Last Updated on November 27, 2020
Today, I have brought you a collection from my pandora box. Node.js is the most favorite app framework of my friends, and I cannot wait but help my friends with these node.js application security best practices for their Node.js applications.
By far now, there are 200,214 websites, and 93,087 unique domains are using Node.js, and it is the most popular technology for web app development in the USA. Famous brands like Netflix, eBay, Reddit, LinkedIn, Tumblr, PayPal, and more are using Node.js. Hence, there is no point in asking, is Node.js secure? But a question on how to secure your Node.js application is worth considering.
There are these Top 7 Reasons to choose Node.js for Web Application Developmentin 2020. And before you march ahead with building your next enterprise application with Node.js, hop on to know how you can protect your Node.js application by using these Node.js error handling best practices. Let’s discuss how to secure your Node.js application.
For the start-ups that are already using Node.js in their web application, even you can implement the following node application security tips to keep your app free from attacks. In this blog post, I have also covered the topOWASP (Open Web Security Project) injection threatsso that you come across Node.js security vulnerabilities. Let me get you through Node.js security tips for the website.
Top 24 Node.js Application Security Tips
1. Use Linter Security
While you are developing a Node.js application, you may have invoked a child process, might have used eval or imported a module with a non-string literal. By following such unintentional steps, your project might be facing Node.js vulnerabilities.
We advise you to use linting, which ensures that you eliminate potentially dangerous patterns in your code. You can use the linter plugins like eslint-plugin-security to catch threats and vulnerabilities while you are coding your node.js application.Your Node.js application security is utmost essential and hence archive this practice of using the above-mentioned plugin.
2. Apply rare limiting on the middleware
Your application is under the threat of a DOS attack where authenticate users may not get the requested service or get degraded service. To overcome such a situation, you should implement rare limiting using middleware for smaller and less-critical apps.
For comparatively larger apps, you can use rate-limiter-flexible package, Nginx, cloud firewalls, or cloud load balancers. This is one of the most-useful Node js best practices.
3. Secret Management
In an attempt to secure node js applications, You must not save your secrets in configuration files or source code. Unknowingly you may keep private repositories publicly, where you unveil all your secrets. This way, anyone can access your APIs, database, services, and more.
Thus, you must use Kubernetes/ Docker secrets, Vault products, or environment variables. In this manner, your secrets are safe, encrypted, and managed.
Pro Tip: Use pre-commits and push hooks to avoid accidental secrets.
4. Preventing Query Injections
Many developers use JS strings or string concatenations to insert values into queries. However, this Nodejs security best practices makes your data unvalidated, and your app highly vulnerable to SQL/NoSQL injection attacks.
Sequelize, KnexKnex, and mongoosemongoose, these node.js libraries have in-built protection against such SQL injection threats. To prevent these malicious attacks, you must always use Object-Relational Mapping/ Object Document Mapper ORM/ODM or database libraries that support indexed parametrized queries.
5. Evade DOS attacks by setting the system crash
When the Node process cannot handle some errors, the entire process crashes. Even a few nodejs best practices suggest exiting the process despite catching the mistake. All this struggle because the attackers get an easy spot that is vulnerable by the input, and crashes the system with repeated faulty inputs.
Though there is no solution to this adversity, you can validate the input and spare the process of crashing on invalid user input. You can wrap all the incoming routes with a catch and ensure that your system doesn’t crash on error requests. By doing so, you ensure your node js web application security.
6. Regulate the HTTP headers
Use secure headers to combat cross-site scripting (XSS), clickjacking, and other malicious attacks that lead to massive node.js application security vulnerabilities. You can use modules like the helmet that is easily configurable and create your own node js security tutorial.
7. Examine for vulnerable dependencies
The NPM ecosystem of Node makes it common to have many dependencies for a project. You must always check your dependencies and use tools like nsp or snyk, and npm audit, to track, monitor, and patch vulnerabilities. You can catch a dependency before it makes its way to execution by aligning these tools with CI setup.
8. Use Bcrypt instead of Crypto
Save your API passwords or secrets using Bcrypt, which is a secure hash + salt function. Without implementing this function, your passwords or secrets are vulnerable to brute force and dictionary attacks.
As you use the Bcrypt function, you specify the number of rounds, which is the number of times the data works, and so it is more securely and forcefully hashed.
9. Escape Output
Many a time, your browser executes the user-sent input, and this is known as Cross-site scripting (XSS) attack. You can use encoding, escaping, or dedicated libraries that mark data as pure content and do not allow it to execute.
Hence, you must escape output like HTML, JS, and CSS output, or else, the attackers would store malicious code in your DB, which in turn will pass over to needy clients.
10. Validate incoming JSON schemas
The attacker may keep trying to find the various input combinations that crash your application. So, don’t be generous and permissive of such experiments and trials. You should lay validation on incoming requests’ body payload and check if it meets your expectations.
Jsonschema or joi are lightweight JSON-based validation schemas that you can use to keep away from the coding struggle.
11. Backlisting JWTs
Your Node.js application considers JSON Web Tokens (JWT) issued by you as authentic, which makes you accessible to the app data using these tokens. However, in the case of misplaced or stolen tokens, there is no way that you can stop an attacker from accessing your application. For eg., when you use JWT with Passport.js.
Hence, you must validate your untrusted tokens that are expired or misplaced.
12. Prevent Brute-force attacks against the authorization
A hacker can try to breach into your application by trying too many attempts to enter username and password. You can prevent such brute-force attacks by implementing rate limiting authorization by restricting a particular IP to login to your app.
For eg., when you find consecutive failed attempts of authorization of the same username and a unique IP, restrict it further. Or when there are several failed attempts of permission for an extended period, like 100 failed attempts by a particular IP on the same day.
13. Run Node.js as a non-root user
A user process generally has the least access to the system information and resources. However, with the root access, an attacker can attain the maximum power of the local machine and can reroute traffic to other servers.
By default, Node.js runs as a non-root user with unlimited access, which is vulnerable. Thus, you must use a non-root user or bake it into a Docker image.
14. Limit payload size
As your Node.js application receives larger requests, it has difficulty processing other important work, which leads to lower app performance and exposes your app to DOS attacks. For large claims, a bigger body payload is under execution by a single thread.
Attackers can pose a threat even without multiple requests, because of the bigger payload size. You can use express body-parser for limiting the body-size by accepting only small-size payloads.
15. Sidescape the javascript eval statement
A considerable performance concern arises because the eval statement permits to execute a custom JS code while running the app. Now, a user may input a malicious JS code, which leads to a node.js application security issue.
By the use of eval function, or the new Function, setTimeout, and setInterval, susceptible text gains access to the Javascript of the page through the input. Hence, you should use such functions cautiously.
16. Counter malicious RegEx
All javascript apps are vulnerable to regular expressions, and specifically the Node.js application. They cost a large amount of CPU power as the user inputs text to match. Sometimes you may block the entire event loop due to poorly written RegEx. For eg., the moment package destroyed in Nov 2017.
You should use safe-regex to find out which of your regular expressions are posing a threat or use validator.js package.
17. Safe module loading
Keep a check on what your Node.js program is importing or requiring. Many times, the fs.readFile() parameters come from the user input, which can be a malicious act. The impact of such results can access your sensitive resource or breach into other existing file systems.
You should use the linter Eslint-plugin-security to catch such vulnerable user attempts.
18. Run unsafe code in a Sandbox
Make sure that you use a sandbox tool when your application runs an external code because that can attack your system with infinite loops, overloading memory, or accessing sensitive env variables.
You must use dedicated processes like cluster.fork(), or npm packages, or a serverless environment as a sandbox to protect your Node.js application.
19. Be cautious when working with child processes
Try not to use child processes, and when you have to, do validate the inputs. They can pose shell injection attacks by unsanitized system commands.
Instead, you can use child_process.execFile, which executes a single command with multiple attributes, and thus will not expand shell parameters.
20. Hide error details from clients
Good advice says you should use your own error handler that has custom error objects. While doing that, you must not return the entire error object to the user because it might obtain some of your application’s sensitive data.
21. Configure 2FA for NPM or Yarn
Hackers steal the developers’ credentials and instill malicious code in your project libraries, despite your applying multi-factor authentication (MFA). If the attackers plant the code on the public domain, then the entire web may be infected.
Hence, you must use two-factor authentication 2FA with npm/yarn, which leaves no chance of hackers.
22. Cookie & Session security
You should not reveal your tech-stack because attackers know the weakness of all the frameworks and technologies. Mostly cookies are transmitted over insecure connections, and hackers can tweak the session for the private information.
You must protect your app as well as your user’s privacy by keeping a check on Cookie and Session security.
23. Prevent unsafe redirects
As the attackers get to know that you are not validating user input, they can pose attacks like credential stealing, can launch phishing attacks or other malicious events. Thus, you must take care of all the redirects that arise from your application.
If you take this matter lightly, attackers can post specific links of forums, or social-media attractions, so that your users click through it.
24. Avoid publishing secrets
You must see that all your passwords, API keys, and other secrets are safe and not published on the public NPM registries. If not so, attackers can leverage the benefits of your leaks and impede your financial losses, can impersonate you, and other risks too.
You can use .npmignore file as a blacklist, and files array in package.json as a whitelist.
I hope you find these node.js application security practices helpful.
Conclusion
Node.js is the master key solution for start-ups to hastily simplify development and it is a sophisticated ecosystem adopted by the leading enterprises.
Even the safest of all treasures need to be precautious of theft and attacks. And when you are using the most precious web framework for your valuable project, you sure want to shield it from burglary. Get in touch with our Node.js experts to secure your Node.js web application and protect your system from unauthorized breaches. We let you Hire Node.js Developer and consultant from us whether you want to secure your Node.js application or looking for assistance to build data-intensive apps tailored to meet your business needs.