{"id":16902713,"url":"https://github.com/csabapalfi/node-security-basics","last_synced_at":"2025-03-20T15:16:02.028Z","repository":{"id":141913355,"uuid":"70360404","full_name":"csabapalfi/node-security-basics","owner":"csabapalfi","description":"🔐 Node.js security basics, Sep 2014","archived":false,"fork":false,"pushed_at":"2017-03-19T19:48:49.000Z","size":2,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-01-25T14:21:45.323Z","etag":null,"topics":["blogpost"],"latest_commit_sha":null,"homepage":"https://csabapalfi.github.io/node-security-basics/","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/csabapalfi.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-10-08T22:19:15.000Z","updated_at":"2017-01-01T14:39:30.000Z","dependencies_parsed_at":null,"dependency_job_id":"63ccf813-96fa-4a03-b742-27cf05117e0d","html_url":"https://github.com/csabapalfi/node-security-basics","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/csabapalfi%2Fnode-security-basics","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/csabapalfi%2Fnode-security-basics/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/csabapalfi%2Fnode-security-basics/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/csabapalfi%2Fnode-security-basics/manifests","owner_url":"https://rep
os.ecosyste.ms/api/v1/hosts/GitHub/owners/csabapalfi","download_url":"https://codeload.github.com/csabapalfi/node-security-basics/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244637098,"owners_count":20485446,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["blogpost"],"created_at":"2024-10-13T18:07:34.360Z","updated_at":"2025-03-20T15:16:01.999Z","avatar_url":"https://github.com/csabapalfi.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Node.js security basics\n\n[Csaba Palfi](https://csabapalfi.github.io), Sep 2014\n\n**Node is no different.** All **humans writing code are an un-patched vulnerability**. There will always be vulnerabilities, but what matters is your **process** for dealing with them. Learn, fix, repeat. Here are some basic tips:\n\n## 1. know OWASP Top 10\n\n[OWASP top 10](https://www.owasp.org/index.php/Top_10_2013-Top_10) is a list of the **most critical** and prevalent web application **security issues**. It's a great way to get started.\n\n[NodeGoat](https://github.com/OWASP/NodeGoat) is an express webapp with Mongo **demonstrating** OWASP Top 10 issues and addressing them. Any volunteers to write one for [hapi](http://hapijs.com/)?\n\n## 2. use security headers\n\nUtilizing **security HTTP headers can greatly improve security**. Learn about these and use them!\n\nNodeGoat uses the [helmet](https://www.npmjs.org/package/helmet) express middleware for this. 
[lusca](https://www.npmjs.org/package/lusca) is another good express middleware.\n\nHapi supports a lot of these headers out of the box.\n\n## 3. ```require``` responsibly\n\nYou're responsible for the modules you ```require```. Do you at least check the number of installs on npm? Do you check open issues on GitHub?\n\nThe [node security project](https://nodesecurity.io/) maintains a list of **known vulnerabilities for npm modules**. They provide a [command line tool](https://www.npmjs.org/package/nsp), a Grunt task and an API ([example](https://nodesecurity.io/validate/crumb/2.0.0)). Closer integration with npm is coming as well.\n\n## 4. never trust user input\n\nIt's so easy to forget that users don't always [mean well](http://xkcd.com/327/). **Always validate request params and body** instead of just building mongo queries based on them.\n\nIn express make sure you understand the simple and extended queryparser and bodyParser.urlencoded options.\n\nWith hapi make sure you check out [joi](https://github.com/hapijs/joi) - their amazing **declarative validation** module.\n\nNode.js services sometimes just proxy through to other backends. Make sure you only pass validated input through.\n\n## 5. prevent command injection\n\nThe ```exec``` method in the [child_process](http://nodejs.org/api/child_process.html) module can be dangerous as it gets its whole command as a string. If the wrong thing gets concatenated in there it'll hurt. Just make sure you use **```execFile``` or ```spawn```** instead as **they get arguments as an array**. Read [this post](https://blog.liftsecurity.io/2014/08/19/Avoid-Command-Injection-Node.js) to learn more.\n\n## 6. do crypto well\n\nWatch out for cases when **decrypting garbage doesn't throw an error**. Have tests for these scenarios.\n\nActually, **just use HMAC** but watch out for timing attacks. 
([cryptiles](https://github.com/hapijs/cryptiles) from the hapi guys has ```fixedTimeComparison``` to prevent that)\n\nCheck out [cryptopals.com](http://cryptopals.com/) if you want to deeply understand crypto.\n\n## UPDATE: More security tips\n\nSome [more security tips](http://blog.risingstack.com/node-js-security-tips/) were published by [Gergely Nemeth](http://twitter.com/nthgergo) of [RisingStack](http://risingstack.com).\n\n## Thanks\n\n[Adam Baldwin](https://twitter.com/adam_baldwin) (from [^Lift](http://liftsecurity.io)) and his two talks at [LNUG](http://lnug.org/) and the [London Node Security Meetup](http://attending.io/events/node-security-project-meetup) inspired this post.\n\n![](https://ga-beacon.appspot.com/UA-29212656-1/node-security-basics?pixel)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcsabapalfi%2Fnode-security-basics","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcsabapalfi%2Fnode-security-basics","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcsabapalfi%2Fnode-security-basics/lists"}