Categories
Node.js Best Practices

Node.js Best Practices — HTTPS

Spread the love

Like any kind of apps, JavaScript apps also have to be written well.

Otherwise, we run into all kinds of issues later on.

In this article, we’ll look at some best practices we should follow when writing Node apps.

Secure Transmission

Without HTTPS, communication is done by sending clear text.

This means that anyone can tap into the communication channel to get the data.

Therefore, we should communicate via HTTPS.

We can use strong ciphers to encrypt our communication so that we don’t have to worry about insecure communication.

Also, we’ve to test for ciphers, keys and renogotiation is properly configured.

And certificates have to be valid.

We can use tools like nmap and sslyze to check these things.

For instance, we can run:

nmap --script ssl-cert,ssl-enum-ciphers -p 443,465,993,995 www.example.com

to check the certificate from example.com

With sslyze, we can run:

./sslyze.py --regular example.com:443

to do the check

HSTS

We should add the Strict-Transport-Security header to enforce HTTPS connections to the server.

Headers like:

strict-transport-security:max-age=631138519

would be returned from the web app if this exists.

We can check:

curl -s -D- https://example.com/ | grep -i Strict

to check for if there’s any header that starts with Strict to check the response for the header.

Denial of Service

To prevent denial of service attacks, we should take some steps to prevent them.

If the user tries to log in too many times and failed, we should lock them out for a period of time.

This mitigates brute force guessing attacks.

A small number of login attempts prohibits more login attempts for a period of time.

It can be a couple of minutes, then increased for subsequent failures.

There’re also regexes that can hang apps.

Patterns like grouping with repetition with patterns that have more repetition inside or alternation with overlapping are regex that’ll crash our Node app.

For example, patterns like (a+)+ are vulnerable regexes that cause heavy computations.

To check for these regexes, we can use the safe-regex package.

Error Handling

We should be careful with error handling in that we don’t leak sensitive information about our app.

They can reveal information that are useful to the attacker.

Therefore, we should log them rather than show them to the user.

NPM

We should check the packages that we’re requiring in our Node app.

To check for vulnerable packages, we can use the nsp package.

We run:

npm i nsp -g

to install the package.

Then we audit the shrinkwrap with:

nsp audit-shrinkwrap

Or we can check package.json :

nsp audit-package

Serverless

Serverless starts with the introduction of AWS Lambda.

It’ll become a popular way to build apps.

We can create code that runs straight from the server.

The Structure of a Node.js Application

We create a Node app first with npm init .

This will create package.json which has the metadata for our Node project.

They include the name, version, description, scripts, and more.

It also has the package information.

Conclusion

We can analyze the security of our app with a few tools.

And we can structure our app by creating a package.json with npm init .

By John Au-Yeung

Web developer specializing in React, Vue, and front end development.

Leave a Reply

Your email address will not be published. Required fields are marked *