Securing NodeJS Apps: Best Practices

Securing NodeJS Apps: Best Practices

The following are Some of the essential(required) that I believe should be followed to secure NodeJS apps

  • Ensure you use up to date dependencies and third-party packages
  • Ensure your dependencies are secure,
    npm audit
    
    Remember, the security of your app is only as strong as the “weakest link” in your dependencies.
  • Use Helmet to protect your app from some well-known web vulnerabilities by setting HTTP headers appropriately.
  • Use Cookies securely
     - Don't use default session cookie name
     - Set-Cookie security options
    
  • Use TLS(Transport Layer Security) in production
  • Avoid other known vulnerabilities using tools such as synk or Node Security Project
  • Protect your apps against Cross-site request forgery(CSRF), use csurf middleware.
  • Filter/sanitize user input to prevent cross-site scripting.
  • Defend against SQL injection attacks by using parameterized queries or prepared statements. sqlmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers.
  • Use safe-regex to ensure your regular expressions are not susceptible to regular expression denial of service attacks .

Source

  1. Node.js Security Checklist
  2. Express: Production Best Practices
  3. DA-14 blog: HOW TO BUILD SECURE NODE.JS APPLICATIONS

Did you find this article valuable?

Support Nicanor Talks Web by becoming a sponsor. Any amount is appreciated!