Node.js is getting more and more mature,no doubt – despite this, not many security guidelines are out there. As more applications are being build on node, securing them is becoming increasingly important. Node provides you better ways to avoid all the security issues that make up your application more reliable and secure.

Node.JS community is working on fixing the security issues as they arise. However, the final result depends on the developer community following the security guidelines.

In this article, I will discus what are the best practices you should do to make your Node application secure





Remove ‘X-powered-by’

Security refers to your code authentication. There is no need to mention the platform you are using. Sending bits of data to the client in response to any web request is a common mistake to provide basic knowledge to the entry level attack.

To save bandwidth in your Express application, there are two ways to disable or hide this type of information.

Just to ask Express to not add it like: var app=express(); app.disable(‘X-powered-by’); Make middleware like: app.use(function(req, res, next){ res.removeHeader(‘X-powered-by’); next(); });





Don’t Use Deprecated Version of Express/Node

It is recommended to use the latest version of Node or Express. Many of the security issues are covered in new release with time. Like for example, Express version 2.x and 3.x are deprecated, deprecated means the functions available in this version are no longer maintain in the next releases. So, use the latest version of Node and, if you are using the previous version then migrate to the latest one.





Upgrade SSL to TLS

If you are using SSL (Secure Socket Layer) initially, then try to upgrade it to TLS (Transport Layer Security). Basically, it is the next step to SSL security measures. TLS ensures you to transmit sensitive data, encrypted at both ends. In this way, data is encrypted before sending it over the receiver. There are many handy tools available to get your TLS certificate like let’s Encrypt is a free and open source tool under Certificate Authority (CA).





Don’t Use Component with Known Vulnerabilities

Keep an eye on the security vulnerabilities by not using the component with known vulnerabilities. While adopting these options, make sure that your dependencies are secure.

One better tool for handling it is Retire.js. As it scans, it lets you know where you have a dependency that has a known vulnerability. $ npm i -g retire $ retire project It will highlight all the known vulnerable components in your web app. It mentions not only the node modules but any front-end libraries also. Another way is to check thoroughly by Node Security Project that gives you continuous security monitoring by just installing it on your node. $ npm install –global nsp $ cd your-fantastic-app $ nsp check A third way of making your app secure is by ‘using Helmet’. Helmet can help protect your app from some well-known web vulnerabilities by setting security related HTTP headers appropriately. $ npm install –save helmet Then use this line of code into your app.js file var helmet = require(‘helmet’); app.use(helmet()); Helmet will save you from any issues like data validation, sql injection, XSS and command injection.

Session Management

The importance of making the secure cookies is an important part of the session management. Especially when we are developing a dynamic web application. This will be helpful in maintaining state in a stateless protocol like HTTP. There are two main modules of cookies are built into Express 3.x version, the modules are;

express-session (saves session id not the session data on the server) cookie-session (rather than a session key, it serialises the entire data in cookies)

The main difference between these two is the way they save data on the server.





Use Cookie Securely

To make cookies secure, make sure

Set Cookies Security Options Appropriately To make cookies secure, make sure secure: that ensures cookie to be sent over HTTPS. httpOnly: helps against cross-site scripting attacks.It also makes sure not to send cookie over any client JavaScript domain. domain: that takes domain of the cookie or URL that is being requested. path: If domain match then indicates the path of cookie and sent the cookie in the request. expires: Set expiration date.





Like , for example , set the options as below cookie : { secure : true , httpOnly : true , domain : ‘example . com’ , path : ‘foo / bar’ , expires : expiryDate }









Don’t use default session cookies name Using the default session cookies name will make it open for attacker , So always use generic session cookies name . Like , if you are using ‘express - session’ module , use it as var session = require ( ‘express - session’ ) ; app . set ( ‘trust proxy’ , 1 ) ; // trust first proxy app . use ( session ( { secret : ‘s3Cur3’ , name : ‘sessionId’ , } ) ) ;









Don’t pollute Global Space

There are the functions like eval() that open up your code for injection attack and make your Node application insecure. Just make sure to not use eval() or its friends like setTimeOut(code,2) or setInterval(code,2) methods that uses eval() at the background.





Use Strict Mode

Strict mode is a way to opt into a restricted variant of JavaScript. It intentionally has a different meaning than normal code. It eliminates some JavaScript errors and also fixes the error reported by JavaScript engine. It let’s throw all the errors and declare variable properly. When you are using “strict mode” by your chrome browser,

Your eval() is no more insecure now. No access to caller and arguments.





Use the strict code into your JS engine as “use strict” ; var sm = 0 ; eval ( “sm = 123 ” ) ; console . log ( sm ) ; //It will show 123 on the console









Static Code Analysis

Do static code analysis in your application, as it is the most crucial thing you should do for you application security. It will catch many problems at an early stage. For this,

Commit hooks in (D)VCSes. Use JSHint, JSLint or ESLint. Create a policy for static code. Update and recheck the policy regularly.





Attach Listener for Error Handling





Always handle error object in callback . Attach listeners to errors , events and welcome unhandled exceptions . For Example , Var http = require ( “http” ) ; http . get ( “https : / / nodejs . org / ” , function ( res ) { res . on ( “data” , function ( chunk ) { do _something_with_chunk ; } ) ; res . on ( “error” , function ( err ) { } ) ;









Don’t Log Sensitive Information

When you are going to deploy your frontend application, never expose API credentials or any sensitive information in your source code. Because that information is readable to anyone. To mitigate this type of issue and to make sure that data will not accidentally expos.

Make use of pull request. Check out or regular code review.





Don’t Run Node Process as Root

To run the node application on port 80 or 443, people often run Node application with superuser rights. Because of using sudo node app.js, your system will wholly effect. So, it is recommended to set up an HTTP server/proxy to forward the request. This request can be from any web server like Nginx and Apache.





Use CSRF Module

Cross-site Request Forgery is an attack that forces the user to execute unwanted actions on his web application. To mitigate this kind of attack add csrf module in your code. For this, Install csrf over your npm using: $ npm install csrf Moreover then, use it where you want like: var Tokens = require(‘csrf’)

Conclusion

These ways are highly influenced and maintained by OWASP. If you want to make your Node application secure, then follow the ways above mentioned exploits.

Vizteck Solutions always makes sure all the compliances in our app development phase. Our goal is to deliver more secure and valuable code to clients. For this, our developers always take care of all the security risks in any solution we are delivering.





Our client projects, beakun.com and serviceguru.com are the deliverables that are blazingly fast, secure and can scale very easily with users because of the MEAN stack and AWS cloud.

#nodejs #Nodejssecurityissues #nodejssecurity #nodejssecuritybestpractices #nodejssecuritymiddleware