Protect the Express app

Source: Internet
Author: User
Tags: security essentials

There is no doubt that Node.js is maturing, but developers still lack a lot of security guidance. In this article, I will share some Node.js security essentials with everyone, and I hope you will keep them in mind.

1. Avoid using eval

eval is not the only function to avoid; behind the scenes, the following calls also evaluate a string as code:

setInterval(string, 2)
setTimeout(string, 2)
new Function(string)

Why should eval be forbidden? Because it opens the code to injection attacks and slows down execution.

2. Use strict mode

Strict mode opts you into a restricted variant of JavaScript that eliminates some silent errors by turning them into thrown exceptions.

3. Undeletable properties

'use strict';
delete Object.prototype; // TypeError

4. Object property names must be unique

'use strict';
var obj = {
  a: 1,
  a: 2
}; // SyntaxError in ES5 strict mode (ES2015 lifted this restriction)

5. with is prohibited

'use strict';
var obj = { x: 17 };
with (obj) // !!! SyntaxError
{

}

For a complete list of these hidden errors, see the MDN documentation on strict mode.

6. Testing

Needless to say: test, test, and test some more.

And not just unit tests; go straight for the full test pyramid.

7. Say goodbye to sudo node app.js

I see a lot of people running their Node app with superuser privileges. Why? Because they want the application to listen on port 80 or 443.

This practice is wrong. A single mistake or bug in the process can bring down the entire system, because the process already holds the credentials to do anything.

Instead, put an HTTP server or reverse proxy, such as nginx or Apache, in front of the app to forward requests to it.

8. Avoid command injection

See what's wrong with this piece of code?

var child_process = require('child_process');

child_process.exec('ls', function (err, data) {
  console.log(data);
});

child_process.exec runs its argument through /bin/sh, so it is a shell injector, not a program launcher.

When user input is passed into this method, a problem is created: with a \ or a $(), an attacker can inject a new command.

Developers can use child_process.execFile to solve this kind of problem. Visit liftsecurity to see how to handle command injection.

9. Temporary files

Developers should pay special attention when creating files, for example when handling uploads. Such files can easily eat all your disk space.

The workaround is to use streams.

10. Ensure Web Application Security

This is not just about Node, but about how to secure any Web application.

11. Cross-site script reflection

This happens when the attacker injects code into the HTTP response. Applications are vulnerable to this type of attack when they return unvalidated input to the client (most often as JavaScript). Attackers can steal cookies, access the clipboard, and modify the page itself.

Specific examples:

http://example.com/index.php?user=<script>alert(2881064151)</script>

If the user query-string parameter is sent back to the client without validation and inserted into the DOM, the script executes.

How to prevent:

Do not insert untrusted data into the DOM, and HTML-escape it before inserting.

Follow the link for more information on reflected cross-site scripting and its remediation.
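An added example, not from the original article, showing the escaping step for the reflected user parameter above: the greeting page and its vulnerable counterpart are constructed for illustration.

```javascript
// Added example: HTML-escape untrusted input before reflecting it into a page.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escapes the five characters that matter in HTML text and in quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Renders the greeting; `user` comes straight from the query string
// (e.g. req.query.user in Express). The browser shows the tag as text.
function renderGreeting(user) {
  return '<p>Hello, ' + escapeHtml(user) + '</p>';
}

// The vulnerable version the article warns about: the tag reaches the DOM and runs.
function renderGreetingUnsafe(user) {
  return '<p>Hello, ' + user + '</p>';
}

module.exports = { escapeHtml, renderGreeting, renderGreetingUnsafe };
```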

12. Stop Cookie Theft

By default, JavaScript can read cookies in the same domain, which is very dangerous in cross-site scripting attacks. Furthermore, any third-party JavaScript libraries can read them.

var cookies = document.cookie.split('; ');

How to prevent:

The developer can set the HttpOnly flag on the cookie so that JavaScript cannot access it.

13. Content Security Policy (CSP)

CSP (Content security Policy) is an added layer of security that helps detect and mitigate certain types of attacks, including cross-site scripting (XSS) and data injection attacks.

Send the Content-Security-Policy HTTP response header to enable CSP.

Example

Content-Security-Policy: default-src 'self' *.mydomain.com

This allows the content to come from a trusted domain or subdomain.

Follow the link for more CSP examples.

14. Cross-site request forgery (CSRF)

CSRF (Cross-Site Request Forgery) is an attack that forces an end user to perform unintended actions on a Web application in which they are currently logged in.

Example:

<body onload="document.forms[0].submit()">
  <form method="POST" action="http://yoursite.com/user/delete">
    <input type="hidden" name="id" value="123555">
  </form>
</body>

Loading the above page is enough to delete the user's profile.

How to prevent:

To stop CSRF, you should implement the synchronizer token pattern, and fortunately the Node community has done it for you. In short, this is how it works:

On a GET request the server checks whether the session already has a CSRF token and creates one if it does not; when it renders the form it embeds that token in a hidden field; when the form is submitted it verifies that the token is present in the form and matches the one stored in the session.

Going further

Developers should set up a security workshop to guide real-world application development.

15. Protect Express App: Helmet

Helmet is a collection of middleware that helps harden JavaScript Web applications built on Node frameworks such as Express and Connect. Its security features include:

csp
crossdomain
xframe
xssFilter
and so on

16. Using the tool

npm shrinkwrap: this command locks all dependencies of a package and creates an npm-shrinkwrap.json file. For more details, visit npm.

Retire.js: retire.js is a command-line scanner that helps you find vulnerabilities in the libraries your app depends on.

