Node.JS security
Download as PPT, PDF6 likes1,907 views
This document summarizes security best practices for Node.js applications. It recommends using the Lusca module to add common security middleware like CSRF protection and Content Security Policy to Express apps. It also stresses the importance of knowing what modules are being required, using secure defaults, escaping all output, keeping dependencies up-to-date, and being aware of templating vulnerabilities. The Node Security Project is mentioned as a resource for auditing modules and contributing patches to improve the overall security of the Node ecosystem.
Node.JS security
- 1. Node Security By Rejah Rehim
- 2. Know what you require (); NPM has ~75000 modules
- 3. Use good Security Defaults Node is a set of barebons modules Express is a barebons framework
- 4. Lusca App security module for express var express = require('express'), app = express(), lusca = require('lusca');
- 5. With Express Middleware ● app.use(lusca.csrf()); ● app.use(lusca.csp({ /* ... */})); ● app.use(lusca.xframe('SAMEORIGIN')); ● app.use(lusca.p3p('ABCDEF')); ● app.use(lusca.hsts({ maxAge: 31536000 })); ● app.use(lusca.xssProtection(true));
- 6. CSRF Trick victim's browser into making malicious requests
- 9. Lusca.csrf() Uses Token Synchronizer pattern 1) Create a random token on serverside 2) Add token to res.local 3) Dump that token in app page 4) Sends with every PUT DELETE POST request 5) Verify token is correct, Else return 403
- 10. CSP ● Content Security Policy ● Basically a white listing
- 13. Lusca.csp() app.use(lusca.csp({ policy: { 'default-src': 'none', 'script-src': ''self' https://apis.google.com' }, reportUri: '/report-violation' }));
- 14. Lusca.hsts() ● Ensures HTTPS traffic ● Prevent MITM
- 15. Lusca.xframe() ● Prevent Others from loading your app in Iframe
- 16. HTTPOnly Cookies ● Prevent Session Hijacking app.use(express.session({ secret: 'My super session secret', cookie: { httpOnly: true, secure: true } }));
- 17. Eval is evil
- 18. Node Security Project ● Audit all modules in NPM ● Contribute patches ● Educate others
- 19. Scan For vulnerable modules npm install grunt-nsp-package --save-dev grunt validate-package
- 22. Escape everithing ● Not just user inputs Backend bata as well
- 23. Underscore templates <% %> - to execute some code <%= %> - to print some value in template <%- %> - to print some values with HTML escaped
- 24. Know your templating library ● Use it properly
- 25. Update your front-end dependencies ● Retire.js npm install grunt-retire --save-dev grunt retire
- 26. Let's Recap ● Know what you're require()'ing ● Node is stil a Javascript ● Use good security defaults ● Update your dependencies – use automation
- 27. Thanks