Security best practices for Express applications in production include:
-  Don’t use deprecated or vulnerable versions of Express
- Prevent brute-force attacks against authorization
- Ensure your dependencies are secure
- Avoid other known vulnerabilities
- Additional considerations
- Don’t use deprecated or vulnerable versions of Express
Deprecated or outdated versions of Express 2.x and 3.x are no longer maintained. Security and performance issues won’t be fixed. Do not use them! If you haven’t moved to version 4, migrate now; if you are running a release with known vulnerabilities, update to one of the stable releases, preferably the latest.
As a developer, you should absolutely migrate to Express 4. This version is a major overhaul and differs from 3.x in almost every aspect.
If your app deals with or transmits sensitive data, use Transport Layer Security (TLS) to secure the connection and the data. This technology encrypts data before it is sent from the client to the server, thus preventing some common (and easy) hacks. 
To secure HTTP headers, you can make use of Helmet.js – a helpful Node.js module. It is a collection of 13 middleware functions for setting HTTP response headers.  
Some examples include:
- helmet.contentSecurityPolicy
- helmet.hsts
- helmet.frameguard
In particular, there are functions for setting Content Security Policy, handling Certificate Transparency, preventing clickjacking, disabling client-side caching, or adding some small XSS protections.
Install Helmet like any other module:
npm install --save helmet
Then to use it in your code:
const express = require('express')
const helmet = require('helmet')
const app = express()
app.use(helmet()) // registers Helmet's default set of header-setting middleware
By default, Express.js sends the X-Powered-By response header banner. This can be disabled using the app.disable() method:
app.disable('x-powered-by')
This header reveals that the application is powered by Express, which lets attackers tailor their attack to the framework. Certainly, the X-Powered-By header is not the only way to identify an Express application, but it is probably the most common and simplest one.
To protect your system from HTTP parameter pollution attacks, you can use HPP.  
npm install hpp --save
In Express.js 4, there are two cookie session modules:
- express-session (in Express.js 3, it was express.session)
- cookie-session (in Express.js 3, it was express.cookieSession)
The express-session module stores only the session ID in the cookie and keeps the session data on the server, whereas cookie-session stores all the session data in the cookie itself. That is the main difference between these two middlewares.
Besides, you should set cookie security options, namely:
- secure
- httpOnly
- domain
- path
- expires
If “secure” is set to “true”, the browser will send the cookie only over HTTPS. If “httpOnly” is set to “true”, the cookie is sent only over HTTP(S) and cannot be read by client-side JavaScript. The value of “domain” indicates the domain of the cookie; the browser compares it against the domain of the server being requested. If they match, “path” is checked next: it indicates the cookie’s path, which is compared against the request path, and the cookie is sent only if both domain and path match. Finally, as the name suggests, the value of “expires” sets the time at which the cookie expires.
For example, using the express-session middleware:
const express = require('express')
const session = require('express-session')
const app = express()
app.set('trust proxy', 1) // trust first proxy, so secure cookies work behind a TLS-terminating proxy
app.use(session({
  secret: 's3Cur3', // placeholder: use a long random value loaded from configuration
  name: 'sessionId' // avoid the default cookie name, which identifies the session library
}))
For example, using the cookie-session middleware:
const session = require('cookie-session')
const express = require('express')
const app = express()
const expiryDate = new Date(Date.now() + 60 * 60 * 1000) // 1 hour
app.use(session({
  name: 'session',
  keys: ['key1', 'key2'], // placeholders: use long random signing keys from configuration
  // cookie-session takes the cookie attributes as top-level options, not in a nested object
  secure: true,
  httpOnly: true,
  domain: 'example.com',
  path: '/foo/bar', // cookie paths must start with '/'
  expires: expiryDate
}))
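The domain, path, secure and expires rules described above, as an added example in plain JavaScript that is not part of the original post or of express-session/cookie-session: serializeCookie() builds the Set-Cookie header from those options, and shouldSendCookie() applies the browser's checks to decide whether a stored cookie is attached to a request (function names, hosts and cookie values are constructed for the demo).

```javascript
// Added example (not from the original post, nor from express-session/cookie-session):
// a minimal model of the cookie attributes discussed above. Names and values are constructed.

// Build a Set-Cookie header value from the same options the session middlewares accept.
function serializeCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.expires) parts.push(`Expires=${opts.expires.toUTCString()}`);
  if (opts.httpOnly) parts.push('HttpOnly'); // hidden from document.cookie
  if (opts.secure) parts.push('Secure');     // only sent over HTTPS
  return parts.join('; ');
}

// Domain check: the request host equals the cookie domain or is a subdomain of it.
function domainMatches(cookieDomain, host) {
  return host === cookieDomain || host.endsWith('.' + cookieDomain);
}

// Path check (RFC 6265 path-match): identical, or the cookie path is a prefix that
// ends at a '/' boundary, so '/foo/bar' matches '/foo/bar/baz' but not '/foo/barn'.
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Would a browser attach `cookie` to request `req`? cookie = { domain, path, secure,
// httpOnly, expires }, req = { host, path, https, now }. httpOnly affects script access
// only, not sending, so it plays no part here.
function shouldSendCookie(cookie, req) {
  if (cookie.expires && req.now >= cookie.expires.getTime()) return false; // expired
  if (cookie.secure && !req.https) return false; // Secure cookies never go over plain HTTP
  if (!domainMatches(cookie.domain, req.host)) return false;
  return pathMatches(cookie.path, req.path);
}
```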
- Prevent brute-force attacks against authorization
A brute force attack is the simplest and most common way to get access to a website or a server. The hacker (in most cases automatically, rarely manually) tries various usernames and passwords repeatedly to break into the system.
These attacks can be prevented with the help of the rate-limiter-flexible package. This package is fast, flexible, and suitable for any Node framework.
To install, run one of the following commands:
npm i --save rate-limiter-flexible
yarn add rate-limiter-flexible
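An added example, not from the original post and not the rate-limiter-flexible package itself: a small in-memory limiter built on the same points/duration/blockDuration idea, wired into a login flow that refuses attempts while a key is blocked, counts only failures, and resets on success. The LoginLimiter and attemptLogin names, the injectable clock and the sample IP addresses are assumptions for the demo.

```javascript
// Added example: a small in-memory limiter with rate-limiter-flexible's
// points/duration/blockDuration idea, not the package itself. Names are assumptions.
class LoginLimiter {
  constructor({ points = 5, duration = 60, blockDuration = 15 * 60 } = {}, now = Date.now) {
    this.points = points;                      // failures allowed per window
    this.duration = duration * 1000;           // window length, ms
    this.blockDuration = blockDuration * 1000; // how long a key stays blocked, ms
    this.now = now;                            // clock, injectable for tests
    this.store = new Map();                    // key -> { count, windowStart, blockedUntil }
  }

  // Milliseconds the key must still wait, or 0 if it may attempt a login now.
  blockedMs(key) {
    const e = this.store.get(key);
    const t = this.now();
    return e && e.blockedUntil > t ? e.blockedUntil - t : 0;
  }

  // Record one failed attempt; returns attempts left (0 means the key is now blocked).
  consume(key) {
    const t = this.now();
    let e = this.store.get(key);
    if (!e || t - e.windowStart >= this.duration) e = { count: 0, windowStart: t, blockedUntil: 0 };
    e.count += 1;
    if (e.count >= this.points) e.blockedUntil = t + this.blockDuration;
    this.store.set(key, e);
    return Math.max(this.points - e.count, 0);
  }

  reset(key) { this.store.delete(key); } // call after a successful login
}

// Login flow: refuse while blocked (even with the right password), count only
// failures, clear the counter on success. The key combines client IP and username so a
// single client hammering one account is throttled without locking that user out globally.
// `passwordOk` stands in for the real credential check (e.g. a bcrypt comparison).
function attemptLogin(limiter, { username, ip, passwordOk }) {
  const key = `${ip}:${username}`;
  const wait = limiter.blockedMs(key);
  if (wait > 0) return { status: 429, retryAfterSec: Math.ceil(wait / 1000) };
  if (passwordOk) { limiter.reset(key); return { status: 200 }; }
  const remaining = limiter.consume(key);
  if (remaining > 0) return { status: 401, remaining };
  return { status: 429, retryAfterSec: limiter.blockDuration / 1000 };
}
```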
- Ensure your dependencies are secure
No doubt, npm is a powerful web development tool. However, to ensure the highest level of security, consider using only the 6th version of it – npm@6. The older ones may contain some serious dependency safety vulnerabilities, which will endanger your entire app. Also, to analyze the tree of dependencies, use the following command: 
npm audit
npm audit can help to fix real problems in your project. It checks all your dependencies in dependencies, devDependencies, bundledDependencies, and optionalDependencies, but not your peerDependencies.
Another tool to ensure dependency safety is Snyk. Snyk runs the application check to identify whether it contains any vulnerability listed in Snyk’s open-source database. 
 
Step 1. Install Snyk
npm install -g snyk
cd your-app 
Step 2. Run a test
snyk test
Step 3. Learn how to fix the issue
snyk wizard
Wizard is a Snyk method, which explains the nature of the dependency vulnerability and offers ways of fixing it.
- Avoid other known vulnerabilities
If you want to keep your app secure, keep an eye out for Node Security Project or Snyk advisories that may affect Express or other modules that your app uses. In general, these databases are excellent resources for knowledge and tools about Node security.
- Additional considerations
- Always filter and sanitize user input to protect against cross-site scripting (XSS) and command injection attacks.
- Defend against SQL injection attacks by using parameterized queries or prepared statements.
- Use the open-source sqlmap tool to detect SQL injection vulnerabilities in your app.
- Use the nmap and sslyze tools to test the configuration of your SSL ciphers, keys, and renegotiation as well as the validity of your certificate.
- Use safe-regex to ensure your regular expressions are not susceptible to regular expression denial of service attacks.
 