Table of Contents
Node.js is a popular programming framework to lace the back-end of web applications. It offers scalability and handles concurrent requests. It combines a runtime environment, JavaScript library, and encourages design decisions that scale well. It is easy to learn and use compared to Erlang, Scala. It has a vibrant open-source community, and a plethora of great libraries are available. Development of simple to complex Node.js applications requires finding and installing open-source dependencies, building out the roughed-out directory structure by adding models, tests, assets, etc., and writing code to stitch it together.
See also:
Before you move ahead with it, try considering essentials about Node.js:
Get your favourite text editor, get the newest version of Node.js installed (https://nodejs.org/en/) and get ready to follow along. Node.js works wonders at the application back end. Let’s start with features and top it up with security best practices.
Node.js is being used in I/O bound applications, Data Streaming Applications, JSON API’s based applications, Single page applications. It is primarily used for non-blocking, event-driven servers due to its single-threaded nature. It is used in traditional websites and back-end API services but is designed with real-time, push-based architectures.
Make use of parameters to prevent injection attacks: Node.js applications are vulnerable to SQL/NoSQL injection attacks. Hackers intrude on the system by sending queries as user inputs forcing the system to involuntarily release sensitive information. Developers should never pass the parameters from the frontend to the database query without verification. Some Node.js libraries perform automatically. Cross-site scripting/XSS attacks pose a similar threat and the only way to secure a Node.js Application from such attacks is by validating user input.
Use Multi-Factor Authentication to Prevent Automated Attacks: Broken authentication breaks any system. It can be a weak password, weak session or management policies. Leveraging authentication service providers, two-factor authentication (2FA) can be implemented via npm package and generating one-time tokens in a Node.js application.
Discard Sensitive Data after Use: Sensitive data is always at the risk of exposure. Attackers are always on the lookout to steal secrets, hijack sessions, steal users’ data, and perform man-in-the-middle attacks. Ensure that your passwords are strong, and encrypted with strong hashing functions. Also, enforce HTTP strict transport security (HSTS) on TLS to prevent packet sniffing and man-in-the-middle attacks.
Patch Old XML Processors: XML external entities attack enables XML processors to trick into allowing data from external or local resources. Older XML processors allow specifications of an external entity that is evaluated during XML processing.
Enforce Access Control on Every Request: Loosely coupled control policies, insufficient functional testing, weak access control rules, intrusion of middlewares – altogether eliminates the possibility of manipulating access permissions from the client-side by cookies or JWT (JSON Web Token) authorization tokens. You need to limit the API rate and set up log access controls.
Create Fluid Build Pipelines for Security Patches: Security misconfiguration vulnerabilities via soft build pipelines leave node.js app vulnerable as development, staging is configurations to have loose security patches. Ensure keeping all environments identical with different credentials and distinct access levels. On the other hand, default package settings leave vulnerability breadcrumbs for malicious attackers’ tails.
Sanitize All Incoming Inputs: In Cross-Site Scripting (XSS) attacks, hackers execute malicious JavaScript Code on client-side applications. It can be client XSS and server XSS. It is when an untrusted input from a client is accepted by the backend for without proper validation processing/storage. Such data may contain executable malicious JavaScript code.
Scan Application for Vulnerabilities Regularly: Open source node.js packages are prone to open-source vulnerabilities. Developers can track them through Package manager-provided solutions and WhiteSource bolt.
Secure Deserialization: Insecure deserialization is a flaw that involves the execution of malicious objects via API calls or remote code execution. It occurs via an object/data structure attack where an attacker modifies an application by executing remote code on the application. Another is when legitimate data objects like cookies are tempered by the hacker for malicious intent.
Cross-Site Request Forgery (CSRF): To mitigate such attacks, generate a CSRF token from the server and add it to a hidden field form field.
Sufficient Logging and Monitoring: Attackers often intrude systems with all the tools in stock before the point of entry. If developers configure applications and services to a centralized logging system, it will provide an audit trail for ongoing attacks or attempted data breaches. It is encouraged to float regular pen test exercises to resist system logging and monitoring policies, as well as help teams, establish response and recovery plans in the event of a breach.
Eradicating Brute Force Attacks: It is when a hacker continuously generates a random password to unlock an application. Consider using the bcrypt.js package as part of Node.js security, to guard the password stored in the database.
Security Against Denial-of-Service Attacks: Exploiting bugs in HTTP handling results in the prematurely terminated process. Consider implementing a high limiting factor via a limiting function that limits the number of requests made by the user. Limiting the body payload ensures limiting the number of data sent in the body payload. It is to be seen that the load is never higher.
Additionally,
Make use of security-related linter plugins to catch security vulnerabilities.
Limit concurrent requests by making use of middleware.
Implement rate limiting using an external service like cloud load balancers, cloud firewalls, nginx, rate-limiter-flexible package or a rate-limiting middleware to limit concurrent requests using a middleware.
Use packages to encrypt configuration files: Try not to publicize source controls even for private repositories.
Prevent Query Injection Vulnerabilities With ORM/ODM Libraries: Never make use of JavaScript template strings or string concatenation to inject values into queries as it opens up a wide spectrum of vulnerabilities. All Node.js data access libraries have built-in protection against injection attacks.
Avoid DOS attacks: Node process crashes if errors are not handled. Alert with critical severity anytime a process crashes due to an unhandled error. Validate every user input and avoid crashing the process due to invalid user input, wrap all routes with a catch and consider not to crash when an error is initiated within a request.
Adjust the HTTP response headers for enhanced security: Make use of secure headers in the application form using common attacks like cross-site scripting (XSS), clickjacking, and other malicious attacks.
Constantly and automatically inspect for vulnerable dependencies: node.js developers use npm, audit, nsp, snyk to monitor, track, patch vulnerable dependencies. Integrate these tools with your CI setup and catch your vulnerable dependency before it is released.
Escape HTML, JS and CSS output: Prevent cross-site-scripting (XSS) by using dedicated libraries that explicitly mark the data as pure content that is never executed.
Validate incoming JSON schemas: Ensure that incoming payload qualifies expectations. Use JSON-based validation schemas to avoid tedious validation coding within each route.
Support blacklisting JWT tokens: As there is no mechanism to revoke access from issued tokens while using JWT tokens, implement a blacklist of untrusted tokens that are validated on request.
Run Node.js as a non-root user: Create a non-root user and bake it into the Docker image or run the process on this users’ behalf by invoking the container with the flag “u username”.
Avoid JavaScript eval statements: eval allows executing a custom JavaScript code during run time. Along with performance, it also takes care of security concerns due to malicious JavaScript code that may be sourced from user input. Also never pass new function constructor, settimeout and setinterval along with JavaScript code.
Prevent evil RegEx from overloading your single thread execution: Prefer a third-party validation package like validator.js instead of writing your Regex patterns, or make use of safe-regex to detect vulnerable regex patterns.
Avoid module loading using a variable: Avoid importing a file with a path that was given as a parameter due to the concern that it could have originated from user input. Use Eslint-plugin-security linter to catch such patterns and get notified early on.
Run unsafe code in a sandbox: Make use of a sandbox execution environment to isolate and guard the main code against plugins. This is achievable by using a dedicated process (cluster.fork()) serverless environment or dedicated npm packages that act as a sandbox.
Take extra care when working with child processes: Mitigate shell injection by using child_process.execFile, which only executes a single command with a set of attributes and does not allow shell parameter expansion.
Hide error details from clients: Hide error details from the client to secure sensitive application details – (1)server file paths, (2)third-party modules in use, (3)internal workflows of the application which could be exploited by an attacker.
Modify session middleware settings: Make use of default settings for session middlewares preventing the app from exposure from the module and framework-specific hijacking attacks. Try hiding anything that identifies and reveals your technology stack.
Avoid publishing secrets to the npm registry: Prevent the risk of accidentally publishing secrets to public npm registries by taking necessary precautions. Use .npmignore file to ‘blacklist’ specific files or folders, or the files array in package.json as a white-list;
As much as the security, it is pertinent to stick to a stringent delivery deadline, which sometimes prevents Node.js developers from implementing correct security measures in Node.js applications. We configure and cross-check security at every step of the software development lifecycle, from conception to production. We hope you now have clarity on node.js security issues and node.js security best practices. Reach out to us for more!
Neeti Kotia is a technology journalist who seeks to analyze the advancements and developments in technology that affect our everyday lives. Her articles primarily focus upon the business, social, cultural, and entertainment side of the technology sector.
Or send us an email at: [email protected]
