I'm working on my first Node application. Now it is ready to deploy and I want to secure my application, so I used these libraries to secure it.

import mongoSanitize from 'express-mongo-sanitize';
import helmet from 'helmet';
import xss from 'xss-clean';
import hpp from 'hpp';
import cors from 'cors';
import rateLimit from 'express-rate-limit';

What I want to know is: am I duplicating things here? Do I have to use all these libraries? Do any of the libraries here do the same thing, so that I can remove some of them and improve the performance of the app by dropping unnecessary middleware?

Shashika Virajh
    So, you should be using these libraries because you understand what they are doing for you. Therefore, you should have a much more specific question related to two specific libraries overlapping. As it is it seems like perhaps you just grabbed a bunch of libraries related to security and don't really understand what they do. Please ask a more specific question that shows you understand what area each of these libraries covers. – jfriend00 Dec 09 '19 at 05:25
  • FYI, the `cors` library does not "enhance" security. It has a specific purpose to ***allow*** cross origin requests when they would otherwise be denied. – jfriend00 Dec 09 '19 at 05:26
  • You can try using JWT (JSON Web Tokens), which is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. – Prabhjot Singh Kainth Dec 09 '19 at 05:36

1 Answer

You can't just pile on some "security" library and magically become "secure". Don't you think that if this were possible, all of these packages would be applied automatically, already?

Let's look at what these modules actually do...

express-mongo-sanitize

This module searches for any keys in objects that begin with a `$` sign or contain a `.`, from req.body, req.query or req.params. It can then either:

  • completely remove these keys and associated data from the object, or
  • replace the prohibited characters with another allowed character.

This is (arguably) a really bad idea. If you were escaping things correctly for use in your queries in the first place, such a sanitizing function wouldn't need to exist. And then, you wouldn't have to worry about a module like this totally wrecking your data structure. Furthermore, if you did rely on this sort of library, you can be sure that there will be some way around it, as it isn't solving the fundamental problem... that mixing the contexts of data and commands is dangerous and error-prone.

helmet

> Helmet is a collection of 14 smaller middleware functions that set HTTP response headers.

This package has a whole bunch of stuff, from HSTS to disabling caching. None of them are some sort of security silver bullet, as the author of this package cautions at the very top of the readme file:

> It's not a silver bullet, but it can help!

You should understand what all these headers actually do so you can use the right ones. Additionally, much of this you'll want to apply at your web server (such as Nginx) rather than dealing with it in your application.

xss-clean

> This will sanitize any data in req.body, req.query, and req.params. You can also access the API directly if you don't want to use as middleware.

Nothing says "security" like an NPM package with near-zero documentation that hasn't been touched in 4 years. It's really an awful idea to begin with though. You should be escaping data for the context of HTML only when you insert that data into HTML. If you do it early, you're just corrupting your data. Misunderstanding of this can actually lead you to future security problems, not to mention a mess of a broken application. (See also: The holy grail of cleaning input and output in php?)

hpp

> Express middleware to protect against HTTP Parameter Pollution attacks

This module takes multiple query string variables and prevents them from coming back as an array. This is fine if that's what you want, but having multiple of the same key in the query string is intended, and well-documented behavior that your application can use. If this is a problem, you should actually fix your application rather than relying on this module to break the standard behavior.

cors

As @jfriend00 points out, the CORS library helps you add the appropriate response headers to enable cross-origin access to data. This can be secure and appropriate, but not something you probably want to enable by default.

express-rate-limit

> Basic rate-limiting middleware for Express. Use to limit repeated requests to public APIs and/or endpoints such as password reset.

This can be useful, if you want rate limiting. I'd suggest doing this though at the web server level rather than messing with it in your application. There are efficient and fast modules/configurations for Nginx and similar, which are going to be able to handle this better than building it into every Node.js application you build.

TL;DR

Understand what it is that you're protecting against, or you're absolutely doomed to be insecure no matter what modules you install. Security isn't some patch you install.

Brad
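The recurring point in the answer above is that input should be validated or escaped in the context where it is used, rather than blanket-sanitized at the front door. The following is an added example, not code from the answer or from any of the packages it discusses; it replaces the three sanitizing middlewares (express-mongo-sanitize, hpp, xss-clean) with context-specific handling. The helper names are assumptions, and URLSearchParams stands in for Express's query parser, which also turns repeated keys into arrays.

```javascript
// Added example: context-specific handling instead of blanket sanitizing.
// Helper names (buildUserFilter, readIds, escapeHtml, renderGreeting) are
// assumptions for illustration, not an API of any package discussed above.

// 1. MongoDB filter: accept only strings for the fields we look up. A client
//    that sends an object (for instance one carrying a $-prefixed operator key)
//    is rejected with an error, instead of being silently rewritten the way
//    express-mongo-sanitize would rewrite it.
function buildUserFilter(body) {
  const email = body && body.email;
  if (typeof email !== 'string' || email.length === 0) {
    throw new TypeError('email must be a non-empty string');
  }
  return { email };
}

// 2. Repeated query keys: ?id=1&id=2 legitimately arrives as a list.
//    Instead of letting hpp discard all but one value, each route decides
//    whether a list is acceptable and validates every element.
function readIds(queryString, { allowMany }) {
  const raw = new URLSearchParams(queryString).getAll('id');
  if (!allowMany && raw.length > 1) {
    throw new RangeError('id may appear only once on this route');
  }
  if (!raw.every((v) => /^[0-9]+$/.test(v))) {
    throw new TypeError('every id must be a decimal integer');
  }
  return raw.map(Number);
}

// 3. HTML output: escape at the moment the value is inserted into HTML.
//    The stored value stays intact, unlike what xss-clean does on the way in.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderGreeting(displayName) {
  return `<p>Hello, ${escapeHtml(displayName)}</p>`;
}

module.exports = { buildUserFilter, readIds, escapeHtml, renderGreeting };
```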
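The answer recommends applying response headers and rate limiting at the web server rather than in every Node application. The following is an added Nginx fragment illustrating that, not configuration from the answer; the zone name, rate, upstream address and path are assumptions.

```nginx
# Added example: headers and rate limiting handled by Nginx in front of the app.
# Zone name, rate, upstream and path are placeholder values.
limit_req_zone $binary_remote_addr zone=login_zone:10m rate=5r/m;

server {
    listen 443 ssl;
    server_name app.example.com;

    # Headers helmet would otherwise set per request inside the application.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options DENY always;

    # Rate limit only the endpoint that needs it, e.g. password reset.
    location /auth/reset {
        limit_req zone=login_zone burst=10 nodelay;
        proxy_pass http://127.0.0.1:3000;
    }

    location / {
        proxy_pass http://127.0.0.1:3000;
    }
}
```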
  • It really seems like the OP should have done their own research on this BEFORE coming here and posting a generic, non-specific question like they did. Instead, you bailed them out and did the research for them. As you are obviously very experienced around here, I would hope you also want to teach people to do their own research before they come here. Then, after they do their own research, they can ask a much more specific and meaningful question. – jfriend00 Dec 09 '19 at 06:37
  • Thanks Brad. Really appreciate your suggestions. – Shashika Virajh Dec 09 '19 at 08:09
  • @jfriend00 If I thought that this person could figure it out by simple research, I would have not answered the question in the way I did. Sure, this person could have read the README files, but as indicated in my answer, many of these modules are flawed from the beginning and generally shouldn't be used. I'm addressing the core problem/question (why not [instant security]), pointing out the issues in the various modules listed, and providing myself a question that I can link to in the future. This issue comes up regularly, and the old answer for PHP doesn't apply as often. – Brad Dec 09 '19 at 15:41
  • @Brad Thank you for your answer, which is really useful for beginners – error Dec 16 '19 at 10:46
  • @jfriend00 Like Brad said, it's not easy to find out all of this by simple research on Google. Hopefully Brad doesn't think like you – error Dec 16 '19 at 10:46
  • @error - Brad added some very interesting commentary about what people think of the techniques used in each of these packages. That was indeed useful. But, if the whole site falls down to the level of people asking questions that appear to have done none of the simple research for things that are ***easy*** to find on the internet which is what your question appears to be, then this site will become a lot less useful to a lot of people. – jfriend00 Dec 16 '19 at 16:40
  • @error - That's the direction I try to educate people to avoid. I'd suggest you read [How much research effort is expected of stack overflow users](https://meta.stackoverflow.com/questions/261592/how-much-research-effort-is-expected-of-stack-overflow-users). It covers the concept quite well. In addition to the couple top rated answers there, also see [this one](https://meta.stackoverflow.com/questions/261592/how-much-research-effort-is-expected-of-stack-overflow-users/261596#261596) that I think is particularly insightful. – jfriend00 Dec 16 '19 at 16:41
  • @jfriend00 I agree with you, users have to do some research before asking questions. But here the question was not "how can I secure my express app". Brad did a good job, his answer is really useful – error Dec 16 '19 at 17:01
  • @error - But you have to agree that your question "looks" like you don't even begin to know which of these packages might overlap with one another which leads one to some conclusions about how much of your own research you've done. Maybe it just looks bad, but looks is all we have to go by here since that's our entire impression of your pre-question effort. I would have thought you could have said something like "Package A and package B both seem to do X. Do I need both of them?" and things like that. I actually think you would have answered most of your original question in doing that. – jfriend00 Dec 16 '19 at 17:06
  • @error - Ironically, the most useful parts of Brad's answer are not really the ones that answer the question you ask (you asked about overlap between the packages). The most useful part of Brad's answer is the commentary on the general value of each package on its own (not how it overlaps to the others). That is useful stuff to read. Anyway, I've said my piece now. I'll go see if I can find some questions to answer. – jfriend00 Dec 16 '19 at 17:08
  • @jfriend00 It wasn't me who asked the question but I guess that the author did some research to find out these packages and thanks to him, beginners could know the value of each package. But yes, I agree in global. Everyone has to read documentations before asking – error Dec 16 '19 at 17:15