Node.js Application Security

Node.js is a popular server-side JavaScript runtime and one of the most widely used in the JavaScript world; you may well be using it in your own projects.

In this article, we will focus on some Node.js security best practices and how to make your app much more secure.

Here’s a quick rundown, with some Express/Node.js modules:

Crypto

Schneier’s Law states:

Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can’t break.

Nobody may know what your secret algorithm is, and the fact that you yourself cannot break your cipher is irrelevant. What matters is using an algorithm that others, who do know how it works, still can’t break.

Home-grown schemes are often no stronger than substitution or polyalphabetic ciphers, which an attacker can break with common tools to recover the plaintext from the ciphertext. Do not roll your own crypto; use a standard, reviewed algorithm instead.

bcrypt is a password hashing function. It is widely used, has been around for a long time and remains unbroken to date.

Keep your dependencies up to date

Keeping third-party libraries up to date, and keeping track of which ones you use, is important, as a vulnerability in any of them can put your entire application at risk.

HTTP response headers

helmet — It is an Express module that sets secure HTTP response headers.

To install helmet:

npm install --save helmet

const express = require('express');
const helmet = require('helmet');
const app = express();

// sets security-related response headers on every response
app.use(helmet());

helmet.js
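To make clear what a module like helmet is doing on your behalf, here is an added example (not from the original article and not helmet’s code) that sets a handful of the same kind of headers by hand in an Express-style middleware. The header values are this example’s choices, not helmet’s exact defaults.

```javascript
// Added example: security response headers written out by hand so each
// one's purpose is visible. Values are our choices, not helmet's defaults.
function securityHeaders() {
  return {
    // stop browsers sniffing a MIME type different from Content-Type
    'X-Content-Type-Options': 'nosniff',
    // refuse to be framed by other origins (clickjacking)
    'X-Frame-Options': 'SAMEORIGIN',
    // browsers that have seen this over HTTPS will use HTTPS for 180 days
    'Strict-Transport-Security': 'max-age=15552000; includeSubDomains',
    // do not leak the referring URL to other sites
    'Referrer-Policy': 'no-referrer',
    // only load scripts, styles, images, etc. from our own origin
    'Content-Security-Policy': "default-src 'self'",
  };
}

// Express-style middleware: apply the headers and drop the X-Powered-By
// banner that advertises the framework to attackers scanning for targets.
function secureHeadersMiddleware(req, res, next) {
  for (const [name, value] of Object.entries(securityHeaders())) {
    res.setHeader(name, value);
  }
  res.removeHeader('X-Powered-By');
  next();
}

// usage in an Express app (assumed):
//   app.use(secureHeadersMiddleware);

module.exports = { securityHeaders, secureHeadersMiddleware };
```

The `Content-Security-Policy` value is the one most likely to need tuning for a real application, since `default-src 'self'` blocks inline scripts and third-party assets; start strict and widen deliberately.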

Use cookies securely

Install express-session. It stores the session data on the server and puts only the session ID in the cookie, not the session data itself:

npm install --save express-session

var express = require('express');
var session = require('express-session');
var app = express();

// the secret signs the session ID cookie; load it from configuration
// rather than hard-coding it in a real deployment
app.use(session({secret: 'secret_'}));

session.js

const express = require('express')
const cookieSession = require('cookie-session')
const app = express()

// assumed to be provided by the environment, never hard-coded
const sessionSecret = process.env.SESSION_SECRET

var expiryDate = new Date(Date.now() + 10 * 24 * 60 * 60 * 1000); // 10 days

// cookie-session keeps the whole session in a signed cookie; the cookie
// attributes are passed at the top level of its options
const session = cookieSession({
  name: 'session',
  secret: sessionSecret,  // signs the cookie so it cannot be tampered with
  secure: true,           // only sent over HTTPS (behind a proxy, also set app.set('trust proxy', 1))
  httpOnly: true,         // not readable from client-side script
  domain: 'example.com',
  expires: expiryDate
})

app.use(session)

cookie-session.js

Cross-Origin Resource Sharing

The CORS mechanism uses HTTP headers that let a browser read the response from a remote URL only when that server has given the requesting origin permission.

npm install cors --save

var express = require('express');
var cors = require('cors');

var app = express();

app.use(cors());

// Equivalent headers set by hand. Note that "*" allows every origin;
// for an API that uses cookies or credentials, allow specific origins instead.
app.use(function(req, res, next) {
   res.header("Access-Control-Allow-Origin", "*");
   res.header('Access-Control-Allow-Methods', 'DELETE, PUT, GET, POST');
   res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
   next();
});

cors.js

Cross-Site Request Forgery

Install csurf:

npm install csurf

const cookieParser = require('cookie-parser');
const csrf = require('csurf');
const bodyParser = require('body-parser');
const express = require('express');

// keep the CSRF secret in a cookie (alternative: in the server-side session)
const csrfProtection = csrf({ cookie: true });
const parseForm = bodyParser.urlencoded({ extended: false });

const app = express();

// parse cookies
// we need this because "cookie" is true in csrfProtection
app.use(cookieParser());

app.get('/form', csrfProtection, function (req, res) {
  // pass the csrfToken to the view
  res.render('send', { csrfToken: req.csrfToken() })
})

app.post('/process', parseForm, csrfProtection, function (req, res) {
  res.send('data is being processed')
})

csrf.js

Sending the token value back to the view:

<form action="/process" method="POST">
  <input type="hidden" name="_csrf" value="{{csrfToken}}">
  <button type="submit">Submit</button>
</form>

handlebar_view.js

Error Handling

The convention in the Node.js community is to pass errors to callbacks as the first argument, because callbacks are where asynchronous operations report their failures.

Using async/await you can now write asynchronous control flow the way you would write synchronous code:

async function email(address) {
  try {
    // Do something asynchronous that may throw...
    // (sender address is a placeholder; the original was obfuscated on the page)
    await sendEmail({ to: address, from: 'sender@example.com', subject: 'Hello' });
  } catch(err) {
    if (err instanceof SomeCustomError) {
      // an expected failure: handle it here
      elegantlyHandleError(err)
    } else {
      // anything unexpected propagates to the caller
      throw err
    }
  }
}

error-handling.js
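The snippet above leaves `sendEmail`, `SomeCustomError` and `elegantlyHandleError` undefined. The block below is an added example (not from the original article) that fills them in with a simulated transport so the pattern can actually run, and adds the one piece that matters most in an Express app: a wrapper that routes a rejected promise from an async handler into `next(err)`, so it reaches the error middleware instead of becoming an unhandled rejection that can crash the process. The transport’s behaviour (addresses containing "bounce" are rejected, "down" simulates an outage) is constructed for the example.

```javascript
// Added example: async/await error handling with a custom error class and an
// Express-style wrapper. sendEmail is a constructed stand-in, not a real mailer.
class EmailRejectedError extends Error {
  constructor(address) {
    super(`mail to ${address} rejected`);
    this.name = 'EmailRejectedError';
    this.address = address;
  }
}

// Simulated transport (constructed): expected failure vs. unexpected failure
async function sendEmail({ to }) {
  if (to.includes('bounce')) throw new EmailRejectedError(to);
  if (to.includes('down')) throw new Error('smtp connection refused');
  return { accepted: [to] };
}

// Expected failures are handled here; anything else propagates to the caller
async function email(address) {
  try {
    await sendEmail({ to: address, from: 'sender@example.com', subject: 'Hello' }); // placeholder sender
    return 'sent';
  } catch (err) {
    if (err instanceof EmailRejectedError) {
      return 'rejected'; // e.g. flag the address as invalid and move on
    }
    throw err;
  }
}

// Wrap an async route handler so a rejection reaches Express error middleware
// via next(err) rather than being lost as an unhandled promise rejection.
function asyncHandler(fn) {
  return (req, res, next) => Promise.resolve(fn(req, res, next)).catch(next);
}

const sendRoute = asyncHandler(async (req, res) => {
  const status = await email(req.body.address);
  res.end(status);
});

// usage in an Express app (assumed):
//   app.post('/send', express.json(), sendRoute);

module.exports = { EmailRejectedError, sendEmail, email, asyncHandler, sendRoute };
```

Handling only the error types you recognise and rethrowing the rest is deliberate: swallowing every error hides outages and bugs, while letting the unexpected ones reach a central error handler gives you one place to log them and return a generic response that does not leak stack traces to the client.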

Node.js API Authentication with JWT Tokens

REST (Representational State Transfer) is a widely used web architecture because it is flexible and simple to use. Issuing JSON Web Tokens (JWTs) to authenticate users before they can access resources is one of the more secure approaches.

The token then takes the place of the username and password for each resource access.

Tools to check the security risk of open-source dependencies

Sqreen — It protects your application from cross-site scripting, SQL injection and MongoDB injection, and checks for vulnerabilities in your own files and third-party libraries.

Snyk — It helps you find and fix known vulnerabilities in your dependencies.

Acunetix — It scans web applications and frameworks such as Angular, React, Vue and Ember for vulnerabilities.

OWASP provides the basis for testing web applications. To know more about it, and about web security in general, kindly visit -

If you liked it please leave some claps to show your support. Also, leave your responses below and reach out to me if you face any issues.
