Like any other kind of app, JavaScript apps have to be written well.
Otherwise, we run into all kinds of issues later on.
In this article, we’ll look at some best practices we should follow when writing Node apps.
Components With Known Security Vulnerabilities
We should log and audit every API call to our cloud management services, for example with AWS CloudTrail.
We should also run the security checker that our cloud provider offers.
Logging and Monitoring
Logging and monitoring should be sufficient to reconstruct what happened during an incident.
We should look for suspicious audit events such as user logins, user creation, permission changes, and so on.
We should be alerted whenever there are login failures.
Each database record should store the time of the update and the username that initiated it.
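As an added example that is not part of the original article, the following script records the kind of audit events described above and raises an alert when one user accumulates repeated login failures. The event shape, the threshold of three failures in five minutes, and the sample events are all assumptions made for this illustration.

```javascript
// Added example (not from the original article): an in-memory audit log with
// an alert rule for repeated login failures. Event shape, thresholds and the
// sample events are assumptions chosen for this illustration.

const FAILURE_THRESHOLD = 3;          // failures per user inside the window
const WINDOW_MS = 5 * 60 * 1000;      // 5 minutes

const auditLog = [];

// Record one audit event with who did it, what happened, and when.
function recordEvent({ type, user, ok, at = Date.now(), details = {} }) {
  const event = { type, user, ok, at, details };
  auditLog.push(event);
  return event;
}

// Return users with at least FAILURE_THRESHOLD failed logins in the window ending at `now`.
function loginFailureAlerts(log, now = Date.now()) {
  const counts = new Map();
  for (const e of log) {
    if (e.type !== 'login' || e.ok) continue;
    if (now - e.at > WINDOW_MS) continue;
    counts.set(e.user, (counts.get(e.user) || 0) + 1);
  }
  return [...counts.entries()]
    .filter(([, n]) => n >= FAILURE_THRESHOLD)
    .map(([user, failures]) => ({ user, failures }));
}

// Wrap a database update so every row change carries the actor and the time
// and is mirrored into the audit log.
function updateRecord(table, row, changes, actor, now = Date.now()) {
  const updated = { ...row, ...changes, updatedBy: actor, updatedAt: now };
  recordEvent({ type: 'db_update', user: actor, ok: true, at: now, details: { table, id: row.id } });
  return updated;
}

// Constructed sample events: three failed logins for "alice" within seconds,
// one successful login for "bob", and a permission change made by "bob".
function demo() {
  auditLog.length = 0;
  const base = 1700000000000; // fixed timestamp so the result is deterministic
  recordEvent({ type: 'login', user: 'alice', ok: false, at: base });
  recordEvent({ type: 'login', user: 'alice', ok: false, at: base + 1000 });
  recordEvent({ type: 'login', user: 'alice', ok: false, at: base + 2000 });
  recordEvent({ type: 'login', user: 'bob', ok: true, at: base + 3000 });
  recordEvent({ type: 'permission_change', user: 'bob', ok: true, at: base + 4000,
    details: { target: 'carol', role: 'admin' } });
  const row = updateRecord('users', { id: 7, name: 'Carol' }, { role: 'admin' }, 'bob', base + 4000);
  return { alerts: loginFailureAlerts(auditLog, base + 5000), row };
}

console.log(JSON.stringify(demo(), null, 2));
```

In a real service the log would go to an append-only store rather than an array, and the alert check would run on a schedule or on each failed login; the structure of the check is the same.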
Cross-Site Scripting
To avoid cross-site scripting, we should use template engines and frameworks that automatically escape scripts by design.
Most modern ones have this feature.
Untrusted data from HTTP requests should be escaped according to the HTML context it is written into.
Applying context-sensitive encoding when modifying the browser document on the client side prevents DOM-based cross-site scripting.
Also, we should enable a content security policy to defend against cross-site scripting.
Protect Personally Identifiable Information
Personally identifiable information should be protected.
Any data that can be used to identify a person should be encrypted.
Privacy laws differ between countries, so we should follow the ones that apply to us.
Have a security.txt File in Production
A text file called security.txt should be placed in the .well-known directory or in the site root.
It should state how security researchers can report vulnerabilities and give the contact details of the person responsible.
This way, we can be notified of any security vulnerabilities that are found.
Have a SECURITY.md File
In a code project, we can have a SECURITY.md file with the contact information of the project owner.
This way, people can report vulnerabilities that are found in the project.
Adjust the HTTP Response Headers for Enhanced Security
We should adjust the HTTP response headers for enhanced security.
Attacks like cross-site scripting, clickjacking, and others take advantage of data exposed by response headers, or of protections that missing headers fail to enable.
Constantly and Automatically Inspect for Vulnerable Dependencies
We should use npm audit or snyk to track, monitor, and patch vulnerable dependencies.
These can be integrated into our CI setup to catch vulnerable dependencies before they reach production.
Avoid Using the Node.js crypto Library for Handling Passwords
The Node crypto library isn't as secure as bcrypt, which lets us salt and hash our passwords.
If we don't salt and hash them, they may be brute-forced or guessed with dictionary attacks.
Escape HTML, JS and CSS Output
We should escape HTML, JavaScript, and CSS so that cross-site scripting attacks are prevented.
We can use dedicated libraries that mark the data as pure content that shouldn't be executed.
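As an added example that is not part of the original article, the following code implements the context-sensitive escaping described in the Cross-Site Scripting section and here: separate encoders for HTML text, HTML attributes, JavaScript string literals and CSS values, plus a marker type for content that is already safe. The encoders and the SafeHtml class are hand-written for illustration; a production app should rely on its template engine's auto-escaping, and this shows what that escaping has to do in each context.

```javascript
// Added example (not from the original article): context-aware escapers for
// untrusted data and a marker for already-safe HTML. All names are assumptions.

// HTML text context: encode the five significant characters.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

// Quoted HTML attribute context: encode everything non-alphanumeric as &#xHH;
// so a value cannot close the attribute or start an event-handler attribute.
function escapeHtmlAttr(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => `&#x${c.codePointAt(0).toString(16)};`);
}

// JavaScript string literal context: \xHH or \uHHHH encoding. This also
// neutralises "</script>", which the HTML parser would otherwise honour
// before the JavaScript engine ever sees the string.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9 ]/g, (c) => {
    const cp = c.codePointAt(0);
    return cp < 256
      ? `\\x${cp.toString(16).padStart(2, '0')}`
      : `\\u${cp.toString(16).padStart(4, '0')}`;
  });
}

// CSS value context: \HH encoding with a trailing space as the terminator.
function escapeCss(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => `\\${c.codePointAt(0).toString(16)} `);
}

// Marker for strings that are already safe HTML (e.g. output of a sanitiser).
// The renderer treats everything that is not wrapped as untrusted content.
class SafeHtml { constructor(html) { this.html = html; } }

function render(value) {
  return value instanceof SafeHtml ? value.html : escapeHtml(value);
}

// Place one untrusted value into four different contexts of a page.
function renderProfile(name) {
  return [
    `<h1>${render(name)}</h1>`,
    `<input value="${escapeHtmlAttr(name)}">`,
    `<script>var user = '${escapeJsString(name)}';</script>`,
    `<style>.tag::after { content: '${escapeCss(name)}'; }</style>`,
  ].join('\n');
}

// Constructed sample containing every character the encoders care about.
const sample = `O'Neil <b>"&"</b></script>`;
console.log(renderProfile(sample));
```

The important property is that one escaper is not enough: HTML-escaping a value and then dropping it into a script block or an attribute still leaves it able to change the meaning of the surrounding markup, which is why the encoder has to match the output context.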
Validate Incoming JSON Schemas
Incoming JSON should be validated against a JSON schema to make sure that the data in each request is valid.
If we don’t check them, then malicious and invalid data can get into our systems and cause problems.
Libraries like jsonschema or joi let us do the checks easily.
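As an added example that is not part of the original article, here is a small schema validator that performs the checks a library such as jsonschema or joi would perform on a request body: type, required keys, unknown keys, length and range limits. It is a stand-in written for illustration, not those libraries' API, and the "create user" schema and request bodies are constructed.

```javascript
// Added example (not from the original article): a minimal JSON schema
// validator and a request-body parser built on it. The schema keywords mirror
// a subset of JSON Schema; the schema and sample bodies are assumptions.

// Validate `value` against `schema`; returns a list of error strings (empty = valid).
function validate(value, schema, path = '$') {
  const errors = [];
  const type = Array.isArray(value) ? 'array' : value === null ? 'null' : typeof value;
  if (schema.type && type !== schema.type) {
    errors.push(`${path}: expected ${schema.type}, got ${type}`);
    return errors;                              // later checks assume the right type
  }
  if (schema.type === 'string') {
    if (schema.maxLength !== undefined && value.length > schema.maxLength) errors.push(`${path}: longer than ${schema.maxLength}`);
    if (schema.pattern && !schema.pattern.test(value)) errors.push(`${path}: does not match ${schema.pattern}`);
  }
  if (schema.type === 'number') {
    if (schema.minimum !== undefined && value < schema.minimum) errors.push(`${path}: below ${schema.minimum}`);
    if (schema.maximum !== undefined && value > schema.maximum) errors.push(`${path}: above ${schema.maximum}`);
  }
  if (schema.type === 'array') {
    if (schema.maxItems !== undefined && value.length > schema.maxItems) errors.push(`${path}: more than ${schema.maxItems} items`);
    if (schema.items) value.forEach((v, i) => errors.push(...validate(v, schema.items, `${path}[${i}]`)));
  }
  if (schema.type === 'object') {
    for (const key of schema.required || []) {
      if (!Object.prototype.hasOwnProperty.call(value, key)) errors.push(`${path}.${key}: required`);
    }
    for (const [key, v] of Object.entries(value)) {
      const sub = schema.properties && schema.properties[key];
      if (!sub) {
        // Unknown keys are rejected so clients cannot smuggle in fields the
        // server never meant to accept (mass assignment).
        if (schema.additionalProperties === false) errors.push(`${path}.${key}: unknown field`);
        continue;
      }
      errors.push(...validate(v, sub, `${path}.${key}`));
    }
  }
  return errors;
}

// Schema for a hypothetical "create user" request body.
const createUserSchema = {
  type: 'object',
  required: ['username', 'email'],
  additionalProperties: false,
  properties: {
    username: { type: 'string', maxLength: 32, pattern: /^[a-z0-9_]+$/ },
    email: { type: 'string', maxLength: 254, pattern: /^[^@\s]+@[^@\s]+$/ },
    age: { type: 'number', minimum: 0, maximum: 150 },
    tags: { type: 'array', maxItems: 5, items: { type: 'string', maxLength: 20 } },
  },
};

// Parse a raw body and validate it; returns { ok, value } or { ok, errors }.
function parseRequestBody(raw, schema) {
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch (e) {
    return { ok: false, errors: ['$: body is not valid JSON'] };
  }
  const errors = validate(parsed, schema);
  return errors.length ? { ok: false, errors } : { ok: true, value: parsed };
}

// Constructed request bodies: one well-formed, one with bad values and an
// extra privileged field the client is not allowed to set.
const good = '{"username":"alice","email":"alice@example.com","age":30,"tags":["dev"]}';
const bad = '{"username":"<script>","email":"nope","isAdmin":true}';
console.log(parseRequestBody(good, createUserSchema));
console.log(parseRequestBody(bad, createUserSchema));
```

Rejecting unknown fields with additionalProperties set to false is the check most often left out; without it a body can carry fields that a later ORM call writes straight into the database.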
Conclusion
We should check our data so that they aren’t malicious or invalid.
Anything in our data that could be executed should be escaped.