Secure your NodeJs Applications

Setting HTTP headers with Helmet.Helmet injects the following headers into our request, with appropriate defaults:

2. XSS(Cross-site Scripting)

XSS attacks are client-side injection attacks where malicious scripts are injected into websites. XSS vulnerabilities are very dangerous, as they can compromise trusted websites. To prevent cross-site scripting attack we can use xss-clean module. Please check this module https://www.npmjs.com/package/xss-clean

3. HTTP Parameter Pollution attacks

If an application accepts input in any form, you need to take necessary precautions to ensure that malicious inputs cannot exploit your application.

Parameter pollution is a type of injection attack where the HTTP parameters of a web application’s HTTP endpoints are injected with specific malicious input. HTTP parameter pollution can be used to expose internal data or even cause a Denial of Service (DoS) attack, where an attacker tries to interrupt a resource and render it inaccessible by the resource’s intended users.To prevent this attack we can use HPP module. Please check the module in details https://www.npmjs.com/package/hpp

4. Cross-Site Request Forgery (CSRF)

Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other. To prevent this attack we can use csurf module. Please check the module in details https://www.npmjs.com/package/csurf

5. Scanning for known vulnerabilities in Node.js packages using npm audit

Built-in to the npm command-line tool is a command, npm audit, for reporting known vulnerabilities in the dependencies of your application. Every third-party package used by your application is a potential security hole.It’s not just that a query against the application might trigger buggy code, whether in your code or third-party packages. In some cases, packages that explicitly cause harm have been added to the npm registry.Therefore the security audits of packages in the npm registry are extremely helpful to every Node.js developer.We can try to automatically fix the vulnerabilities by using the npm audit fix command. This will attempt to update any dependencies to fixed versions

6. Using Good Cookie Practices

app.use(session({
store: sessionStore,
secret: sessionSecret,
resave: true,
saveUninitialized: true,
name: sessionCookieName,
secure: true,
maxAge: 2 * 60 * 60 * 1000 // 2 hours
}));

The secure attribute in above code requires that cookies be sent ONLY over HTTPS connections. This ensures the cookie data is encrypted by HTTPS encryption.Please check this module https://www.npmjs.com/package/express-session

7. Preventing JSON pollution

Applications that accept JSON as user input are the most susceptible to these attacks. In the most severe cases, it’s possible to crash a server by just supplying additional values in JSON input. This can make the server vulnerable to DoS attacks via JSON pollution.The key to preventing JSON pollution attacks is to validate all JSON input. This can be done manually or by defining a schema for your JSON to validate against.Please check this module for JSON validation https://www.npmjs.com/package/ajv

8.Using Express Mongo Sanitize

If you are using Mongo DB with express framework you can use this module to sanitize user data.https://www.npmjs.com/package/express-mongo-sanitize

9. CORS & Rate Limit

If you are exposing your application through API, please make sure that you have enabled CORS and have given permission to specific URLs to access your data also you can implement rate limit so that there would be limit set of request in some particular time. Please refer below modules

--

--

--

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Credential Stuffing: What Is It And How To Prevent It?

8 Tips for Safe Web Browsing and Accessing the Internet

Big Data: Privacy

How to connect Lambdas in one AWS account to a MongoDB Atlas Cluster in another AWS account…

{UPDATE} いきものバトルタワー Hack Free Resources Generator

Delivering Zero Trust in a DevSecOps model

Polkalokr Partners with Raze Network

Profiling Tools: Opensnoop Trace Analysis

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Deepak Rai

Deepak Rai

More from Medium

Better NodeJS logging

Multi docker Nodejs app setup

WebSocket Node.js No Library (Vanilla JS)

Creating a Web Server and Logging the requests in Node.js