
I am new to this kind of work and I need steps and information about the techniques or steps to secure an application from being hacked.

Currently, I am building an app using Nodejs and my database is MongoDB.

I feel that my app is not secure enough to be deployed in production.

Thanks.

Richard Vergis
  • Check this out: 23+ Node.js security best practices. https://medium.com/@nodepractices/were-under-attack-23-node-js-security-best-practices-e33c146cb87d – Richard Vergis Sep 03 '18 at 05:46

2 Answers

7

You can use:

1. To check the various npm modules for known vulnerabilities, the Node Security Project provides the nsp tool:

$ nsp check

2. Snyk checks the application against Snyk's open source vulnerability database for any known vulnerabilities in our dependencies.

$ npm install -g snyk
$ cd your-app
$ snyk test

3. To prevent our site from being overwhelmed by a large number of requests, we need to put some kind of rate limiting on our API.

const express = require('express');
const RateLimit = require('express-rate-limit');

const app = express();

const limiter = new RateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100, // limit each IP to 100 requests per windowMs
  delayMs: 0 // disable delaying: full speed until the max limit is reached
});

// apply to all requests
app.use(limiter);

4. To validate and sanitize user data, use a library like validator.js.

5. Authentication can be done with jwt, bcrypt, crypto.

6. Implement helmet to secure your apps with the necessary HTTP headers. By default, helmet helps you apply the headers. Example:

const helmet = require('helmet');

app.use(helmet.hsts({ maxAge: 6666666777, includeSubdomains: true }));

Helmet can help protect your app from some well-known web vulnerabilities by setting HTTP headers appropriately.

Helmet is actually just a collection of nine smaller middleware functions that set security-related HTTP headers:

  • csp sets the Content-Security-Policy header to help prevent cross-site scripting attacks and other cross-site injections.
  • hidePoweredBy removes the X-Powered-By header.
  • hpkp adds Public Key Pinning headers to prevent man-in-the-middle attacks with forged certificates.
  • hsts sets the Strict-Transport-Security header that enforces secure (HTTP over SSL/TLS) connections to the server.
  • ieNoOpen sets X-Download-Options for IE8+.
  • noCache sets Cache-Control and Pragma headers to disable client-side caching.
  • noSniff sets X-Content-Type-Options to prevent browsers from MIME-sniffing a response away from the declared content-type.
  • frameguard sets the X-Frame-Options header to provide clickjacking protection.
  • xssFilter sets X-XSS-Protection to enable the Cross-site scripting (XSS) filter in most recent web browsers.

// frameguard: allow framing only from the given origin
// (helmet.xframe is the old name of this middleware; current helmet exposes it as frameguard)
app.use(helmet.frameguard({ action: 'allow-from', domain: 'http://example.com' }));

7. Use the open-source sqlmap tool to detect SQL injection vulnerabilities in your app: http://sqlmap.org/

8. Need to set cookie security options appropriately.

var session = require('cookie-session')
var express = require('express')
var app = express()

var expiryDate = new Date(Date.now() + 60 * 60 * 1000) // 1 hour
app.use(session({
  name: 'session',
  keys: ['key1', 'key2'], // signing keys; use long random values, not these placeholders
  // cookie-session takes the cookie options at the top level (no nested `cookie` object)
  secure: true,     // only send the cookie over HTTPS
  httpOnly: true,   // not readable from client-side script
  domain: 'example.com',
  path: '/foo/bar', // cookie paths must start with '/'
  expires: expiryDate
}))

Please refer to:

https://expressjs.com/en/advanced/best-practice-security.html

https://geekflare.com/nodejs-security-scanner/

https://nodesource.com/blog/the-state-of-node-js-security-in-2017

Biswadev
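
A worked version of the rate limiting in item 3 of the answer above, added here as an example (not code from the answer or from express-rate-limit): a fixed-window limiter with the same windowMs/max semantics, using only Node built-ins so it runs without Express. The client IP 203.0.113.7, the fake clock and the req/res stubs are constructed for the demonstration.

```javascript
// Added example: fixed-window rate limiter with express-rate-limit-style
// windowMs/max options. The in-memory Map store only works for a single
// Node process; several processes need a shared store instead.
function createRateLimiter({ windowMs, max, now = Date.now }) {
  const hits = new Map(); // key (client IP) -> { count, resetAt }

  function check(key) {
    const t = now();
    let entry = hits.get(key);
    if (!entry || t >= entry.resetAt) { // first hit, or window elapsed
      entry = { count: 0, resetAt: t + windowMs };
      hits.set(key, entry);
    }
    entry.count += 1;
    return {
      allowed: entry.count <= max,
      remaining: Math.max(0, max - entry.count),
      retryAfterSec: Math.ceil((entry.resetAt - t) / 1000),
    };
  }

  // Express-style middleware (req, res, next); header names follow express-rate-limit
  function middleware(req, res, next) {
    const result = check(req.ip);
    res.setHeader('X-RateLimit-Limit', String(max));
    res.setHeader('X-RateLimit-Remaining', String(result.remaining));
    if (result.allowed) return next();
    res.setHeader('Retry-After', String(result.retryAfterSec));
    res.statusCode = 429;
    res.end('Too many requests, please try again later.');
  }

  return { check, middleware };
}

// Constructed simulation: one client (documentation IP 203.0.113.7) sends
// requestCount requests within one window; returns the resulting status codes.
function simulate(requestCount, windowMs, max) {
  const limiter = createRateLimiter({ windowMs, max, now: () => 0 });
  const statuses = [];
  for (let i = 0; i < requestCount; i++) {
    const res = { statusCode: 200, setHeader() {}, end() {} }; // fake res
    limiter.middleware({ ip: '203.0.113.7' }, res, () => {});   // fake req/next
    statuses.push(res.statusCode);
  }
  return statuses;
}

console.log(simulate(4, 60 * 1000, 3)); // [200, 200, 200, 429]
```
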
2

You could refer to this article. You could add the helmet package, which is much simpler. https://blog.risingstack.com/node-js-security-checklist/.

Rukeith