13 Ways to Make Your Node Application Secure

Want to know 13 ways to make your node application secure? Vizteck is giving you a step-by-step detailed guide for it.

Technology

December 13, 2016

Mah Noor

Node.js is getting more and more mature, no doubt – despite this, not many security guidelines are out there. As more applications are built on Node, securing them is becoming increasingly important. Node gives you good ways to avoid the security issues that would otherwise make your application less reliable and less secure.

The Node.js community is working on fixing security issues as they arise. However, the final result depends on the developer community following the security guidelines.

In this article, I will discuss the best practices you should follow to make your Node application secure.

Remove ‘X-Powered-By’

Security also means not disclosing more than you must: there is no need to announce which platform you are using. Sending this header to the client with every response is a common mistake, and it gives an entry-level attacker basic knowledge about your stack for free.

In your Express application, there are two ways to disable or hide this type of information.

  1. Ask Express not to add it:

    var app = express();
    app.disable('x-powered-by');

  2. Write a middleware that strips it from every response:

    app.use(function (req, res, next) {
      res.removeHeader('X-Powered-By');
      next();
    });

Don’t Use a Deprecated Version of Express/Node

It is recommended to use the latest version of Node and Express, because many security issues get fixed in new releases over time. For example, Express 2.x and 3.x are deprecated, which means the functions available in those versions are no longer maintained in later releases. So use the latest version of Node, and if you are on a previous version, migrate to the latest one.

Upgrade SSL to TLS

If you are still using SSL (Secure Sockets Layer), upgrade to TLS (Transport Layer Security), which is its successor. TLS ensures that sensitive data is encrypted at both ends: data is encrypted before it is sent and can only be read by the receiver. There are many handy tools for getting a TLS certificate; Let’s Encrypt is a free and open Certificate Authority (CA).

Don’t Use Components with Known Vulnerabilities

Keep an eye on security vulnerabilities in your dependencies and do not use a component with a known vulnerability. Whichever of the options below you adopt, make sure your dependencies are secure.

  1. One good tool for this is Retire.js. It scans your project and tells you where you have a dependency with a known vulnerability.

    $ npm i -g retire
    $ retire project

  It highlights all the known vulnerable components in your web app, covering not only Node modules but front-end libraries as well.

  2. Another way is to check thoroughly with the Node Security Project (nsp), which gives you continuous security monitoring once it is installed:

    $ npm install --global nsp
    $ cd your-fantastic-app
    $ nsp check

  3. A third way to make your app more secure is to use Helmet. Helmet helps protect your app from some well-known web vulnerabilities by setting security-related HTTP headers appropriately.

    $ npm install --save helmet

  Then add these lines to your app.js file:

    var helmet = require('helmet');
    app.use(helmet());

Helmet will save you from issues like data validation, SQL injection, XSS, and command injection.

Session Management

Using secure cookies is an important part of session management, especially when you are developing a dynamic web application, because cookies are what maintain state over a stateless protocol like HTTP. There are two main cookie-based session modules built into Express 3.x:

  1. express-session (stores only the session id in the cookie and keeps the session data on the server)
  2. cookie-session (rather than a session key, it serializes the entire session data into the cookie)

The main difference between the two is where they keep the session data.

Use Cookies Securely

To make cookies secure, set the cookie security options appropriately:

  1. secure: ensures the cookie is only sent over HTTPS.
  2. httpOnly: helps against cross-site scripting attacks by making sure the cookie is not exposed to client-side JavaScript.
  3. domain: the domain the cookie is scoped to; it is compared against the domain of the URL being requested.
  4. path: if the domain matches, the path is compared too, and the cookie is sent with the request only when the path matches.
  5. expires: sets an expiration date.

For example, set the options as below:

    cookie: { secure: true, httpOnly: true, domain: 'example.com', path: 'foo/bar', expires: expiryDate }

Don’t use the default session cookie name. Using the default name makes you an easier target for attackers, so always use a generic session cookie name. For example, if you are using the ‘express-session’ module, use it as:

    var session = require('express-session');
    app.set('trust proxy', 1); // trust first proxy
    app.use(session({
      secret: 's3Cur3',
      name: 'sessionId',
    }));

Don’t Pollute the Global Space

Functions like eval() open your code up to injection attacks and make your Node application insecure. Make sure not to use eval() or its relatives, such as setTimeout(code, 2) or setInterval(code, 2) called with a string argument, which use eval() in the background.
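What the advice above looks like in code: the unsafe pattern next to a hardened replacement. This is an added example written for this page, not code from the article. The action names in the dispatch table are constructed. In the hardened version nothing that came from a client is ever evaluated as code: the client can only name one of a fixed set of actions, and data is parsed with JSON.parse rather than eval().

```javascript
// Added example (not from the article): eval-style code execution beside a
// hardened alternative that never evaluates strings from outside.

// UNSAFE: a string from outside is run as code. In browsers a string passed
// to setTimeout/setInterval is evaluated the same way; modern Node rejects
// non-function callbacks, but eval() and new Function() still work everywhere.
function parseUnsafe(text) {
  return eval('(' + text + ')'); // anything inside text executes
}

// SAFE: a fixed dispatch table of pre-written actions (constructed names).
const ACTIONS = Object.freeze({
  refreshCache: () => 'cache refreshed',
  sendDigest: () => 'digest queued',
});

// Schedule by name. A timer function is injectable so this can be exercised
// synchronously; it defaults to setTimeout. hasOwnProperty blocks names like
// "constructor" or "__proto__" that would resolve through the prototype chain.
function scheduleByName(actionName, delayMs, timer) {
  if (typeof actionName !== 'string' || !Object.prototype.hasOwnProperty.call(ACTIONS, actionName)) {
    throw new RangeError('unknown action: ' + String(actionName));
  }
  return (timer || setTimeout)(ACTIONS[actionName], delayMs); // a function reference, never a string
}

// SAFE: data is data. JSON.parse cannot execute anything, so a string that
// happens to look like code is simply a syntax error.
function parseSafely(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}
```

The dispatch-table shape is the general replacement for "run this string": whatever the client is allowed to trigger is written down as a function in advance, and the client's input is only ever used as a lookup key.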

Use Strict Mode

Strict mode is a way to opt into a restricted variant of JavaScript; it intentionally has different semantics from normal code. It eliminates some silent JavaScript errors by turning them into thrown errors, fixes mistakes that make it hard for JavaScript engines to optimise, and forces you to declare variables properly. When you are using “strict mode” (in Node or in a browser such as Chrome):

  1. eval() is less insecure: it can no longer introduce variables into the surrounding scope.
  2. There is no access to caller and arguments (arguments.callee and arguments.caller throw).

Static Code Analysis

Do static code analysis on your application; it is one of the most important things you can do for application security, because it catches many problems at an early stage. For this:

  1. Add commit hooks in your (D)VCS.
  2. Use JSHint, JSLint or ESLint.
  3. Create a policy for static code analysis.
  4. Update and recheck the policy regularly.

Don’t Log Sensitive Information

When you deploy your front-end application, never expose API credentials or any other sensitive information in your source code, because that information is readable by anyone. To mitigate this type of issue and make sure data is not accidentally exposed:

  1. Make use of pull requests.
  2. Carry out regular code review.
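Code review catches secrets that were committed; the following added example (written for this page, not from the article) shows the two habits that keep them out in the first place: secrets are read from the environment instead of the source file, and everything that goes to the log passes through a redactor that masks credential-like keys. The key-name pattern, the API_KEY variable name and the sample event are constructed.

```javascript
// Added example (not from the article): environment-sourced configuration and
// log redaction so credentials never land in source or in log files.

// Keys that should never appear in logs in clear text (case-insensitive).
const SENSITIVE_KEY = /(pass(word)?|secret|token|api[-_]?key|authorization|cookie|credit[-_]?card)/i;

// Deep-copy a value, masking anything stored under a sensitive key. The depth
// cap stops runaway recursion on cyclic or very deep inputs.
function redact(value, depth) {
  depth = depth || 0;
  if (depth > 16) return '[max depth]';
  if (Array.isArray(value)) return value.map((v) => redact(v, depth + 1));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [key, v] of Object.entries(value)) {
      out[key] = SENSITIVE_KEY.test(key) ? '[REDACTED]' : redact(v, depth + 1);
    }
    return out;
  }
  return value;
}

// Free-text scrubber for request lines that embed credentials.
function scrubText(text) {
  return text.replace(/(authorization:\s*)(bearer|basic)\s+\S+/gi, '$1$2 [REDACTED]');
}

// Read configuration from process.env (or a provided map) and fail fast if a
// secret is missing, rather than falling back to a value kept in the source.
function loadConfig(env) {
  const source = env || process.env;
  if (!source.API_KEY) throw new Error('API_KEY is not set'); // hypothetical variable name
  return { apiKey: source.API_KEY, port: Number(source.PORT || 3000) };
}

// Log an event through the redaction step; `sink` defaults to console.log.
function logEvent(event, sink) {
  const line = JSON.stringify(redact(event));
  (sink || console.log)(line);
  return line;
}
```

Redacting by key name is deliberately coarse: it will occasionally mask a harmless field, which is the cheaper mistake compared with writing a token to a log that many people and systems can read.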

Don’t Run the Node Process as Root

To run a Node application on port 80 or 443, people often run it with superuser rights. If you start it with sudo node app.js, any compromise of the application affects the whole system. So it is recommended to set up an HTTP server/proxy, such as Nginx or Apache, in front of the application to forward requests to it.

Use a CSRF Module

Cross-Site Request Forgery is an attack that forces a user to execute unwanted actions on a web application in which they are authenticated. To mitigate this kind of attack, add the csrf module to your code. Install csrf from npm using:

    $ npm install csrf

Then use it where you need it:

    var Tokens = require('csrf');

Conclusion

These practices are heavily influenced by, and maintained in line with, OWASP guidance. If you want to make your Node application secure, follow the ways mentioned above to close off those exploits.

Vizteck Solutions always makes sure all compliance requirements are met during our app development phase. Our goal is to deliver more secure and valuable code to clients. For this, our developers always take care of all the security risks in any solution we deliver.

Our client projects, beakun.com and serviceguru.com, are deliverables that are blazingly fast, secure, and scale easily with users thanks to the MEAN stack and the AWS cloud.