In this post, I will share some points that you should keep in mind in coding.
eval get user input, it can open up your code for injection attacks and it is slow as it will run the interpreter/compiler.
To invoke strict mode, write
use strict; statement before any other statements;
You can opt-in to use a restricted variant and eliminate (Undeletable properties, Object literals must be unique, etc)
Your process can bring down the entire system, as it will have a credential to do anything if you use
sodo node app.js. Please set up an HTTP proxy/server (Nginx, Apache) to forward a request.
child_process.exec makes a call to execute
Please pay extra attention to
tmpfile, like handling uploading files. These files can easily eat up all your disk space.
By default, cookies can be read by JS on your same domain. This mean is dangerous in case of Cross-Site Scripting & any third-party JS library can read them. So, you should set
HttpOnly flag on a cookie.
helmetjs/helmet help secure Expres apps with various HTTP header, for example CSP, crossdomain, xframe, xssfilter and much more.
Example is as follows:
The above snippet can easily delete your user profile.
To prevent CSRF, you should add CSRF token to your form.(Express or other famous Node.js framework support the token.)
- When a GET request is being served check for the CSRF token and adding a hidden input with the CSRF token
- When the form is submitted, make sure that the value of the form and from the session are a match
There is some greate middlewares in Express and Koa, like them:
To protect your apps from a brute force attacks, you have to implement some kind of rate-limiting. Both Express and Koa has great middlewares for it.
In Express, you can easily create a cookie using expressjs/cookie-session or some other middlewares. These libraries prevent Cookie security risks.
var cookieSession = require("cookie-session");
To avoid the injection, you probably use the following modules:
Node Security Project is a great tool that can check your used modules for know vulnerabilities. The tool adds security checks right into your GitHub pull request flow.
Snyk is sililar to the Node Security Project, so please check it too.
The goad of Retire.js is to help deletet use of version with known vulnerabilities.
🖥 Recommended VPS Service
VULTR provides high performance cloud compute environment for you.
Vultr has 15 data-centers strategically placed around the globe, you can use a VPS with 512 MB memory for just $ 2.5 / month ($ 0.004 / hour).
In addition, Vultr is up to 4 times faster than the competition, so please check it => Check Benchmark Results!!