
The Best Node.js Security Practices

10 Feb 2020

Digital product security is the elephant in the room. Everyone talks about it, but not everyone takes it seriously. At Fireart Studio, we want to show you how much app security matters. That is why we have compiled this short checklist of the best Node.js security practices.

Why Node.js? Node.js is one of the leading JavaScript runtimes and is steadily gaining market share. At its core, Node.js is secure; however, once you install third-party packages, the way you configure, install and deploy the application needs some extra effort to keep it protected from online attacks.


Configuration Management

Security HTTP Headers

There are some HTTP headers you need to set on your site. They include:

1) Strict-Transport-Security enforces secure (HTTP over SSL/TLS) connections to the server

2) X-XSS-Protection enables the Cross-site scripting (XSS) filter built into most recent web browsers

3) X-Frame-Options gives clickjacking protection

4) Content-Security-Policy protects from a large number of attacks, including Cross-site scripting and other cross-site injections

5) X-Content-Type-Options helps browsers avoid MIME-sniffing a response away from the declared content-type.

Many experienced web developers recommend the Herokuapp checker; it is a great tool for verifying that your website sends all the needed headers.
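The following is an added example, not code from the original post: an Express-style middleware that sets the five headers listed above and drops the X-Powered-By banner, together with an audit function you can run over a response's headers to get the same kind of check the online tool gives you. The header values are assumed defaults; the Content-Security-Policy in particular must be tuned to your own app.

```javascript
// Added example, not code from the original post. Header values are
// sensible defaults; tune Content-Security-Policy to your own app.
const REQUIRED_HEADERS = {
  'strict-transport-security': 'max-age=31536000; includeSubDomains',
  'x-xss-protection': '1; mode=block',
  'x-frame-options': 'DENY',
  'content-security-policy': "default-src 'self'",
  'x-content-type-options': 'nosniff',
};

// Works with any res exposing setHeader/removeHeader, as Node's
// http.ServerResponse and Express's res do.
function securityHeaders(req, res, next) {
  for (const [name, value] of Object.entries(REQUIRED_HEADERS)) {
    res.setHeader(name, value);
  }
  res.removeHeader('x-powered-by'); // the framework banner is free reconnaissance
  next();
}

// Audit a header map (e.g. res.getHeaders() or a fetched response's headers).
// Returns a list of problems; an empty list means the response passes.
function auditHeaders(headers) {
  const present = {};
  for (const [k, v] of Object.entries(headers)) present[k.toLowerCase()] = v;
  const problems = [];
  for (const name of Object.keys(REQUIRED_HEADERS)) {
    if (!(name in present)) problems.push(`missing ${name}`);
  }
  if ('x-powered-by' in present) problems.push('x-powered-by disclosed');
  return problems;
}

// Minimal stand-in for a response object so the example runs without Express.
function fakeResponse(initial = {}) {
  const h = {};
  for (const [k, v] of Object.entries(initial)) h[k.toLowerCase()] = v;
  return {
    setHeader(k, v) { h[k.toLowerCase()] = v; },
    removeHeader(k) { delete h[k.toLowerCase()]; },
    getHeaders() { return { ...h }; },
  };
}

const demo = fakeResponse({ 'X-Powered-By': 'Express' }); // constructed sample response
console.log(auditHeaders(demo.getHeaders()));   // six problems before the middleware
securityHeaders({}, demo, () => {});
console.log(auditHeaders(demo.getHeaders()));   // [] afterwards
```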

Sensitive Data on the Client Side

When developing a front-end app, always make sure that sensitive data, such as API secrets, is not readable by everyone in your source code. Unfortunately, there are no automation tools that can check this for you. That is why many app developers recommend very traditional methods, such as pull requests and regular code review.


Authentication

Brute Force Protection

Brute forcing is the process of enumerating every possible candidate and checking whether each one satisfies the problem statement. In web apps, for example, a login endpoint is a perfect candidate.

To secure your web application from this kind of attack, you should use rate limiting. Our team recommends applying a rate limiter package from npm.

You can also wrap it as middleware and simply insert it into any app. Both Koa and Express have good middleware for this.

(Illustration: rate limiting example, credit to Risingstack)

You can restrict the number of login attempts a user may make in a given time window. This eliminates the risk of a sudden brute force attack. You can also use Hydra to check how your services behave in these scenarios.
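Here is an added example, not code from the original post or from any npm package: an in-memory login rate limiter exposed as Express-style (req, res, next) middleware, with an injectable clock so the window behaviour can be tested. It assumes a single Node process; with several processes you would back it with a shared store such as Redis instead of a Map.

```javascript
// Added example, not code from the original post or any npm package.
function createLoginLimiter(options = {}) {
  const {
    maxAttempts = 5,
    windowMs = 15 * 60 * 1000,     // 15-minute sliding window
    now = Date.now,                // injectable clock, handy for tests
    keyFor = (req) => req.ip,      // per-IP by default; key on the username to shield one account
  } = options;
  const attempts = new Map();      // key -> timestamps of attempts inside the window

  // Record one attempt for `key` and report whether it is still allowed.
  // Blocked attempts are not recorded, so retries do not extend the window.
  function check(key) {
    const t = now();
    const recent = (attempts.get(key) || []).filter((ts) => t - ts < windowMs);
    attempts.set(key, recent);
    if (recent.length >= maxAttempts) {
      // The oldest attempt in the window decides when the next slot frees up.
      const retryAfterSec = Math.ceil((windowMs - (t - recent[0])) / 1000);
      return { allowed: false, retryAfterSec };
    }
    recent.push(t);
    return { allowed: true, remaining: maxAttempts - recent.length };
  }

  function middleware(req, res, next) {
    const result = check(keyFor(req));
    if (!result.allowed) {
      res.statusCode = 429;
      res.setHeader('Retry-After', String(result.retryAfterSec));
      res.end('Too many login attempts, please try again later');
      return;
    }
    next();
  }

  return { middleware, check };
}

// Stand-alone demonstration with a constructed client address.
const limiter = createLoginLimiter({ maxAttempts: 3, windowMs: 60 * 1000 });
for (let i = 1; i <= 4; i++) {
  console.log(`attempt ${i}:`, limiter.check('203.0.113.7'));   // the 4th attempt is blocked
}
```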

Session Management

The secure use of cookies should not be underestimated, especially in dynamic web applications that have to keep state across a stateless protocol, like HTTP.

Cookie Flags


Here is a list of attributes that should be set on every cookie, together with their meanings.

  • Secure – tells the browser to send the cookie only when the request is made over HTTPS.
  • HttpOnly – blocks access to the cookie from JavaScript, which mitigates cookie theft through cross-site scripting.

Cookie Scope

  • Domain – compared against the domain of the server the request is being sent to. If the domain matches, or the request domain is a sub-domain of it, the Path attribute is checked next.
  • Path – alongside the domain, the URL path for which the cookie is valid can be specified too. If the path matches as well, the cookie is sent with the request.
  • Expires – used to create persistent cookies: the cookie does not expire until the set date is reached.

You can easily generate such a cookie in Node.js with the cookie package. However, it is quite low level, so you will probably use a wrapper such as cookie-session.
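As an added example, not code from the original post or from the cookie package, here is a small serializer that builds a Set-Cookie header with the attributes described above, a parser that reads one back, and an audit that reports what a session cookie is missing. The audit also checks SameSite, which the post does not list but which belongs to the same set of cookie attributes.

```javascript
// Added example, not code from the original post or from the cookie package.
function serializeCookie(name, value, opts = {}) {
  // Conservative subset of the characters RFC 6265 allows in a cookie name.
  if (!/^[A-Za-z0-9_-]+$/.test(name)) throw new Error('invalid cookie name');
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  parts.push(`Path=${opts.path || '/'}`);
  if (opts.expires instanceof Date) parts.push(`Expires=${opts.expires.toUTCString()}`);
  if (opts.secure) parts.push('Secure');
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  return parts.join('; ');
}

// Parse a Set-Cookie header into { name, value, attributes }; attribute keys
// are lower-cased and flags without a value (Secure, HttpOnly) become `true`.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i < 0 ? true : attr.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: decodeURIComponent(pair.slice(eq + 1)), attributes };
}

// Report what a session cookie is missing; an empty list means it passes.
function auditSessionCookie(header) {
  const { attributes } = parseSetCookie(header);
  const problems = [];
  if (!('secure' in attributes)) problems.push('missing Secure');
  if (!('httponly' in attributes)) problems.push('missing HttpOnly');
  const sameSite = String(attributes.samesite || '').toLowerCase();
  if (sameSite !== 'lax' && sameSite !== 'strict') problems.push('SameSite not Lax/Strict');
  if ('expires' in attributes) problems.push('Expires set: session cookie survives a browser restart');
  return problems;
}

// Constructed sample values.
const good = serializeCookie('sid', 'abc 123', { domain: 'example.com', secure: true, httpOnly: true, sameSite: 'Lax' });
console.log(good);                                  // sid=abc%20123; Domain=example.com; Path=/; Secure; HttpOnly; SameSite=Lax
console.log(auditSessionCookie(good));              // []
console.log(auditSessionCookie('sid=1; Path=/'));   // three problems
```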

CSRF

The abbreviation CSRF stands for Cross-Site Request Forgery. In essence, it is an attack that triggers unwanted actions in a web application on behalf of a logged-in user. These attacks target state-changing requests rather than data theft, because the attacker has no way to see the response to the forged request.

To mitigate such attacks, you can use the csrf module. There are also wrappers for specific frameworks; for example, there is an Express middleware for CSRF protection built on it.

Error Handling

Error Codes, Stack Traces

In various error scenarios, an app may expose sensitive details about the underlying infrastructure, such as the header X-Powered-By: Express.

Stack traces are not usually vulnerabilities in themselves, but they frequently reveal information that is attractive to an attacker. Returning debugging information in response to failed operations is rarely helpful to the user. Always log such details, but never show them to users.

Conclusion

Our web development company has been happy to share this shortlist of security practices that will help you avoid many mistakes in Node.js development. There are many more actionable strategies and tactics; we have listed only a few of them, but we hope they will be helpful and empower you to create more secure applications. Want to know more about the framework and how you can implement it in your projects? Drop us a line to order Node.js consultancy services, and we'll see what we can do.
