NodeJs Security

We need to protect our application or API from security attackes that my harmful our application.

Types Of attackes

  • Denial of service DOS-Attackes
    Dos attacks will crash / shut-down a network or our machine (Making it inaccessible) which means users are not able to access your application. Attacker accomplishes this by sending requests creating traffic to make your service slower or crash it.

  • Cross site scripting XSS attacks
    attackers inject malicious scripts into the form of a browser so that attackers can get cookies/tokens or other sensitive data.

  • Brute force attacks
    Brute force attack is a method used to obtain sensitive data such as user password or personal identification number (PIN)attackers most likely rely on automated software to generate a large number of guesses to the value of desired data.
    With Brute Force Attacks, attackers can crack encrypted data (password, PINs).

  • SQL/NO-SQL injection
    Injection makes it possible for an attacker to execute malicious SQL/NoSQL statements. With SQL/NoSQL Injection Attacks, attackers can bypass authentication, authorization, retrieve the content of the entire SQL/NoSQL database, add, modify, delete data in the database.

How to prevent these attacks from happening in your application

Preventing DOS Attacks

  • Limit the actual payload that the user can submit to your app/API service.
    Express comes with a built-in body parser that you can use.
const express = require("express");
const app = express();
app.use(express.urlencoded({ extended:  true }));
app.use(express.json({limit:"10kb"}));//body-limit is 10kb

Or we can use body-parser package and pass limit option to json options.

  • Another feature of the express is the set rate-limit you can set a maximum amount of requests for each user. after the user uses all of his requests, you can lock him out for a certain amount of time.
    first, install this package npm i express-rate-limit
const limit = rateLimit(
    max:100//number of requests
    windowMS:60*60*1000//1 hour
    message:"Too Many requests"//message to send
);
app.use("/routeName",limit);//setting limit for a specific request

Preventing XSS-Attacks

  • you can sanitize user data, on input. This is very easy to implement, and we can use another useful dependency called xss-clean. this package prevents the user from inserting HTML & scripts in the input. npm i xss-clean
const xss = require("xss");
app.use(xss());
  • Give your project special HTTP headers using helmet dependancy npm i helmet
const helmet = require("helmet");
app.use(helmet());
  • If you are using JSON Web Tokens (JWT) instead of express-session for example, you should consider storing JWT’s into the cookies. As well, make sure these cookies for JWT storing are HTTP Only!

Prevent brute force attacks

  • One of the most efficent way that helps to deal with brute force attacks is set limit to login attempts.
  • you can also use express-rate-limit dependancy it’s used for DOS and brute force attacks.
  • use a bcrypt dependancy it will encrypt. Bcrypt will encrypt sensitive data such as passwords and it will make them harder to guess.
  • use two factor of authentication

Preventing no-sql/sql injection

Either if you are working with sql/no-sql databases you should sanitize your data.
For SQL-database there is a node-sql that manage sanitizing data.
For no-sql there is a package called express-mongo-sanitize
helps for sanitizing data npm i express-mongo-sanitize

const mongoSanitize = require("express-mongo-sanitize");
app.use(mongoSanitize());

After all explaination you can see this is the last code that handle and prevent all security attacks discussed before in this articale.

// Importing Dependencies  
const express = require('express');  
const rateLimit = require('express-rate-limit');  
const helmet = require('helmet');  
const mongoSanitize = require('express-mongo-sanitize');  
const xss = require('xss-clean');
const app = express();// Helmet  
app.use(helmet());// Rate Limiting  
const limit = rateLimit({  
    max: 100,// max requests  
    windowMs: 60 * 60 * 1000, // 1 Hour of 'ban' / lockout   
    message: 'Too many requests' // message to send  
});  
app.use('/routeName', limit); // Setting limiter on specific route// Body Parser  
app.use(express.json({ limit: '10kb' })); // Body limit is 10// Data Sanitization against NoSQL Injection Attacks  
app.use(mongoSanitize());// Data Sanitization against XSS attacks  
app.use(xss()