Like any other kind of app, JavaScript apps have to be written well.
Otherwise, we run into all kinds of issues later on.
In this article, we’ll look at some security best practices we should follow when writing Node apps with Express.
Add Helmet to Set Sane Defaults
Some default settings for Express apps aren’t very secure.
Therefore, the Helmet middleware is available to set some saner defaults.
To use it, we write:
const express = require('express');
const helmet = require('helmet');
const app = express();
// helmet() mounts all of Helmet's default header middleware at once;
// register it before any routes so every response gets the headers.
app.use(helmet());
when we create our Express app.
It does several things to improve the security of our app.
It enables the Content-Security-Policy HTTP header.
This defines the trusted origins of content such as scripts and images that are allowed to load on our web page.
DNS prefetching is good for speeding up load times.
However, disabling prefetching limits potential data leakage about the types of external services that are used.
It can also reduce the traffic and costs associated with DNS query lookups.
The X-Frame-Options HTTP header is also enabled.
This blocks clickjacking attempts by preventing our page from being rendered inside a frame on another site.
The X-Powered-By HTTP header is also hidden.
This way, attackers can’t trivially identify the framework we’re using to build our app.
Public key pinning headers are also enabled.
This prevents man in the middle attacks that use forged certificates.
The Strict-Transport-Security header is also enabled.
This forces subsequent connections to the server to use HTTPS once a client has connected over HTTPS initially.
It also enables the Cache-Control, Pragma, Expires, and Surrogate-Control with defaults that block clients from caching old versions of site resources.
The X-Content-Type-Options HTTP header stops clients from sniffing the MIME type of a response outside the Content-Type that’s declared.
The Referrer-Policy HTTP header in our app’s responses can also be controlled to include only certain pieces of information.
The X-XSS-Protection HTTP header is also set, which prevents some XSS attacks in older browsers.
Tighten Session Cookies
We should tighten session cookies, which aren’t very secure by default.
We can set various settings with the express-session package.
The secret property is a secret string that the session ID cookie is signed with.
key is the name of the cookie.
httpOnly flags the cookie as accessible by the issuing web server only, so client-side scripts can’t read it.
secure should be set to true, which requires SSL/TLS.
This forces the cookie to be sent only with HTTPS requests.
domain indicates the domain that the cookie can be accessed from.
path has the path within the app’s domain that the cookie is accepted for.
expires sets the expiration date of the cookie.
This defaults to lasting for a browser session.
To use these options, we can write:
const express = require('express');
const session = require('express-session');
const app = express();
app.use(session({
  // in a real app, load a long random value from configuration, not a literal
  secret: 'secret',
  key: 'someKey',
  cookie: {
    httpOnly: true,
    // secure: true requires HTTPS; behind a TLS-terminating reverse proxy,
    // also set app.set('trust proxy', 1) so Express knows the request was secure
    secure: true,
    domain: 'example.com',
    path: '/foo/bar',
    // expire one hour from now
    expires: new Date(Date.now() + 60 * 60 * 1000)
  }
}));
We can set all these options to create and send our cookie.
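To check that the Helmet headers described above and the session cookie flags actually reach the client, here is an added example that is not part of the original article: an offline audit over a constructed response headers object (the expected header values and the 180-day HSTS threshold are assumptions; in practice you would pass it the headers of a real response from your app, with names lower-cased as Node's http module reports them).

```javascript
// Constructed sample (header names lower-cased, as Node's http module reports them).
const sampleHeaders = {
  'content-security-policy': "default-src 'self'",
  'x-dns-prefetch-control': 'off',
  'x-frame-options': 'SAMEORIGIN',
  'strict-transport-security': 'max-age=15552000; includeSubDomains',
  'x-content-type-options': 'nosniff',
  'referrer-policy': 'no-referrer',
  'cache-control': 'no-store, no-cache, must-revalidate',
  'set-cookie': 'someKey=abc123; Path=/foo/bar; HttpOnly; Secure',
};

// Headers the article says Helmet enables, each with a test for a sane value.
const HEADER_CHECKS = {
  'content-security-policy': (v) => v.length > 0,
  'x-dns-prefetch-control': (v) => v.toLowerCase() === 'off',
  'x-frame-options': (v) => ['deny', 'sameorigin'].includes(v.toLowerCase()),
  'strict-transport-security': (v) => {
    const m = /max-age=(\d+)/i.exec(v); // at least 180 days (assumed threshold)
    return m !== null && Number(m[1]) >= 15552000;
  },
  'x-content-type-options': (v) => v.toLowerCase() === 'nosniff',
  'referrer-policy': (v) => v.length > 0,
  'cache-control': (v) => /no-store/i.test(v),
};

// Returns a list of findings; empty means every expected header is present and sane.
function auditHeaders(headers) {
  const findings = [];
  for (const [name, isSane] of Object.entries(HEADER_CHECKS)) {
    const value = headers[name];
    if (value === undefined) findings.push(`missing header: ${name}`);
    else if (!isSane(String(value))) findings.push(`weak value for ${name}: ${value}`);
  }
  // X-Powered-By should be absent: it only helps fingerprint the stack.
  if (headers['x-powered-by'] !== undefined) findings.push('x-powered-by is exposed');
  return findings;
}

// Checks the name and flags of one Set-Cookie value from express-session.
function auditSessionCookie(setCookie, expectedName) {
  const findings = [];
  const parts = setCookie.split(';').map((s) => s.trim());
  const cookieName = parts[0].split('=')[0];
  if (cookieName !== expectedName) findings.push(`unexpected cookie name: ${cookieName}`);
  const flags = parts.slice(1).map((a) => a.toLowerCase());
  if (!flags.includes('httponly')) findings.push('cookie lacks HttpOnly');
  if (!flags.includes('secure')) findings.push('cookie lacks Secure');
  return findings;
}
```

Calling auditHeaders(sampleHeaders) and auditSessionCookie(sampleHeaders['set-cookie'], 'someKey') on the sample returns two empty lists; a response missing Helmet or with a cookie lacking HttpOnly or Secure returns one finding per problem.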
Conclusion
The Express Helmet and express-session packages are very useful for securing our Express app.