Chapter 15. Guards at the Gate
Security in web applications goes beyond ensuring that people don’t have access to the application server. Security can be complex, and even a little intimidating. Luckily, when it comes to Node applications, most of the components we need for security have already been created. We just need to plug them in, in the right place and at the right time.
In this chapter, I break down security into four major components: encryption, authentication and authorization, attack prevention, and sandboxing:
- Encryption
Ensures that data transmitted over the Internet is safe, even if it is intercepted midroute. The only receiver that can actually decrypt the data is the system that has the proper credentials (typically a key). Encryption is also used for data that must be stored confidentially.
- Authentication and authorization
Consist of the logins we get whenever we need to access protected areas of an application. Not only do these logins ensure that a person has access to a section of an application (authorization), they also ensure the person is who she says she is (authentication).
- Attack prevention
Ensures that someone who is submitting data via a form isn’t trying to tack on text that can attack the server or the database you’re using.
- Sandboxing
Barricades script so it doesn’t have access to the system resources—it operates only within a limited context.
Encrypting Data
We send a lot of data over the Internet. Most of it isn’t anything essential: Twitter updates, web ...
Get Learning Node now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.