 Use HttpOnly cookie

By default, cookies can be read by JavaScript on the same domain. This is dangerous in case of Cross-Site Scripting, and any third-party JS library you load can read them too. So set the HttpOnly flag on the cookie.

🚜 Use helmet in Express

helmetjs/helmet helps secure Express apps with various HTTP headers, for example CSP, crossdomain, xframe, xssfilter and much more.

🎉 Prevent Cross-Site Request forgery

An example is as follows:

<body onload="document.forms[0].submit()">
  <form method="POST" action="http://example.com/user/delete">
    <input type="hidden" name="id" value="12345">
  </form>
</body>

If a logged-in user visits a page containing the above snippet, it can delete their user profile.

To prevent CSRF, add a CSRF token to your form. (Express and other popular Node.js frameworks support the token.)

  1. When a GET request is served, check the session for a CSRF token (generating one if needed) and add a hidden input carrying it to the form.
  2. When the form is submitted, make sure the value from the form and the value stored in the session match.

There are some great middlewares for this in Express and Koa.

🐮 Brute Force protection

To protect your app from brute-force attacks, you have to implement some kind of rate limiting. Both Express and Koa have great middlewares for it.
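An added example of what such a middleware does internally (not the original post's code nor any specific library): a fixed-window counter per client key with an injectable clock, plus the eviction of idle keys that an in-memory limiter needs so the map itself cannot grow without bound. The window and limit values are constructed.

```javascript
'use strict';

// key -> { windowStart, count }; `now` is injectable so the logic is testable.
function createRateLimiter({ max, windowMs }) {
  const buckets = new Map();

  function check(key, now = Date.now()) {
    let b = buckets.get(key);
    if (!b || now - b.windowStart >= windowMs) {
      b = { windowStart: now, count: 0 }; // start a new window
      buckets.set(key, b);
    }
    b.count += 1;
    const allowed = b.count <= max;
    return {
      allowed,
      remaining: Math.max(0, max - b.count),
      retryAfterMs: allowed ? 0 : b.windowStart + windowMs - now,
    };
  }

  // Drop keys whose window has expired; call periodically (e.g. setInterval).
  function prune(now = Date.now()) {
    for (const [key, b] of buckets) {
      if (now - b.windowStart >= windowMs) buckets.delete(key);
    }
    return buckets.size;
  }

  return { check, prune };
}

// Framework-agnostic gate for a login route: answer 429 before the
// credential check ever runs, with a Retry-After hint in seconds.
function loginGate(limiter, clientKey, now) {
  const r = limiter.check(clientKey, now);
  if (r.allowed) return { status: 200 };
  return { status: 429, headers: { 'Retry-After': Math.ceil(r.retryAfterMs / 1000) } };
}
```

Keying on the client IP alone is the simplest choice; for login endpoints a second counter keyed on the username is worth adding so that a distributed attempt against one account is also slowed down.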

🍣 Cookie Management

In Express, you can easily create a cookie using expressjs/cookie-session or other middleware. These libraries help prevent cookie security risks.

var cookieSession = require('cookie-session')
var express = require('express')

var app = express()

app.use(cookieSession({
  name: 'session',
  keys: [/* secret keys */],

  // Cookie Options
  maxAge: 24 * 60 * 60 * 1000 // 24 hours
}))

🐝 Protect against SQL injection

To avoid injection, use a database module that supports parameterized queries instead of building SQL strings from user input.
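An added, library-agnostic example (not from the original post or any particular driver) of the shape parameterized queries take: user-supplied values go into a separate `values` array, and the one thing that cannot be a parameter, the column name used for sorting, is checked against an allowlist. The `$1` placeholder syntax is the PostgreSQL style; other drivers use `?`. Table and column names are constructed.

```javascript
'use strict';

// Columns a client may sort by; anything else (e.g. password_hash) is refused.
const USER_SORT_COLUMNS = new Set(['created_at', 'email', 'name']);

// Returns { text, values } for a driver's query(text, values) call.
function findUsersQuery({ email, sortBy = 'created_at', limit = 20 }) {
  if (!USER_SORT_COLUMNS.has(sortBy)) {
    throw new RangeError(`sort column not allowed: ${sortBy}`);
  }
  const n = Number(limit);
  if (!Number.isInteger(n) || n < 1 || n > 100) {
    throw new RangeError('limit must be an integer between 1 and 100');
  }
  // The SQL text contains only trusted tokens; user data travels in `values`
  // and is sent to the database as typed parameters, never spliced into text.
  return {
    text: `SELECT id, email, name FROM users WHERE email = $1 ORDER BY "${sortBy}" LIMIT $2`,
    values: [email, n],
  };
}

// The shape being avoided, for contrast (constructed, do not use):
//   `SELECT id, email, name FROM users WHERE email = '${email}'`
```

Note that quoting the identifier is not what makes it safe; the allowlist is. Quoting only prevents a legitimate name from clashing with a keyword.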

👽 The Node Security Project

The Node Security Project is a great tool that checks the modules you use for known vulnerabilities. It adds security checks right into your GitHub pull request flow.

Snyk is similar to the Node Security Project, so please check it too.

🚕 Use Retire.js

The goal of Retire.js is to help detect the use of library versions with known vulnerabilities.

🚌 Special Thanks

🖥 Recommended VPS Service

Vultr provides a high-performance cloud compute environment. Vultr has 15 data centers strategically placed around the globe, and you can use a VPS with 512 MB of memory for just $2.50/month ($0.004/hour). In addition, Vultr is up to 4 times faster than the competition, so please check it => Check Benchmark Results!!