Node JS
Security

Security and Performance.

ACCESSING ROOT USER

Run Node.js as a non-root user. If you start Node.js as root, the process has access to everything the root user has access to: it can remove all data, etc. Specify USER in your Dockerfile.

FROM node:latest
WORKDIR /usr/src/app
# copy the manifest first so npm install has something to install from
COPY package*.json ./
RUN npm install
COPY . .
EXPOSE 3000
# drop privileges before the process starts; the node image ships this user
USER node
CMD ["node", "server.js"]

If you start your Node.js server on port 80 you need root privileges, because ports below 1024 are privileged. Better to start it on a different port, e.g. 3000.

Module loading with a variable.

// the variable may have been modified by user input
const badwaytorequire = require(userInputValue);

Always hard-code the required module path:

const secure = require('./some/path');

Limiting your payload size and rate limiting.

Use express-rate-limit to limit requests for a small pet project. However, the rate limiter should not live only inside your Node application, because the application is mostly responsible for your business logic. It should be handled in nginx.

Rate limit in nginx

AWS has a built-in rate limiter.

Restrict how many requests can reach your server in a given time from a given user. If a single user sends 100 requests within e.g. 2 seconds, it is very suspicious and most likely a DoS attack.

Also guard against huge POST bodies, e.g. 100s of MB.

The rate-limiter-flexible library can be used to prevent this. If you use ESLint, also configure eslint-plugin-security, which integrates with your linter and flags vulnerable code patterns.

Authentication Limit

To prevent brute-force attacks, disable the user for about an hour if they continuously enter the wrong password in a short amount of time, e.g. 10 failed attempts.

Use Helmet

....

Vulnerability inspection.

Run npm audit on your packages.

GitHub dependency bump PRs.

JWT Blacklisting

If you are a banking system or another sensitive system: once a JWT is issued, you have no way to revoke it. For example, if that JWT gets compromised we cannot do anything about it, because the JWT resides in the client's browser, which we do not have access to. In this case we use JWT blacklisting.

Handle this by using a very short-lived access token (e.g. 3 min) together with a separate refresh token, and constantly validate.

JSON schema validation.

https://www.npmjs.com/package/jsonschema

Escaping HTML and CSS

const escape = require('escape-html');
const clean = escape(input)

ORM / ODM against injection

Security Linter

https://www.npmjs.com/package/@rushstack/eslint-plugin-security