The following are some of the essential (required) practices that I believe should be followed to secure Node.js apps:
- Ensure you use up to date dependencies and third-party packages
- Ensure your dependencies are secure, and run npm audit to check them for known vulnerabilities. Remember, the security of your app is only as strong as the "weakest link" in your dependencies.
- Use Helmet to protect your app from some well-known web vulnerabilities by setting HTTP headers appropriately.
- Use cookies securely
- Don't use the default session cookie name, and set the Set-Cookie security options.
- Use TLS (Transport Layer Security) in production.
- Avoid other known vulnerabilities using tools such as Snyk or the Node Security Project.
- Protect your apps against cross-site request forgery (CSRF) by using the csurf middleware.
- Filter/sanitize user input to prevent cross-site scripting (XSS).
- Defend against SQL injection attacks by using parameterized queries or prepared statements. sqlmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.
- Use safe-regex to ensure your regular expressions are not susceptible to regular expression denial of service (ReDoS) attacks.
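As an added example (not code from the original list or from the safe-regex project), here is a small Node.js function that applies the same star-height heuristic safe-regex uses: a pattern whose repeated groups are nested more than one level deep, such as (a+)+, can backtrack exponentially on crafted input and should be rejected or rewritten. The sample patterns at the bottom are constructed for illustration.

```javascript
// Star height = deepest nesting of quantified (repeated) groups in a pattern.
// Height 0: no repetition; 1: simple repetition (a+); 2+: nested repetition ((a+)+).
function starHeight(pattern) {
  const src = pattern instanceof RegExp ? pattern.source : pattern;
  const frames = [0]; // max height seen inside each open group; frames[0] is top level
  const isQuantifier = (j) =>
    '*+?'.includes(src[j]) || (src[j] === '{' && /^\{\d+(,\d*)?\}/.test(src.slice(j)));
  let i = 0;
  while (i < src.length) {
    const c = src[i];
    let height = 0; // star height of the atom consumed in this iteration
    if (c === '(') { frames.push(0); i++; continue; } // open group: new frame
    if (c === '|') { i++; continue; }                  // alternation: no atom
    if (c === ')') {                                   // close group: its height is the atom's
      if (frames.length > 1) height = frames.pop();
      i++;
    } else if (c === '\\') {
      i += 2;                                          // escaped char such as \d or \.
    } else if (c === '[') {                            // a character class is a single atom
      i++;
      while (i < src.length && src[i] !== ']') i += src[i] === '\\' ? 2 : 1;
      i++;
    } else {
      i++;                                             // literal character
    }
    let quantified = false;                            // consume *, +, ?, {n,m} and lazy '?'
    while (i < src.length && isQuantifier(i)) {
      quantified = true;
      i = src[i] === '{' ? src.indexOf('}', i) + 1 : i + 1;
      if (src[i] === '?') i++;
    }
    if (quantified) height += 1;
    frames[frames.length - 1] = Math.max(frames[frames.length - 1], height);
  }
  return frames[0];
}

// Same decision rule as safe-regex: star height above 1 is treated as unsafe.
function isSafeRegex(pattern) {
  return starHeight(pattern) <= 1;
}

// Constructed sample patterns: the first two are classic ReDoS shapes.
const samples = [/(a+)+$/, /^(\w+\s?)*$/, /^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$/, /^\d{4}-\d{2}$/];
for (const re of samples) {
  console.log(`${re}  star height ${starHeight(re)}  ${isSafeRegex(re) ? 'ok' : 'UNSAFE'}`);
}
```

This check is a heuristic, like safe-regex itself: it flags nested quantifiers but does not prove a pattern is free of catastrophic backtracking.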