Secure your NodeJs Applications
- Helmet for adding headers
Setting HTTP headers with Helmet.Helmet injects the following headers into our request, with appropriate defaults:
2. XSS(Cross-site Scripting)
XSS attacks are client-side injection attacks where malicious scripts are injected into websites. XSS vulnerabilities are very dangerous, as they can compromise trusted websites. To prevent cross-site scripting attack we can use xss-clean module. Please check this module https://www.npmjs.com/package/xss-clean
3. HTTP Parameter Pollution attacks
If an application accepts input in any form, you need to take necessary precautions to ensure that malicious inputs cannot exploit your application.
Parameter pollution is a type of injection attack where the HTTP parameters of a web application’s HTTP endpoints are injected with specific malicious input. HTTP parameter pollution can be used to expose internal data or even cause a Denial of Service (DoS) attack, where an attacker tries to interrupt a resource and render it inaccessible by the resource’s intended users.To prevent this attack we can use HPP module. Please check the module in details https://www.npmjs.com/package/hpp
4. Cross-Site Request Forgery (CSRF)
Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other. To prevent this attack we can use csurf module. Please check the module in details https://www.npmjs.com/package/csurf
5. Scanning for known vulnerabilities in Node.js packages using npm audit
Built-in to the npm command-line tool is a command, npm audit, for reporting known vulnerabilities in the dependencies of your application. Every third-party package used by your application is a potential security hole.It’s not just that a query against the application might trigger buggy code, whether in your code or third-party packages. In some cases, packages that explicitly cause harm have been added to the npm registry.Therefore the security audits of packages in the npm registry are extremely helpful to every Node.js developer.We can try to automatically fix the vulnerabilities by using the npm audit fix command. This will attempt to update any dependencies to fixed versions
6. Using Good Cookie Practices
app.use(session({
store: sessionStore,
secret: sessionSecret,
resave: true,
saveUninitialized: true,
name: sessionCookieName,
secure: true,
maxAge: 2 * 60 * 60 * 1000 // 2 hours
}));
The secure attribute in above code requires that cookies be sent ONLY over HTTPS connections. This ensures the cookie data is encrypted by HTTPS encryption.Please check this module https://www.npmjs.com/package/express-session
7. Preventing JSON pollution
Applications that accept JSON as user input are the most susceptible to these attacks. In the most severe cases, it’s possible to crash a server by just supplying additional values in JSON input. This can make the server vulnerable to DoS attacks via JSON pollution.The key to preventing JSON pollution attacks is to validate all JSON input. This can be done manually or by defining a schema for your JSON to validate against.Please check this module for JSON validation https://www.npmjs.com/package/ajv
8.Using Express Mongo Sanitize
If you are using Mongo DB with express framework you can use this module to sanitize user data.https://www.npmjs.com/package/express-mongo-sanitize
9. CORS & Rate Limit
If you are exposing your application through API, please make sure that you have enabled CORS and have given permission to specific URLs to access your data also you can implement rate limit so that there would be limit set of request in some particular time. Please refer below modules
