Like any kind of apps, JavaScript apps also have to be written well.
Otherwise, we run into all kinds of issues later on.
In this article, we’ll look at some best practices we should follow when writing Node apps.
Secure Transmission
Without HTTPS, communication is done by sending clear text.
This means that anyone can tap into the communication channel to get the data.
Therefore, we should communicate via HTTPS.
We can use strong ciphers to encrypt our communication so that we don’t have to worry about insecure communication.
Also, we’ve to test for ciphers, keys and renogotiation is properly configured.
And certificates have to be valid.
We can use tools like nmap and sslyze to check these things.
For instance, we can run:
nmap --script ssl-cert,ssl-enum-ciphers -p 443,465,993,995 www.example.com
to check the certificate from example.com
With sslyze, we can run:
./sslyze.py --regular example.com:443
to do the check
HSTS
We should add the Strict-Transport-Security header to enforce HTTPS connections to the server.
Headers like:
strict-transport-security:max-age=631138519
would be returned from the web app if this exists.
We can check:
curl -s -D- https://example.com/ | grep -i Strict
to check for if there’s any header that starts with Strict
to check the response for the header.
Denial of Service
To prevent denial of service attacks, we should take some steps to prevent them.
If the user tries to log in too many times and failed, we should lock them out for a period of time.
This mitigates brute force guessing attacks.
A small number of login attempts prohibits more login attempts for a period of time.
It can be a couple of minutes, then increased for subsequent failures.
There’re also regexes that can hang apps.
Patterns like grouping with repetition with patterns that have more repetition inside or alternation with overlapping are regex that’ll crash our Node app.
For example, patterns like (a+)+
are vulnerable regexes that cause heavy computations.
To check for these regexes, we can use the safe-regex package.
Error Handling
We should be careful with error handling in that we don’t leak sensitive information about our app.
They can reveal information that are useful to the attacker.
Therefore, we should log them rather than show them to the user.
NPM
We should check the packages that we’re requiring in our Node app.
To check for vulnerable packages, we can use the nsp
package.
We run:
npm i nsp -g
to install the package.
Then we audit the shrinkwrap with:
nsp audit-shrinkwrap
Or we can check package.json
:
nsp audit-package
Serverless
Serverless starts with the introduction of AWS Lambda.
It’ll become a popular way to build apps.
We can create code that runs straight from the server.
The Structure of a Node.js Application
We create a Node app first with npm init
.
This will create package.json
which has the metadata for our Node project.
They include the name, version, description, scripts, and more.
It also has the package information.
Conclusion
We can analyze the security of our app with a few tools.
And we can structure our app by creating a package.json
with npm init
.