Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Securing NodeJS RESTful API and React client app

Tags:

rest

security

node.js

I've a backend RESTful API built in NodeJS and a front end application in React JS(NextJS), both hosted on AWS. The client and server communicates using JWT token. I want to make sure both the client app and server side app are highly secured.

What i've done:

  • I'm using HTTPS for both client and server
  • Whitelist the client react app IP address so only the client react app can talk to the server app. This was done in AWS security group
  • Use cors in my server Node.JS application, to whitelist the client IP address again as an addition to No. 1
  • Use AWS WAF to secure the backend NodeJS application,
  • Use helmet in the NodeJS server backend API
  • Make sure the JWT token only last seven days, it'll be invalid and the user needs to login again to get a new token.

Answers i've looked at and used:

  1. How to secure client app (react) and API communication

  2. According to: RESTful Authentication i'm using Token in HTTP headers (e.g. OAuth 2.0 + JWT), this i sent for every client request

  3. Using a refresh token: Refresh Token Jsonwebtoken

    What i'm concerned about, and i need some help with:

    1. Since the JWT token is how the server validates the client, is the JWT communication secured? Are there other steps i can take to improve the JWT security?

    2. Is this application architecture secured enough?

    3. Is there anything else i can do improve it's security, as i'm really concerned and want to make sure it's very secured.

    4. Should i encrypt the JSON payload sent from the client to the server? because that's visible in any browser network tab under XHR, i'm sending username & password as payload for login.

I'm mostly concerned about security because i've integrated stripe payment in the application, and i'm also storing some sensitive data.

Any recommendation would be high appreciated, this is my first time deploying an production app.

like image 410
james Avatar asked Sep 17 '25 20:09

james

1 Answers

As of what you have done the application must be pretty much secure.... except i would like to add a few things....

  1. Make sure that the tokens have expiry and use refresh token to issue new tokens. The jwt stored at clients could be vulnerable for man in the middle attack. (For more performance use redis to store refresh tokens... look more on this)
  2. If you are using https, the request will be only visible to the client's browser and not to any sniffers in the network (check on this whether ure able to see encrypted payload in sniffing tools like wireshark etc... to validate the https uve used). So its not necessary to go for any more encryption. That would decrease the performance of the api server.
like image 190
Venkatesh A Avatar answered Sep 19 '25 11:09

Venkatesh A
Sign in to Comment

Related questions

Typescript generated JavaScript has a function that is not a function
difference between request.ip and request.headers['x-forwarded-for']
how to check if I already set uncaughtException event
How do I log who deleted a message in discord.js?
typescript export object error declaration or statement expected
how to update warn deprecated
Change font for the title of Navigation Header bar in react-native

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!