👽 title: “Security Tips for Node.js”
In this post, I will share some points that you should keep in mind in coding.
eval get user input, it can open up your code for injection attacks and it is slow as it will run the interpreter/compiler.
To invoke strict mode, write
use strict; statement before any other statements;
You can opt-in to use a restricted variant and eliminate (Undeletable properties, Object literals must be unique, etc)
sudo node app.js
Your process can bring down the entire system, as it will have a credential to do anything if you use
sodo node app.js. Please set up an HTTP proxy/server (Nginx, Apache) to forward a request.
🏈 Avoid command injection
child_process.exec makes a call to execute
🐞 Pay attention
Please pay extra attention to
tmpfile, like handling uploading files. These files can easily eat up all your disk space.
By default, cookies can be read by JS on your same domain. This mean is dangerous in case of Cross-Site Scripting & any third-party JS library can read them. So, you should set
HttpOnly flag on a cookie.
🐰 Use helmet in Express
helmetjs/helmet help secure Expres apps with various HTTP header, for example CSP, crossdomain, xframe, xssfilter and much more.
🐡 Prevent Cross-Site Request forgery
Example is as follows:
The above snippet can easily delete your user profile.
To prevent CSRF, you should add CSRF token to your form.(Express or other famous Node.js framework support the token.)
- When a GET request is being served check for the CSRF token and adding a hidden input with the CSRF token
- When the form is submitted, make sure that the value of the form and from the session are a match
There is some greate middlewares in Express and Koa, like them:
🍣 Brute Force protection
To protect your apps from a brute force attacks, you have to implement some kind of rate-limiting. Both Express and Koa has great middlewares for it.
- Express: Express Rate Limit
- Koa: koa-ratelimit
🗽 Cookie Management
In Express, you can easily create a cookie using expressjs/cookie-session or some other middlewares. These libraries prevent Cookie security risks.
var cookieSession = require("cookie-session");
🤔 Protect by SQL injection
To avoid the injection, you probably use the following modules:
- PostgreSQL: node-postgres
- MySQL: mysql
🚜 The Node Security Project
Node Security Project is a great tool that can check your used modules for know vulnerabilities. The tool adds security checks right into your GitHub pull request flow.
Snyk is sililar to the Node Security Project, so please check it too.
🚕 Use Retire.js
The goad of Retire.js is to help deletet use of version with known vulnerabilities.
🍮 Special Thanks
🖥 Recommended VPS Service
VULTR provides high performance cloud compute environment for you.
Vultr has 15 data-centers strategically placed around the globe, you can use a VPS with 512 MB memory for just $ 2.5 / month ($ 0.004 / hour).
In addition, Vultr is up to 4 times faster than the competition, so please check it => Check Benchmark Results!!