O'Reilly logo

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Secure Your Node.js Web Application

Book Description

Cyber-criminals have your web applications in their crosshairs. They search for and exploit common security mistakes in your web application to steal user data. Learn how you can secure your Node.js applications, database and web server to avoid these security holes. Discover the primary attack vectors against web applications, and implement security best practices and effective countermeasures. Coding securely will make you a stronger web developer and analyst, and you'll protect your users.

Bake security into your code from the start. See how to protect your Node.js applications at every point in the software development life cycle, from setting up the application environment to configuring the database and adding new functionality. You'll follow application security best practices and analyze common coding errors in applications as you work through the real-world scenarios in this book.

Protect your database calls from database injection attacks and learn how to securely handle user authentication within your application. Configure your servers securely and build in proper access controls to protect both the web application and all the users using the service. Defend your application from denial of service attacks. Understand how malicious actors target coding flaws and lapses in programming logic to break in to web applications to steal information and disrupt operations. Work through examples illustrating security methods in Node.js. Learn defenses to protect user data flowing in and out of the application.

By the end of the book, you'll understand the world of web application security, how to avoid building web applications that attackers consider an easy target, and how to increase your value as a programmer.

What You Need:

In this book we will be using mainly Node.js. The book covers the basics of JavaScript and Node.js. Since most Web applications have some kind of a database backend, examples in this book work with some of the more popular databases, including MySQL, MongoDB, and Redis.

Table of Contents

  1.  Acknowledgments
  2.  Preface
    1. Who Should Read This Book?
    2. What’s in This Book?
    3. Online Resources
  3. 1. Meet Your Tools
    1. Meet Node.js
    2. Meet JavaScript
    3. Wrapping Up
  4. 2. Set Up the Environment
    1. Follow the Principle of Least Privilege
    2. Start with the Basics: Secure the Server
    3. Avoid Security Configuration Errors
    4. Wrapping Up
  5. 3. Start Connecting
    1. Set Up Secure Networking for Node.js Applications
    2. Decide What Gets Logged
    3. Don’t Forget About Proper Error Handling
    4. Wrapping Up
  6. 4. Avoid Code Injections
    1. Identify Code Injection Bugs in Your Code
    2. Avoid Shell Injection in Your Application
    3. Wrapping Up
  7. 5. Secure Your Database Interactions
    1. Start with the Basics: Set Up the Database
    2. Separate Databases for Better Security
    3. Identify Database Injection Points in Your Code
    4. Avoid SQL Injection Attacks
    5. Mitigate Injection Attacks in NoSQL Databases
    6. Wrapping Up
  8. 6. Learn to Do Things Concurrently
    1. A Primer on Concurrency Issues
    2. Ways to Mitigate Concurrency
    3. Concurrency with MongoDB Explained
    4. Concurrency with MySQL Explained
    5. Wrapping Up
  9. 7. Bring Authentication to Your Application
    1. Store the Secret in a Safe Place
    2. Enforce Password Strength Rules on Your Users
    3. Move the Password Securely to the Server
    4. Deal with the Fact That Users Will Forget
    5. Add Other Authentication Layers for Better Security
    6. Wrapping Up
  10. 8. Focus on Session Management
    1. Set Up Sessions for Your Application
    2. Anonymize the sessionID Used
    3. Let the Session Die, aka Set a Time-to-Live
    4. Secure the Cookies so No One Can Steal Them
    5. Re-create the Session When the User Logs In
    6. Bind the Session to Prevent Hijacking
    7. Wrapping Up
  11. 9. Set Up Access Control
    1. Access Control Methods
    2. Missing Function-Level Access Controls in Your Code
    3. Don’t Use Insecure Direct Object References
    4. Wrapping Up
  12. 10. Defend Against Denial-of-Service Attacks
    1. Recognize Denial-of-Service Attacks
    2. Avoid Synchronous Code in Your Application
    3. Manage How Your Application Uses Memory
    4. Avoid Asymmetry in Your Code
    5. Wrapping Up
  13. 11. Fight Cross-Site Scripts
    1. Recognize Different Types of XSS
    2. Prevent XSS Through Configuration
    3. Sanitize Input for Reflected/Stored XSS
    4. Sanitize Input for DOM XSS
    5. Wrapping Up
  14. 12. Avoid Request Forgery
    1. Follow the Logic to Protect Against CSRF
    2. Synchronize Your Tokens as Part of CSRF Protection
    3. O Request, Where Art Thou From?
    4. Avoid Setting Up Common CSRF Pitfalls in Your Code
    5. Wrapping Up
  15. 13. Protect Your Data
    1. Understand Your Application’s Data Flow
    2. Protect the Client Application and Data
    3. Securely Transfer Data in Your Application
    4. Secure the Data Stored Within Your Application
    5. Wrapping Up
  16. 14. Secure the Existing Codebase
    1. Perform a Risk Assessment First
    2. Test Your Application’s Code Quality
    3. Analyze Your Application’s Data Flow
    4. If Nothing Else, Use a Helmet
    5. Clean the Modules You Use in Your Code
    6. Test Your Application Security Thoroughly
    7. Wrapping Up
    8. Where to Go from Here
  17.  Bibliography