Node.js Security Risks & Solutions — Part 2

Hello, welcome to part 2 of the Node.js best practices. Let me right away jump into talking about what security threats can occur and how you can avoid them.

Let’s also understand the fact that, we might not be able to stop every attack that attackers might initiate to harm our apps, but we can ensure that we are watchful of what we are building…

1. Use security linters

Let’s catch and act on common security vulnerabilities while writing the code itself…

For that you can use linter plugins which can automatically test source code, identify faults, and alert the developer of the potential vulnerability within the app. There are JS linting tools which you can use within Node.js such as JSHint, ESLint and TSLint.

2. Do you store plain text secrets in your config files?

If yes, then stop doing that from now on…

Writing secure code is good but it will be of no use if you store plain text secrets in your config files. This is not a good and recommended practice. You must use some secret management solution like “Vault” so that your secrets are not easily readable. If you don’t want to use it, at least encrypt your secrets when you store them and keep rotating them on a regular basis

3. Implement HTTP response headers

I’ve observed that the security of HTTP headers is often ignored by developers, but remember — it has the potential to leak sensitive information to attackers.

You can use CORS ( Cross-Origin Resource Sharing) which is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources. Other than this you can use an express middleware called “Helmet” which can implement 11 different header-based security mechanisms with just one line of code.

import helmet from “helmet”;
// …
app.use(helmet());

4. Run Node.js as a non-root user

Running the Node.js application as a root user with unlimited privileges is a common thing. Isn’t it?

But, if used incorrectly, it can open a box of privacy and security threats — simply because the attackers who run any script on the server will get access to these unlimited privileges.

So, it is recommended to use Node.js as a non-root user.

5. Make your build pipeline fluid and strong

When you leave the web application or servers unprotected or have weak security standards in place, security configuration vulnerabilities are bound to happen.

Due to this, the whole app ecosystem, i.e., app containers, database, server, etc., can come under serious security threat. And the primary reason for these threats is weak build pipelines.

A pipeline is a process that drives development through a path of building, testing, and deploying code, also known as CI/CD (continuous integration and continuous deployment).

Such build pipelines can be an entry point for security misconfiguration attacks. So, by making the build pipeline robust and fluid, you can protect your Node.js web application from any type of security vulnerability.

6. Make sure that the packages are up to date

Even if you write the best codes in the world, any third-party code you use, directly or indirectly, can cause security issues.

To ensure the latest security updates, it is highly recommended that all third-party packages are kept up-to-date, irrespective of the framework in use. So, being aware of the 3rd party applications in your Node.js framework is important. You can use scanners like “retire.js” for scanning security vulnerabilities in the JavaScript runtime built library.

Also you can use “npm audit” which will warn you about the vulnerable packages in your app.

Having mentioned all these points, I also understand that few or even majority of them might get overlooked when we have deadlines to meet. But always remember, if you consider security at every step of the SDLC or app development life cycle, then it won’t be a daunting task. It will help you in making your application less prone to security and data threats.

What are the practices that you follow, I’d love to hear back. Let me know in the comments section.

About me:

Founder and CEO of an IT company in India, I have more than 25 years experience of in dealing with people, processes, and codes. I started online training for my students when it was not in fashion and have trained more than 1000 students/working professionals personally which has helped them to secure awesome jobs or even start their own businesses.

Check out my Udemy profile to know more about the courses that I teach.

I am also been an active corporate trainer for several years now and have been consulting with top Fortune 500/1000 companies to streamline their development projects efficiently. My goal is to share knowledge with a primary focus on advanced tools & techniques, projects, and standard programming practices to help my students understand the basics and fundamentals and make awesome technological implementations.