I am working on a real-time analytics application and am using websockets (through the socket.io library) along with nodejs. There will be no "sensitive" data being sent through the websockets (like names, addresses, etc). It will be only used to track visits and to track the total visitors (along with the number of visitors on the top 10 most visited URLs).
Are there any security issues that I should be aware of? Am I opening myself up to:
Thanks!
1. DoS attacks?
You are opening yourself up to DoS attacks, and if they are done properly there is almost nothing you can do against this kind of attack.
2. XSS attacks?
If you don't filter, you are vulnerable to XSS attacks. I believe you could protect yourself against this using something looking like this:
/**
 * Escape the given string of `html`.
 *
 * @param {String} html
 * @return {String}
 * @api private
 */
function escape(html){
  return String(html)
    .replace(/&(?!\w+;)/g, '&amp;')   // leave existing entities alone, escape any other '&'
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}
3. Additional security holes that could be used to gain access to the webserver/webserver's LAN?
You should protect yourself against LAN attacks using a firewall?
4. Anything else I didn't mention here?
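As an added example (not the answer's own code), the escape above combined with the checks a visit-tracking server like the one described would want before counting an event: validating the reported path, capping how many events one socket may send, and escaping every path at the point it is rendered into the dashboard. The origin `https://analytics.example`, the limits and the function names are assumptions; no socket.io connection is opened, the functions are meant to be called from a `socket.on('visit', ...)` handler.

```javascript
// Added example (not the answer's own code): hardened escaping, path validation,
// a per-socket rate limit and escaped rendering for the visit-tracking server.

// Escape all five HTML-significant characters. Unlike the regex in the answer,
// '&' is escaped unconditionally: the output then shows exactly what was sent,
// including a literal "&lt;" in a reported path, with no entity passed through.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Only count paths on the site being measured (SITE_ORIGIN is a constructed value).
// Anything that is not a string, is too long, or resolves to another origin
// or a non-http scheme (javascript:, data:) is dropped instead of being counted.
const SITE_ORIGIN = 'https://analytics.example';
function normalizeVisitPath(raw) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) return null;
  try {
    const u = new URL(raw, SITE_ORIGIN);
    return u.origin === SITE_ORIGIN ? u.pathname + u.search : null; // fragment dropped
  } catch { return null; }
}

// Fixed-window limiter kept per connected socket: it does not stop a
// distributed flood, but one misbehaving client cannot inflate the counters.
class VisitRateLimiter {
  constructor(maxPerWindow, windowMs, now = Date.now) {
    this.max = maxPerWindow; this.windowMs = windowMs; this.now = now;
    this.windowStart = now(); this.count = 0;
  }
  allow() {
    const t = this.now();
    if (t - this.windowStart >= this.windowMs) { this.windowStart = t; this.count = 0; }
    return ++this.count <= this.max;
  }
}

// Render the top-N table; every path is escaped at the point it meets HTML.
function renderTopUrlsHtml(counts, n = 10) {
  return [...counts.entries()]
    .sort((a, b) => b[1] - a[1])
    .slice(0, n)
    .map(([path, hits]) => `<li>${escapeHtml(path)} (${hits})</li>`)
    .join('');
}
```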