Best Practices for Node.js Security: Risks and Solutions
This article will help you understand your security priorities and build security measures into your regular practices.
Node.js, like every other framework or programming language, is exposed to the whole range of web application vulnerabilities. The core of Node.js is secure, but third-party packages may require additional security measures to protect your web applications. According to one analysis, 14% of the npm (Node Package Manager) ecosystem is directly affected by known vulnerabilities, and the share of indirectly affected packages is estimated at about 54% of the ecosystem.
Why Do Node.js Projects Have Security Risks?
Applications inherit the security and licensing issues of the open-source components they use. The problem is that common security testing tools, such as dynamic and static code analysis, are ineffective at detecting vulnerabilities in those components.
To identify the open-source components in a Node.js project, you have to analyze the package manager index files that describe its dependencies. However, the index files do not record open-source code that was copied into the project rather than installed as a package.
The open-source community often reuses existing projects to accelerate development, shorten time to market, and add functionality. As a result, both open-source and commercial developers introduce functions, code snippets, and methods copied from other projects into their files, and many Node.js projects end up containing code under licensing terms other than the original Node.js license.
Is Node.js a Threat to Safe Application Functioning?
Some developers consider Node.js a security threat because of the platform's lack of default error handling: an unhandled error or application failure can bring the server down.
npm phishing and regular-expression denial of service (ReDoS) are only a small share of Node.js security problems.
Alex Pletnov, Chief Technical Officer of KeenEthics, gives two main reasons why Node.js itself should not be regarded as being under high security threat.
First, developers can make design mistakes, such as leaving the application open to CSRF or cookie theft. Second, developers with little Node.js expertise would rather blame Node.js for being insecure than acknowledge their own inexperience with the technology. On top of that come the usual web security issues: cross-site request forgery, cross-site scripting, unvalidated redirects, and security misconfiguration.
Open Source Components Causing Node.js Security Issues
The following table reviews some of the open-source components you can find in Node.js projects. These components consist of hidden license elements that can cause a Node.js security risk. Failure to comply with hidden open-source license elements can put a company at risk of legal actions.
Top 10 Node.js Security Risks and Their Solutions
Node.js security issues can expose you to attacks such as code injection, man-in-the-middle attacks, and advanced persistent threats. Below is a brief review of the risks that may lead to these attacks, with possible solutions.
1. Broken access control
Web apps usually have several privileged user roles, such as managers, administrators, moderators, and vendors, which have more rights than regular users. Broken access control shows up in two forms: vertical and horizontal escalation. In vertical escalation, an attacker uses a regular user's credentials to reach administrator-level privileges. In horizontal escalation, an attacker uses one regular user's access to reach other users' resources, which can lead to a massive data leak.
OWASP rates broken access control as an easily identified, easily exploited, and widespread web problem.
To prevent this vulnerability, every company needs a central, managed place to document the access control rules it has implemented. Another good rule is to deny access to app resources by default for every user; only legitimate users should be granted permission to view and modify resources. Access control must also be enforced only on the server side. Continuous testing and auditing of access control lets organizations confirm that all mechanisms work properly. Tools such as Crashtest Security Suite, Hdiv, ImmuniWeb Discovery, PortSwigger's Burp Suite, and Acunetix provide vulnerability reports and guidance for defending web servers against threats and attacks.
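The following is an added example, not code from the article or from KeenEthics, of what "deny by default, enforced on the server, from one central policy" looks like in an Express-style Node.js app. The users, invoices, policy table and helper names (authorize, requirePermission) are all constructed for illustration; it checks both the vertical case (role not permitted) and the horizontal case (another user's resource).

```javascript
'use strict';
// Added example, not code from the article or from KeenEthics. The users,
// resources, policy table and the helper names (authorize, requirePermission)
// are all constructed for illustration.

// Constructed sample users; in a real app these come from the session store.
const USERS = {
  alice: { id: 'alice', role: 'admin' },
  bob:   { id: 'bob',   role: 'user' },
  carol: { id: 'carol', role: 'user' },
};

// Constructed sample resources, each owned by exactly one user.
const INVOICES = {
  inv1: { id: 'inv1', ownerId: 'bob',   amount: 120 },
  inv2: { id: 'inv2', ownerId: 'carol', amount: 300 },
};

// Central policy table: action -> roles allowed to perform it. An action that
// is not listed is denied for everyone, which is the deny-by-default rule.
const POLICY = {
  'invoice:read':   ['admin', 'user'],
  'invoice:delete': ['admin'],
  'user:list':      ['admin'],
};

// Vertical check: does the caller's role permit this action at all?
function roleAllows(user, action) {
  const roles = POLICY[action];
  return Array.isArray(roles) && roles.includes(user.role);
}

// Horizontal check: a non-admin may only touch resources they own.
function ownsOrAdmin(user, resource) {
  if (user.role === 'admin') return true;
  return resource.ownerId === user.id;
}

// The single server-side decision point. It returns an HTTP-style status so
// that route handlers never have to trust anything the client claims.
function authorize(userId, action, resourceId) {
  const user = USERS[userId];
  if (!user) return { status: 401, reason: 'unauthenticated' };
  if (!roleAllows(user, action)) return { status: 403, reason: 'role not permitted' };
  if (resourceId === undefined) return { status: 200 };
  const resource = INVOICES[resourceId];
  if (!resource) return { status: 404, reason: 'no such resource' };
  if (!ownsOrAdmin(user, resource)) return { status: 403, reason: 'not the owner' };
  return { status: 200, resource };
}

// Express-style middleware built on the same decision point, so every route
// goes through one documented policy instead of ad-hoc checks in handlers.
function requirePermission(action, paramName) {
  return function (req, res, next) {
    const resourceId = paramName ? req.params[paramName] : undefined;
    const decision = authorize(req.userId, action, resourceId);
    if (decision.status !== 200) return res.status(decision.status).end();
    req.resource = decision.resource;
    return next();
  };
}
// Usage with Express (assumed to be the web framework):
//   app.delete('/invoices/:id', requirePermission('invoice:delete', 'id'), handler);
```

Because the policy lives in one table, auditing what each role can do is a matter of reading that table rather than every route. Note that answering 403 for another user's resource confirms the resource exists; many APIs deliberately answer 404 in both cases so that identifiers cannot be enumerated.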
2. Code injection
Writing code that is free of injection seems simple, but there are many pitfalls. What if you, the developer, use open-source packages in the app and are not sure whether they are secure?
Code injection is an attack in which the attacker exploits an input validation flaw to execute malicious code. Any app that runs untested code is exposed to this vulnerability.
To tell secure code from insecure code, it is best to apply techniques that defend against code injection. Avoid dynamic code execution in the app, both language constructs such as eval and code strings passed to setTimeout or the Function constructor. Deserializing untrusted data can also be exploited, so avoid it. Finally, dependency scanning will help you analyze the app and ensure it is not exposed to attacks through third-party open-source components.
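As an added example, not code from the article or from KeenEthics, here is the pattern behind "avoid dynamic code execution": a client-supplied filter that was once passed to eval is replaced by a small structured filter that the server interprets itself. The rows, field list and operator table are constructed; the function names (filterUnsafe, parseFilter, filterSafe) are assumptions.

```javascript
'use strict';
// Added example, not from the article or from KeenEthics. Sample rows, the
// field allow-list and the operator table are constructed for illustration.

// Constructed sample data that a client is allowed to filter.
const ROWS = [
  { id: 1, status: 'open',   total: 50 },
  { id: 2, status: 'closed', total: 500 },
  { id: 3, status: 'open',   total: 900 },
];

// BEFORE: the client sends a JavaScript fragment and the server evaluates it.
// Whatever the string contains runs with the server's privileges. The same
// problem exists for new Function(str) and setTimeout(str, ms).
function filterUnsafe(rows, expr) {
  return eval('rows.filter(row => ' + expr + ')'); // do not do this
}

// AFTER: accept a small structured filter and interpret it ourselves.
// Only the fields and operators listed here are reachable; nothing the
// client sends is ever executed as code.
const FIELDS = new Set(['status', 'total']);
const OPS = {
  eq: (a, b) => a === b,
  gt: (a, b) => a > b,
  lt: (a, b) => a < b,
};

// parseFilter turns untrusted JSON text into a validated filter object or throws.
function parseFilter(text) {
  let f;
  try {
    f = JSON.parse(text);
  } catch {
    throw new Error('filter is not valid JSON');
  }
  if (typeof f !== 'object' || f === null || Array.isArray(f)) throw new Error('filter must be an object');
  if (!FIELDS.has(f.field)) throw new Error('unknown field');
  // hasOwnProperty, not `in`: keeps inherited names such as toString or
  // __proto__ from being looked up on the operator table.
  if (!Object.prototype.hasOwnProperty.call(OPS, f.op)) throw new Error('unknown operator');
  if (typeof f.value !== 'string' && typeof f.value !== 'number') throw new Error('value must be a string or number');
  return { field: f.field, op: f.op, value: f.value };
}

function filterSafe(rows, text) {
  const f = parseFilter(text);
  const compare = OPS[f.op];
  return rows.filter(row => compare(row[f.field], f.value));
}
```

The hardened version is also easier to test: every rejected input is a thrown error with a reason, whereas the eval version has no failure mode short of arbitrary code running on the server.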
3. Cross-Site Request Forgery (CSRF)
CSRF attacks force end users to perform unwanted actions on a web application in which they are authenticated. CSRF targets state-changing requests, because the attacker has no way of seeing the response to the forged request.
Attackers trick users into performing these actions through social engineering, such as sending links by chat or email. CSRF can force state-changing requests such as changing an email address and then transferring funds. If the victim is an administrative user, CSRF can compromise the entire web application.
Preventing CSRF in Node.js requires anti-forgery tokens. Anti-CSRF tokens are used to check the authenticity of user requests and prevent one-click attacks.
4. Default cookie session name
Session cookies let a website recognize a user across requests. Actions you take on the website are recorded against your session cookie. Shopping carts on e-commerce sites are the most common example of this functionality.
The session cookie remembers the items you selected on the e-commerce site, so they are still in the cart when you are ready to check out. Without session cookies, a new page would not recognize your past activity on other pages.
Using the default cookie name is risky because attackers can easily recognize it and target your application accordingly.
The solution is to use one of the middleware cookie session modules like express-session.
5. X-Powered-By header
X-Powered-By is a common non-standard HTTP response header. Some frameworks add it to every response by default. Servers can disable or change the X-Powered-By value to prevent attackers from targeting a particular technology.
X-Powered-By reveals which technology an app is built on, so attackers can use it to pick Node.js-specific weaknesses to exploit.
Hide this information about the server technology by disabling the header.
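The next block is an added example, not code from the article or from KeenEthics, covering both of the preceding points (a non-default session cookie and removal of X-Powered-By) as plain functions you can unit-test. The set of default cookie names and the helper names (buildSessionCookie, hardenHeaders) are constructed for illustration; the express-session name option and app.disable('x-powered-by') mentioned in the comments are real Express APIs.

```javascript
'use strict';
// Added example, not from the article or from KeenEthics.

// Session cookie names that popular stacks use out of the box. Seeing one of
// them in a response tells a visitor which framework is behind the site.
const DEFAULT_SESSION_NAMES = new Set(['connect.sid', 'PHPSESSID', 'JSESSIONID', 'ASP.NET_SessionId']);

// buildSessionCookie returns a Set-Cookie header value for a session cookie
// under a non-default name, with the protective attributes always present.
function buildSessionCookie(name, value, { maxAgeSeconds = 3600, secure = true } = {}) {
  if (DEFAULT_SESSION_NAMES.has(name)) throw new Error(`"${name}" is a default session cookie name`);
  if (!/^[A-Za-z0-9_-]+$/.test(name)) throw new Error('cookie name contains unsafe characters');
  if (!/^[A-Za-z0-9_.-]+$/.test(value)) throw new Error('cookie value contains unsafe characters');
  const attrs = [
    `${name}=${value}`,
    'Path=/',
    'HttpOnly',        // not readable from page scripts
    'SameSite=Lax',    // not sent on cross-site top-level POSTs
    `Max-Age=${maxAgeSeconds}`,
  ];
  if (secure) attrs.push('Secure'); // HTTPS only; leave off only in local dev
  return attrs.join('; ');
}

// hardenHeaders returns a copy of a response header map without X-Powered-By,
// whatever its capitalization.
function hardenHeaders(headers) {
  const out = {};
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === 'x-powered-by') continue;
    out[key] = value;
  }
  return out;
}

// With Express (assumed) the equivalent configuration is:
//   app.disable('x-powered-by');
//   app.use(session({ name: 'sid', secret: SESSION_SECRET,
//                     cookie: { httpOnly: true, secure: true, sameSite: 'lax' } }));
// express-session's default name is connect.sid, one of the names flagged above.
```

A quick check against any deployed app is to look at a real response for a Set-Cookie line whose name is in the list above, or for an X-Powered-By line at all; both are trivial to fix and both are pure information leakage.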
6. Check apps for vulnerabilities regularly
The Node.js ecosystem consists of a large number of installable modules and libraries, and that is itself a security issue: when you use code someone else has written, you can never be sure it is secure.
Automated vulnerability scanning helps you detect dependencies with known Node.js security vulnerabilities. You can use npm audit as a first line of control, or turn to tools such as Retire.js, OWASP Dependency-Check, Acunetix, and WhiteSource Renovate.
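As an added example, not code from the article or from KeenEthics, here is a small CI gate that reads the JSON report npm audit produces and decides whether a build should fail. The report below is a constructed sample in the shape of npm audit --json output (npm 7 and later); the package names in it are placeholders, and the function names (evaluateAudit, gateFromJsonText) are assumptions.

```javascript
'use strict';
// Added example, not from the article or from KeenEthics. SAMPLE_AUDIT is a
// constructed report in the npm 7+ `npm audit --json` shape; only the fields
// used below are included, and the package names are placeholders.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-direct-pkg': {
      name: 'example-direct-pkg', severity: 'high', isDirect: true,
      range: '<2.0.0', fixAvailable: true,
    },
    'example-transitive-pkg': {
      name: 'example-transitive-pkg', severity: 'moderate', isDirect: false,
      range: '<1.4.2', fixAvailable: false,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 0, total: 2 } },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// evaluateAudit returns the findings, the subset at or above the threshold,
// and whether the build should fail. Unknown severities are treated as info.
function evaluateAudit(report, failAt = 'high') {
  const threshold = SEVERITY_RANK[failAt];
  if (threshold === undefined) throw new Error(`unknown severity "${failAt}"`);
  const findings = Object.values(report.vulnerabilities || {}).map(v => ({
    name: v.name,
    severity: v.severity,
    direct: Boolean(v.isDirect),
    // npm reports fixAvailable as true, false, or an object describing the fix.
    fixAvailable: v.fixAvailable !== false,
  }));
  const blocking = findings.filter(f => (SEVERITY_RANK[f.severity] ?? 0) >= threshold);
  return { fail: blocking.length > 0, blocking, findings };
}

// gateFromJsonText is the CI entry point: it takes the raw text of the report
// and returns an exit code plus the lines you would print for the build log.
function gateFromJsonText(jsonText, failAt = 'high') {
  let report;
  try {
    report = JSON.parse(jsonText);
  } catch {
    return { exitCode: 2, lines: ['audit report is not valid JSON'] };
  }
  const result = evaluateAudit(report, failAt);
  const lines = result.blocking.map(f =>
    `${f.severity}\t${f.name}\t${f.direct ? 'direct' : 'transitive'}\tfix ${f.fixAvailable ? 'available' : 'not available'}`);
  return { exitCode: result.fail ? 1 : 0, lines };
}
```

To use it in a pipeline, run npm audit --json, save the output to a file, and call gateFromJsonText on its contents; npm audit itself exits non-zero whenever any finding exists, so reading the report and applying your own threshold avoids failing every build on a low-severity transitive finding. npm's own --audit-level flag gives the same threshold behaviour without the listing.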
7. Implement strong and complete authentication
Another common vulnerability is an insufficient, weak, or inconsistent authentication system. You can avoid it by implementing the suggestions below.
Many existing solutions can improve authentication, among them Firebase Auth, OAuth, and Okta. You can also build your own: use scrypt or bcrypt for password hashing rather than a general-purpose hash from the built-in crypto library. Two-factor authentication (2FA), with modules such as Speakeasy or node-2fa, is another good addition to session handling that raises your app's security to a new level. Finally, limit failed login attempts, and when a username or password is incorrect, never tell the user which of the two was wrong.
8. Limit payload size
When the body payload is too large, Node's single thread spends more time processing it, which lets attackers bring down a server with a small number of requests.
You can limit the size of incoming requests, or configure the Express body-parser so that it accepts only small payloads. Without such a limit, your app will spend its time handling large requests instead of other critical work, which degrades performance and opens the door to DoS.
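What follows is an added example, not code from the article or from KeenEthics, of enforcing a body limit yourself on a raw Node request: a size parser for limits like "10kb", a collector that stops buffering the moment the limit is crossed, and a reader that rejects early when Content-Length already exceeds it. The class and function names (parseSizeLimit, BoundedBodyCollector, readBody) are assumptions; the express.json limit option in the closing comment is the real body-parser setting.

```javascript
'use strict';
// Added example, not from the article or from KeenEthics.

// parseSizeLimit('10kb') -> 10240. Accepts a number of bytes or b/kb/mb suffixes.
function parseSizeLimit(spec) {
  if (typeof spec === 'number' && Number.isFinite(spec) && spec >= 0) return Math.floor(spec);
  const m = /^(\d+(?:\.\d+)?)\s*(b|kb|mb)?$/i.exec(String(spec).trim());
  if (!m) throw new Error(`bad size limit "${spec}"`);
  const mult = { b: 1, kb: 1024, mb: 1024 * 1024 }[(m[2] || 'b').toLowerCase()];
  return Math.floor(Number(m[1]) * mult);
}

// BoundedBodyCollector buffers chunks and throws a 413-tagged error as soon as
// the running total exceeds the limit, so oversized bodies never sit in memory.
class BoundedBodyCollector {
  constructor(limitBytes) {
    this.limit = limitBytes;
    this.size = 0;
    this.chunks = [];
  }
  push(chunk) {
    const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
    this.size += buf.length;
    if (this.size > this.limit) {
      const err = new Error('payload too large');
      err.statusCode = 413;
      throw err;
    }
    this.chunks.push(buf);
  }
  body() {
    return Buffer.concat(this.chunks);
  }
}

// readBody resolves with the body Buffer or rejects with a 413 error. A
// Content-Length above the limit is rejected before any byte is read, and a
// stream that crosses the limit is destroyed rather than drained.
function readBody(req, limit) {
  const limitBytes = parseSizeLimit(limit);
  return new Promise((resolve, reject) => {
    const declared = Number(req.headers && req.headers['content-length']);
    if (Number.isFinite(declared) && declared > limitBytes) {
      const err = new Error('payload too large');
      err.statusCode = 413;
      req.destroy();
      return reject(err);
    }
    const collector = new BoundedBodyCollector(limitBytes);
    req.on('data', chunk => {
      try {
        collector.push(chunk);
      } catch (err) {
        req.destroy();
        reject(err);
      }
    });
    req.on('end', () => resolve(collector.body()));
    req.on('error', reject);
  });
}
// With Express (assumed) the equivalent is app.use(express.json({ limit: '10kb' }));
// which rejects larger JSON bodies with a 413 response.
```

Checking Content-Length first is cheap, but it is only a claim by the client; the per-chunk check is what actually bounds memory and CPU for chunked or lying requests.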
9. Avoid data leaks
Always control what comes from the front-end and what you send to it. It is easy to send a whole object to the front-end and filter what is displayed there, but that gives an attacker an excellent chance to read confidential data sent from the back-end.
The proper solution requires more work, but it is worth it. A good practice is to send only the information that is needed and to control everything you show. Since any confidential data that reaches the browser is readable in the developer console, filter everything you retrieve from the database on the server before sending it, to prevent data leaks.
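Here is an added example, not code from the article or from KeenEthics, of "send only what is needed": a database row is reduced to an allow-listed view that depends on who is asking, and a last-line check refuses to serialize any object that still carries a secret field anywhere in it. The row, field lists, denied-key set and function names (userView, findSecretPaths, toJsonResponse) are constructed for illustration.

```javascript
'use strict';
// Added example, not from the article or from KeenEthics. DB_USER is a
// constructed row with placeholder values; the field lists are assumptions.
const DB_USER = {
  id: 42,
  email: 'bob@example.com',
  displayName: 'Bob',
  passwordHash: 'scrypt$placeholder',
  role: 'user',
  mfaSecret: 'placeholder-secret',
  createdAt: '2022-01-01T00:00:00Z',
};

// Allow-lists: what other users may see versus what the user sees about themself.
const PUBLIC_USER_FIELDS = ['id', 'displayName'];
const SELF_USER_FIELDS = ['id', 'displayName', 'email', 'role', 'createdAt'];

// pick copies only the listed own properties, so new columns added to the
// table later are not exposed by accident.
function pick(obj, fields) {
  const out = {};
  for (const f of fields) {
    if (Object.prototype.hasOwnProperty.call(obj, f)) out[f] = obj[f];
  }
  return out;
}

// userView builds the response object on the server, based on the viewer.
function userView(row, viewer) {
  const fields = viewer && viewer.id === row.id ? SELF_USER_FIELDS : PUBLIC_USER_FIELDS;
  return pick(row, fields);
}

// Keys that must never appear in any response, however deeply nested.
const NEVER_SEND = new Set(['passwordHash', 'mfaSecret', 'apiKey']);

// findSecretPaths walks a value and returns JSON-path-like locations of any
// denied key, e.g. "$.users[0].passwordHash".
function findSecretPaths(value, path = '$', found = []) {
  if (Array.isArray(value)) {
    value.forEach((v, i) => findSecretPaths(v, `${path}[${i}]`, found));
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      if (NEVER_SEND.has(k)) found.push(`${path}.${k}`);
      findSecretPaths(v, `${path}.${k}`, found);
    }
  }
  return found;
}

// toJsonResponse is the only serializer route handlers use; it fails loudly
// instead of leaking when a raw row slips through.
function toJsonResponse(value) {
  const leaks = findSecretPaths(value);
  if (leaks.length > 0) throw new Error(`refusing to serialize secrets at ${leaks.join(', ')}`);
  return JSON.stringify(value);
}
```

The allow-list is the real control; the denied-key scan is a safety net that turns an accidental res.json(row) into a failing test rather than a leak.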
10. Establish logging and monitoring
You can notice some attackers without logging. Others, however, prefer to remain undetected for an extended period.
When you monitor logs and metrics, it is far easier to spot anomalies and prevent a breach of your data. Only with logging and monitoring in place can you tell where odd-looking requests come from: your app, a third-party API, or an attacker.
Our Experience and Successful Projects
These days, Node.js has proven to be one of the most popular platforms on the web. KeenEthics frequently uses Node.js when developing projects for our clients. One of the successful projects where we adopted the technology is Bookmaker.
While working on Bookmaker, KeenEthics solved challenges such as:
- inconsistent design, where we conducted a UX audit to evaluate technological constraints and determine the most critical design solutions;
- platform usability, where we built an adaptable and transparent system and removed all barriers to using the product for different audiences;
- structuring, where we simplified the process of writing a book and systematized the workflow;
- device compatibility, where we created a responsive design;
- data safety, where we added validation for endpoints, improved error handling, minified code, added access checks for each role, followed OWASP standards, checked the CORS policy, and analyzed npm vulnerabilities;
- the functionality of MS Word or Google Docs, which we recreated in a short period of time.
Since we constantly develop and grow, we try to implement effective practices to achieve security in development, including security in Node.js.
In this article, we have reviewed some critical questions related to Node.js that are topical in 2022 and the coming years. We analyzed why the risks exist in Node.js projects, the components causing security issues, the top security risks, and their solutions. Along with that, we discussed our experience with Node.js and one of the many projects we developed using this technology.
Node.js security requires a deep dive into the actual source of a third-party package. We recommend you learn more about the open-source package dependencies of your applications and the hidden elements of their licenses. In addition, you can also address the Node.js vulnerability concerns by leveraging dedicated security tools and audits.
It is not always obvious what needs to be done when security issues appear. For this reason, use our advice, and you will be able to prevent vulnerabilities in your projects. Since this is not the ultimate list of Node.js security best practices, we suggest you view the full Node.js security guide. We have presented our list of best practices to help you understand your security priorities. We hope you find this article helpful. If you still have questions, talk to us, and we will help you make security a best practice.
Do you need help ensuring the security of your Node.js app?
KeenEthics is among the leading Node.js development companies, with a team of Node.js developers delivering high-quality solutions. We have the professional expertise to help you prevent security risks from conception to production. Contact us and bring your idea to life.
Thank you to Gilad David Maayan for contributing this article. Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Samsung NEXT, NetApp, and Imperva, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership.