Remember! Node.js security development tips
Internet security incidents happen constantly, and users can come under attack at any moment. As software developers, our job is to make our applications as secure as possible. This article offers secure-development suggestions for Node.js.
The following is a translation:
There is no doubt that Node.js has matured. Even so, developers still lack a lot of security guidance. In this article I will share some key points about Node.js security that I hope you will keep in mind.
1. Avoid using Eval
Eval is not the only function to avoid. Under the hood, the following expressions can also evaluate a string as code (the two timer forms do so in browsers; Node's own timers reject a string callback with a TypeError):
setInterval(String, 2)
setTimeout(String, 2)
new Function(String)
Why avoid eval? Because it opens the code to injection attacks and slows execution.
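The injection risk is easiest to see with a concrete pair of parsers. The following is an added example, not code from the original post: a configuration string is "parsed" once with eval and once with JSON.parse followed by shape validation. The configuration fields, the hostile input and the __evalRan marker are constructed for this demonstration.

```javascript
// Added example (not from the original post): parsing data with eval versus
// with JSON.parse. The config text, field names and hostile input are
// constructed for this demonstration.

// Anti-pattern: "parsing" a document by evaluating it as code. Whatever the
// string contains runs with the full privileges of the Node process.
function parseConfigUnsafe(text) {
  return eval('(' + text + ')');
}

// Replacement: JSON.parse is a data parser, not a code interpreter, so
// executable content is a SyntaxError instead of a side effect. The shape is
// then validated so the rest of the program only sees the fields it expects.
function parseConfigSafe(text) {
  const raw = JSON.parse(text);
  if (raw === null || typeof raw !== 'object' || Array.isArray(raw)) {
    throw new TypeError('config must be a JSON object');
  }
  if (!Number.isInteger(raw.port) || raw.port < 1 || raw.port > 65535) {
    throw new RangeError('port must be an integer between 1 and 65535');
  }
  return { port: raw.port, debug: raw.debug === true };
}

// Constructed inputs: a legitimate document and one that smuggles a statement
// into what looks like a configuration value.
const GOOD_CONFIG = '{"port": 8080, "debug": false}';
const HOSTILE_CONFIG = '{port: 8080, note: (globalThis.__evalRan = true)}';

// Feed the hostile text to both parsers and report whether the embedded
// assignment executed. Only the eval-based parser lets it run.
function demo() {
  delete globalThis.__evalRan;
  parseConfigUnsafe(HOSTILE_CONFIG);
  const ranViaEval = globalThis.__evalRan === true;

  delete globalThis.__evalRan;
  let jsonError = null;
  try {
    parseConfigSafe(HOSTILE_CONFIG);
  } catch (err) {
    jsonError = err.name; // 'SyntaxError': unquoted keys are not JSON
  }
  const ranViaJson = globalThis.__evalRan === true;

  return { ranViaEval, ranViaJson, jsonError, good: parseConfigSafe(GOOD_CONFIG) };
}
```

Calling demo() shows ranViaEval as true and ranViaJson as false: the same bytes are executed by one parser and rejected by the other. The validation step matters as much as the parser choice, because JSON.parse alone will happily return any shape the sender chooses.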
2. Use strict mode
Strict mode opts you into a restricted variant of JavaScript that turns some silent mistakes into thrown errors.
3. Undeletable properties cannot be deleted
'use strict'; delete Object.prototype; // TypeError
4. Object literal keys must be unique (in ES5; ES2015 and later allow duplicate keys even in strict mode)
'use strict'; var obj = { a: 1, a: 2 }; // syntax error
5. The with statement is prohibited
'use strict'; var obj = { x: 17 }; with (obj) { } // !!! syntax error
For the complete list of these hidden errors, see MDN.
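To see the difference between the two modes side by side, here is an added example that is not part of the original post. Each probe is a hard-coded snippet compiled once with and once without the 'use strict' directive; the Function constructor is used only because the source is a constant literal, never user input. The probe names and the strictProbeLeak variable are constructed for this demonstration.

```javascript
// Added example (not from the original post): each probe compiles a fixed,
// constant snippet once with and once without the 'use strict' directive and
// reports whether it throws. new Function is used here only because the
// source is a hard-coded literal; the snippets and their names are constructed.
function outcome(body, strict) {
  try {
    new Function((strict ? "'use strict'; " : '') + body)();
    return 'ok';
  } catch (err) {
    return err.constructor.name; // TypeError, SyntaxError, ReferenceError
  }
}

const PROBES = {
  deleteUndeletable: 'delete Object.prototype;',
  withStatement: 'with ({}) {}',
  assignToUndeclared: 'strictProbeLeak = 1;',
  writeToFrozen: 'var o = Object.freeze({ x: 1 }); o.x = 2;',
  duplicateKey: 'var o = { a: 1, a: 2 };',
};

// Run every probe in both modes. Sloppy mode lets most of these slip through
// silently (and even creates a global variable); strict mode raises them.
// The duplicate-key probe passes in both modes on ES2015+ engines.
function compareModes() {
  const results = {};
  for (const [name, body] of Object.entries(PROBES)) {
    results[name] = { strict: outcome(body, true), sloppy: outcome(body, false) };
  }
  delete globalThis.strictProbeLeak; // remove the variable the sloppy probe leaked
  return results;
}
```

Printing compareModes() with console.table gives one row per probe. The assignToUndeclared row is the one to remember: in sloppy mode a typo in a variable name quietly creates a global, which is exactly the class of hidden error strict mode exists to surface.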
6. Test
Needless to say: test, test, and test some more.
And not only unit tests: work through the whole testing pyramid.
7. Say goodbye to sudo node app.js
I have seen many people running Node apps with superuser permissions. Why? Because they want the application to listen on port 80 or port 443.
This is wrong. A single error or bug can then take down the entire system, because the process already has the credentials to do anything.
Instead, set up an HTTP server/proxy such as nginx or Apache to forward requests to the application.
8. Avoid Command Injection
What is the problem with the code below?
child_process.exec('ls', function (err, data) { console.log(data); });
child_process.exec spawns /bin/sh to run the command, so it is a shell interpreter, not a program launcher.
Problems arise when user input is passed to this method: with a shell metacharacter (a backslash, a ; or a $()), an attacker can inject a new command.
Developers can use child_process.execFile to avoid such problems. See LiftSecurity for how to handle command injection.
9. Temporary Files
Developers should take special care when creating files, for example when handling uploads: these files can easily eat up all your disk space.
The solution is to use Streams.
10. Ensure Web Application Security
This is not only about Node; it is about how to secure your Web application in general.
11. Reflected Cross-Site Scripting
This happens when an attacker injects code into the HTTP response. An application is vulnerable when it echoes unvalidated input back to the client, usually inside JavaScript. An attacker can then steal cookies, perform clipboard theft, or modify the page itself.
Example:
http://example.com/index.php?user=<script>alert(123)</script>
If the user query string is sent back to the client without validation and inserted into the DOM, the script executes.
How to prevent it:
Never insert untrusted data into the DOM directly; HTML-escape it before insertion.
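The escaping step for the example above, as an added example that is not from the original post: the reflected user parameter is rendered once unescaped and once through an HTML escaper, for both element content and a quoted attribute. The page fragment, the parameter name and the payloads are constructed for this demonstration, and the hasInjectedMarkup helper is a demo-only heuristic, not a general XSS detector.

```javascript
// Added example (not from the original post): escaping a reflected query
// parameter before it is placed into the page. The page fragment, parameter
// name and payloads are constructed for this demonstration.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape the five characters that can change meaning in HTML text or in a
// double-quoted attribute value. Other contexts (inside <script>, a URL, CSS)
// need their own encoders; this one is not sufficient there.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the ?user= value from the request is concatenated straight into
// the markup, so a value containing a tag becomes part of the document.
function renderGreetingUnsafe(user) {
  return `<h1>Hello ${user}</h1><input name="user" value="${user}">`;
}

// Fixed: every interpolation point is escaped for the context it lands in.
function renderGreetingSafe(user) {
  const u = escapeHtml(user);
  return `<h1>Hello ${u}</h1><input name="user" value="${u}">`;
}

// Demo-only heuristic: does the output still contain a live <script> tag, or
// an event handler that the input managed to place after closing the value?
function hasInjectedMarkup(html) {
  return /<script\b/i.test(html) || /value="[^"]*"[^>]*\son\w+=/i.test(html);
}

// Constructed payloads: the reflected-script case from the text, and a
// variant that tries to break out of the attribute instead.
const SCRIPT_PAYLOAD = '<script>alert(123)</script>';
const ATTRIBUTE_PAYLOAD = '" onfocus="alert(1)';
```

With SCRIPT_PAYLOAD the unsafe renderer emits a real script element while the safe one emits &lt;script&gt; text; with ATTRIBUTE_PAYLOAD the unsafe renderer lets the input close the value attribute and add an event handler, which the escaped &quot; prevents. Escaping by hand like this is error-prone at scale, so a templating engine that escapes by default is the usual production choice; the point here is what that engine must do at every interpolation.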