 

Node.js Express Framework Security Issues [closed]

I'm looking for modules that should be added to a Node/Express app that address the general security concerns listed below:

  • Injection Vulnerabilities (JavaScript, SQL, Mongo, HTML)
  • Session fixation and hijacking
  • Cross-Site Vulnerabilities (Scripting, Request Forgery)
  • Mass Assignment
  • insert relevant concern here

Thanks for your help!

----------

Some resources I've found:

Excellent talk (11/2012): http://lanyrd.com/2012/asfws/sxzbm/ (see slides)

ServerFault question (2011-2012): https://serverfault.com/questions/285123/is-node-js-mature-for-enterprise-security

Blog post on topic (9/2012): http://codefol.io/posts/29-Why-Rails-and-not-Sinatra-or-Node-js-

Exploit tester: https://code.google.com/p/skipfish/

Passport Module: https://github.com/jaredhanson/passport

EveryAuth Module: https://github.com/bnoguchi/everyauth

D.Deriso asked Jan 30 '13 19:01




2 Answers

I wrote a blog post that gives a great starting point on Writing Secure Express.js Apps. It covers a few other things beyond csrf and helmet as was mentioned by zeMirco.

The other thing is you can't compare express.js to rails. They are apples and oranges. For example, there is no ORM that is bundled with Express, that implementation or use of a third party module is up to you.

I'll try and give a breakdown of each of your concerns.

-Injection Vulnerabilities (JavaScript, SQL, Mongo, HTML) 

Again, these are things not built into express. The closest thing would be XSS worries over injection in templates. Jade or EJS templates that are commonly used with express output encode < > " ' and & by default, but remember there are other contexts like user input into JavaScript or CSS that you would need to worry about.

-Session fixation and hijacking 

Again see the blog post above, but Express is based on and uses most of the connect middleware; one of these is the session middleware. Biggest thing here is to properly set your cookie flags.

-Cross-Site Vulnerabilities (Scripting, Request Forgery) 

See above. It also comes with express.csrf() middleware. The blog post mentioned shows how to implement it.

-Mass Assignment 

Not an issue with express.js as it has no concepts in which this type of vulnerability would be applicable, however the custom logic you write may in fact be vulnerable to this problem, so again it's a problem of verifying if your code is vulnerable or if the third party module you used is...

Adam Baldwin answered Sep 28 '22 18:09
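An added example (not from either answer, and not Express or Jade/EJS code) illustrating two points from the answer above in plain Node.js: the HTML encoding that Jade/EJS apply by default is the wrong encoder once user input lands inside a JavaScript string context, and the mass-assignment guard has to live in your own handler as a field allowlist. The function names and the sample request body are assumptions made for the example.

```javascript
// Added example, not code from the question, the answers or Express itself.
// Runs stand-alone under Node.js; no Express dependency.

// 1. Output encoding. Jade/EJS HTML-encode < > " ' & by default, which is
//    right for HTML text and attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The same value placed inside a JavaScript string literal in a <script>
// block needs a different encoder: quotes, backslashes, line terminators
// and "</script>" are what break out of that context, and HTML entities
// are not interpreted there. Everything outside a conservative safe set is
// turned into a \uXXXX escape, which a JS string literal always accepts.
function escapeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 ,._-]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// 2. Mass assignment. Express bundles no ORM, so the guard is your own code:
//    copy only the fields a user is allowed to set, never the whole body.
function pickAllowed(body, allowed) {
  const out = {};
  for (const key of allowed) {
    if (Object.prototype.hasOwnProperty.call(body, key)) out[key] = body[key];
  }
  return out;
}

// Constructed sample input standing in for a parsed request body.
const sampleBody = { name: '<b>Mallory</b>', email: 'm@example.test', isAdmin: true };

// Returns the three results so they can be inspected or asserted on.
function demo() {
  return {
    html: escapeHtml(sampleBody.name),                 // safe in HTML text
    js: escapeJsString("'; alert(1); //"),             // safe in a JS string literal
    user: pickAllowed(sampleBody, ['name', 'email']),  // isAdmin is dropped
  };
}
```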


Two modules I can immediately think of:

  1. csrf: CSRF protection middleware.
  2. helmet: Middleware that implements various security headers
zemirco answered Sep 28 '22 18:09