Otherwise, we run into all kinds of issues later on.
In this article, we’ll look at some best practices we should follow when writing Node apps.
Without HTTPS, communication is done by sending clear text.
This means that anyone can tap into the communication channel to get the data.
Therefore, we should communicate via HTTPS.
We can use strong ciphers to encrypt our communication so that we don’t have to worry about insecure communication.
Also, we’ve to test for ciphers, keys and renogotiation is properly configured.
And certificates have to be valid.
We can use tools like nmap and sslyze to check these things.
For instance, we can run:
nmap --script ssl-cert,ssl-enum-ciphers -p 443,465,993,995 www.example.com
to check the certificate from example.com
With sslyze, we can run:
./sslyze.py --regular example.com:443
to do the check
We should add the Strict-Transport-Security header to enforce HTTPS connections to the server.
would be returned from the web app if this exists.
We can check:
curl -s -D- https://example.com/ | grep -i Strict
to check for if there’s any header that starts with
Strict to check the response for the header.
Denial of Service
To prevent denial of service attacks, we should take some steps to prevent them.
If the user tries to log in too many times and failed, we should lock them out for a period of time.
This mitigates brute force guessing attacks.
A small number of login attempts prohibits more login attempts for a period of time.
It can be a couple of minutes, then increased for subsequent failures.
There’re also regexes that can hang apps.
Patterns like grouping with repetition with patterns that have more repetition inside or alternation with overlapping are regex that’ll crash our Node app.
For example, patterns like
(a+)+ are vulnerable regexes that cause heavy computations.
To check for these regexes, we can use the safe-regex package.
We should be careful with error handling in that we don’t leak sensitive information about our app.
They can reveal information that are useful to the attacker.
Therefore, we should log them rather than show them to the user.
We should check the packages that we’re requiring in our Node app.
To check for vulnerable packages, we can use the
npm i nsp -g
to install the package.
Then we audit the shrinkwrap with:
Or we can check
Serverless starts with the introduction of AWS Lambda.
It’ll become a popular way to build apps.
We can create code that runs straight from the server.
The Structure of a Node.js Application
We create a Node app first with
npm init .
This will create
package.json which has the metadata for our Node project.
They include the name, version, description, scripts, and more.
It also has the package information.
We can analyze the security of our app with a few tools.
And we can structure our app by creating a
npm init .