Flash cards
Review the key moves
1/4
Core idea
What is the main idea behind Node.js Security?
Lesson checks
Practice each idea before moving on
Short Mimo-style checks built from this lesson's code, terms, and sequence.
1Quick choice
Which statement best captures the main point of this lesson?
2Fill blank
Complete the missing token from the example code.
___ express = require('express');3Order
Put the learning moves in the order that makes the concept easiest to apply.
Input Validation and Sanitization
Common Security Vulnerabilities in Node.js
Why Security Matters in Node.js
Why Security Matters in Node.js
Security is critically important for Node.js applications for several reasons:
- JavaScript Ecosystem Size: The npm registry contains over 1.5 million packages, making it difficult to verify the security of all dependencies
- Server-Side Execution: Unlike client-side JavaScript, Node.js has access to file systems, networks, and other sensitive resources
- Default Permissiveness: Node.js has few security restrictions by default, making secure coding practices essential
- Event-Driven Architecture: Asynchronous operations can create complex execution flows that may hide security flaws
When Node.js applications are compromised, attackers might:
- Access sensitive user data
- Manipulate application behavior
- Use your server for cryptocurrency mining
- Launch attacks against other systems
- Damage your organization's reputation
Common Security Vulnerabilities in Node.js
| Vulnerability | Description | Impact |
|---|---|---|
| Injection Attacks | Inserting malicious code into inputs processed by the application (SQL, NoSQL, OS commands) | Data theft, unauthorized access, service disruption |
| Cross-Site Scripting (XSS) | Injecting client-side scripts into web pages viewed by other users | Session hijacking, credential theft, defacement |
| Broken Authentication | Flaws in authentication mechanisms that allow credential compromise | Account takeover, privilege escalation |
| Insecure Dependencies | Using third-party packages with known vulnerabilities | Inheriting all vulnerabilities from dependencies |
| Information Exposure | Leaking sensitive data through error messages, logs, or responses | System information disclosure, data leakage |
| Cross-Site Request Forgery | Tricking users into making unwanted actions on a web application they're authenticated to | Performing unauthorized operations on behalf of users |
| Security Misconfiguration | Improper configuration of security settings in Node.js applications | Various security gaps and vulnerabilities |
| Path Traversal | Accessing files and directories outside of intended application paths | Unauthorized file access, code execution |
Input Validation and Sanitization
Never trust user input. Always validate and sanitize all data that comes from outside your application.
const express = require('express');
const { body, validationResult } = require('express-validator');
const app = express();
app.use(express.json());
// Define validation rules
const userValidationRules = [
body('email').isEmail().normalizeEmail(),
body('password').isLength({ min: 8 }),
body('age').isInt({ min: 18 }).toInt(),
body('name').trim().escape().notEmpty()
];
// Apply validation
app.post('/register', userValidationRules, (req, res) => {
// Check for validation errors
const errors = validationResult(req);
if (!errors.isEmpty()) {
return res.status(400).json({ errors: errors.array() });
}
// Process validated data
const { email, password, age, name } = req.body;
// ... safe to use validated data
res.status(201).json({ message: 'User registered successfully' });
});Protection Against Injection Attacks
Prevent SQL, NoSQL, command injection, and similar attacks by using parameterized queries and avoiding direct concatenation of user input.
// VULNERABLE - DO NOT USE
function searchUsersUnsafe(name) {
// Direct string concatenation - VULNERABLE TO INJECTION
return db.query(`SELECT * FROM users WHERE name LIKE '%${name}%'`);
}
// SAFE - USE THIS APPROACH
function searchUsersSafe(name) {
// Parameterized query - PROTECTED AGAINST INJECTION
return db.query('SELECT * FROM users WHERE name LIKE ?', [`%${name}%`]);
}Cross-Site Scripting (XSS) Prevention
Protect against XSS by properly encoding output and using Content Security Policy (CSP).
const express = require('express');
const app = express();
// VULNERABLE - Direct insertion of user input into HTML
app.get('/unsafe', (req, res) => {
const userInput = req.query.message || '';
res.send(`<div>Your message: ${userInput}</div>`);
});
// SAFE - Encoding user input
app.get('/safe', (req, res) => {
const userInput = req.query.message || '';
// Encode HTML special characters
const safeInput = userInput
.replace(/&/g, '&')
.replace(/</g, '<')
.replace(/>/g, '>')
.replace(/"/g, '"')
.replace(/'/g, ''');
res.send(`<div>Your message: ${safeInput}</div>`);
});Keep Dependencies Up-to-Date
Regularly check for and update vulnerable dependencies using npm audit and other security tools.
# Check for vulnerable dependencies
npm audit
# Automatically fix vulnerabilities when possible
npm audit fix
# Check for vulnerable dependencies in production only
npm audit --production
# Generate a detailed report
npm audit --json > audit-report.jsonSecure Authentication Practices
Implement authentication securely with proper password hashing, account lockouts, and multi-factor authentication.
const crypto = require('crypto');
// Generate a random salt
function generateSalt() {
return crypto.randomBytes(16).toString('hex');
}
// Hash password with PBKDF2
function hashPassword(password, salt) {
return crypto.pbkdf2Sync(password, salt, 10000, 64, 'sha512').toString('hex');
}
// Register a new user with secure password storage
function registerUser(username, password) {
// Generate unique salt for this user
const salt = generateSalt();
// Hash the password with the salt
const hashedPassword = hashPassword(password, salt);
// Store username, hashedPassword, and salt in database
// NEVER store plaintext passwords
return { username, hashedPassword, salt };
}
// Verify a login attempt
function verifyUser(username, password, storedHash, storedSalt) {
// Hash the provided password with the stored salt
const hashedAttempt = hashPassword(password, storedSalt);
// Time-constant comparison to prevent timing attacks
return crypto.timingSafeEqual(
Buffer.from(hashedAttempt, 'hex'),
Buffer.from(storedHash, 'hex')
);
}Use Security Headers
Implement HTTP security headers to protect against various attacks. Use packages like Helmet.js to simplify this.
const express = require('express');
const helmet = require('helmet');
const app = express();
// Apply all security headers with default settings
app.use(helmet());
// Or customize specific headers
app.use(helmet({
contentSecurityPolicy: {
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "'unsafe-inline'", 'trusted-cdn.com']
}
},
// Prevent clickjacking
frameguard: { action: 'deny' },
// Strict-Transport-Security
hsts: { maxAge: 15552000, includeSubDomains: true }
}));Use HTTPS
Always use HTTPS in production environments to encrypt data in transit.
const https = require('https');
const fs = require('fs');
const express = require('express');
const app = express();
// Your Express routes here
app.get('/', (req, res) => {
res.send('Secure HTTPS Server');
});
// HTTPS configuration
const options = {
key: fs.readFileSync('path/to/private-key.pem'),
// Modern, secure TLS options
minVersion: 'TLSv1.2',
ciphers: 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256'
};
// Create HTTPS server
https.createServer(options, app).listen(443, () => {
console.log('HTTPS server running on port 443');
});Protect Sensitive Data
Store sensitive data securely using environment variables and dedicated secret management solutions.
// Load environment variables from .env file in development
if (process.env.NODE_ENV !== 'production') {
require('dotenv').config();
}
// Access environment variables
const dbConnection = {
host: process.env.DB_HOST,
username: process.env.DB_USER,
password: process.env.DB_PASSWORD,
database: process.env.DB_NAME
};
// Never log sensitive information
console.log('Connected to database:', dbConnection.host);
// DON'T DO THIS: console.log('Database connection:', dbConnection);Important: Never commit sensitive data to version control. Use .gitignore to exclude .env files.
Dependency Vulnerability Management
Node.js applications typically have numerous dependencies, each potentially introducing security vulnerabilities.
Proper dependency management is essential for maintaining application security.
Using npm audit
The npm audit command scans your dependency tree and identifies packages with known vulnerabilities:
# Run a basic audit
npm audit
# Fix vulnerabilities automatically (when possible)
npm audit fix
# Fix vulnerabilities that might require major version updates
npm audit fix --forceThe output of npm audit includes
- Vulnerability severity (low, moderate, high, critical)
- Affected package and vulnerable version range
- Description of the vulnerability
- Path to the vulnerable dependency
- Recommended actions to fix the issue
Vulnerability Prevention Strategies
- Lock Dependencies: Use package-lock.json or yarn.lock to lock dependency versions
- Set Minimum Versions: Use version ranges with minimum bounds (e.g., "express": "^4.17.1" )
- Automated Scanning: Integrate security scanning into your CI/CD pipeline
- Consider Alternatives: For problematic packages, research alternatives with better security records
Third-Party Security Tools
| Tool | Purpose |
|---|---|
| Snyk | Scans dependencies, provides automated fix PRs, and monitors applications continuously |
| SonarQube | Detects vulnerabilities, code smells, and maintainability issues in your code |
| OWASP Dependency-Check | Identifies project dependencies with known vulnerabilities |
| WhiteSource Bolt | Continuous security and compliance for open source components |
Rate Limiting
Protect your API from abuse or brute force attacks by implementing rate limiting:
const express = require('express');
const rateLimit = require('express-rate-limit');
const app = express();
// Basic rate limiter: max 100 requests per 15 minutes per IP
const limiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 100, // limit each IP to 100 requests per windowMs
standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
message: 'Too many requests from this IP, please try again after 15 minutes'
});
// Apply rate limiting to all requests
app.use(limiter);
// Or apply to specific routes
const loginLimiter = rateLimit({
windowMs: 60 * 60 * 1000, // 1 hour
max: 5, // 5 failed attempts per hour
message: 'Too many login attempts, please try again after an hour'
});
app.post('/login', loginLimiter, (req, res) => {
// Login logic here
});CSRF Protection
Prevent Cross-Site Request Forgery attacks by implementing CSRF tokens:
const express = require('express');
const cookieParser = require('cookie-parser');
const csrf = require('csurf');
const app = express();
// Setup middleware
app.use(express.urlencoded({ extended: false }));
app.use(cookieParser());
// Initialize CSRF protection
const csrfProtection = csrf({ cookie: true });
// Form display route with CSRF token
app.get('/form', csrfProtection, (req, res) => {
res.send(`
<form action="/process" method="POST">
<input type="hidden" name="_csrf" value="${req.csrfToken()}">
<input type="text" name="data">
<button type="submit">Submit</button>
</form>
`);
});
// Form submission route with CSRF validation
app.post('/process', csrfProtection, (req, res) => {
// If we get here, CSRF token was valid
res.send('Data processed successfully');
});
// CSRF errors will be caught here
app.use((err, req, res, next) => {
if (err.code === 'EBADCSRFTOKEN') {
// Handle CSRF token errors
res.status(403).send('CSRF token validation failed');
} else {
next(err);
}
});Content Security Policy (CSP)
CSP helps prevent XSS and data injection attacks by controlling which resources can be loaded by the browser:
const express = require('express');
const helmet = require('helmet');
const app = express();
// Detailed CSP configuration
app.use(helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"], // Only allow resources from same origin
scriptSrc: ["'self'", "'unsafe-inline'", 'trusted-cdn.com'],
styleSrc: ["'self'", "'unsafe-inline'", 'trusted-cdn.com'],
imgSrc: ["'self'", 'data:', 'trusted-cdn.com', 'another-trusted-cdn.com'],
connectSrc: ["'self'", 'api.example.com'], // API endpoints
fontSrc: ["'self'", 'fonts.googleapis.com', 'fonts.gstatic.com'],
objectSrc: ["'none'"], // Prevent object, embed, and applet elements
mediaSrc: ["'self'"], // Audio and video sources
frameSrc: ["'self'"], // Frames
sandbox: ['allow-forms', 'allow-scripts', 'allow-same-origin'],
reportUri: '/csp-violation-report'
}
}));
// Route to handle CSP violation reports
app.post('/csp-violation-report', (req, res) => {
// Log CSP violations
console.log('CSP Violation:', req.body);
res.status(204).end();
});Security Logging and Monitoring
Implement comprehensive logging to detect and respond to security incidents:
const winston = require('winston');
const express = require('express');
const app = express();
// Create a security logger
const securityLogger = winston.createLogger({
level: 'info',
format: winston.format.combine(
winston.format.timestamp(),
winston.format.json()
),
defaultMeta: { service: 'security-service' },
transports: [
new winston.transports.File({ filename: 'security-events.log' })
]
});
// Log authentication attempts
app.post('/login', (req, res) => {
const { username } = req.body;
const ip = req.ip;
// Authentication logic here...
const success = true; // Replace with actual auth logic
// Log the authentication attempt
securityLogger.info({
event: 'authentication_attempt',
username,
ip,
success,
userAgent: req.get('User-Agent')
});
// Continue with login response...
});
// Log access to sensitive resources
app.get('/admin', (req, res) => {
securityLogger.info({
event: 'admin_access',
user: req.user?.id,
ip: req.ip,
method: req.method,
path: req.path
});
// Continue with admin page response...
});Secure Development Lifecycle (SDLC)
Building secure Node.js applications requires integrating security throughout the entire development process.
Requirements & Design Phase
- Define security requirements and compliance needs
- Perform threat modeling to identify potential risks
- Design with security principles in mind (least privilege, defense in depth)
- Choose secure frameworks and libraries
Development Phase
- Use secure coding standards and linters
- Implement input validation and output encoding
- Use parameterized queries for database access
- Follow the principle of least privilege
Testing Phase
- Conduct static application security testing (SAST)
- Perform dynamic application security testing (DAST)
- Run dependency vulnerability scans
- Conduct penetration testing
Deployment & Maintenance
- Use secure configuration management
- Implement continuous security monitoring
- Establish an incident response plan
- Schedule regular security audits
Example: Secure Development Checklist
// package.json example with security-related scripts
{
"name": "secure-node-app",
"version": "1.0.0",
"scripts": {
"start": "node app.js",
"test": "jest",
"lint": "eslint . --ext .js",
"audit": "npm audit --production --audit-level=high",
"check-vuln": "npx snyk test",
"security-check": "npm-run-all --parallel lint audit check-vuln",
"precommit": "npm run security-check"
},
"dependencies": {
// Production dependencies
},
"devDependencies": {
"eslint": "^8.0.0",
"eslint-plugin-security": "^1.5.0",
"jest": "^29.0.0",
"npm-run-all": "^4.1.5",
"snyk": "^1.1000.0"
},
"husky": {
"hooks": {
"pre-commit": "npm run security-check"
}
}
}Tip
Integrate security checks into your CI/CD pipeline to automatically catch security issues before they reach production.