O'Reilly logo
live online training icon Live Online training

Secure JavaScript with Node.js

Defensive coding practices for secure Node apps

Chetan Karande

Being lightweight and efficient, Node.js has rapidly become a platform of choice for building fast, scalable, and I/O intensive modern applications. Although there’s a widespread Node.js adoption for diverse use cases, security is arguably the least-explained topic and one of the top concerns for Node.js developers today.

In this hands-on, in-depth exploration of the security best practices for the Node.js, participants will dive into Node.js specific idiosyncrasies, JavaScript language constructs, and related security implications. Along the way, participants will gain practical knowledge essential for building secure and resilient Node.js applications.

What you'll learn-and how you can apply it

By the end of this live, hands-on, online course, you’ll understand:

  • Node.js and JavaScript runtime constraints, and how to prevent Denial of Service attacks exploiting them
  • Asynchronous programming model and error handling mechanisms
  • Unsafe Node.js and JavaScript features, related security issues, and safer alternatives for them

And you’ll be able to:

  • Understand how a malicious attacker thinks about your application by finding and exploiting these vulnerabilities
  • Incorporate defensive coding practices to bake-in security in your apps from the beginning
  • Efficiently conduct a security code review of a Node.js application.

This training course is for you because...

  • You’re a developer looking to improve the security of your Node.js application
  • You work as part of a security team and want a fundamental understanding of security issues specific to the Node.js platform.


  • Familiarity and comfort with the basics of JavaScript and Node.js

Recommended preparation:

  • Verify that you have Node.js 8.x or above installed locally, as well as Visual Studio Code (or another IDE of your choice) and Git.

Recommended follow-up:

About your instructor

  • Chetan Karande is a full stack web developer, security researcher, author, and trainer. He’s the author of Securing Node Applications (O’Reilly). He’s also the project leader for the OWASP NodeGoat project, an open source platform to learn about Node.js security, and a contributor to multiple open source projects.


The timeframes are only estimates and may vary according to how the class is progressing

Opening Exercise (10 minutes)

  • Getting familiar with the hands-on lab code and pre-assessment for security issues

Node.js internal Architecture (15 minutes)

  • Presentation: Review key building blocks of a Node.js server
  • Discussion: Strengths and security weakness of the architecture choices

Node.js and JavaScript runtime constraints (40 minutes)

  • Presentation: Node.js and V8 runtime constraints and security attacks exploiting them
  • Hands-on exercise: Code review to find vulnerabilities exploiting system constraints
  • Q&A
  • Break (5 minutes)

Insecure use of JavaScript features (30 minutes)

  • Presentation: Unsafe JavaScript language features and security attacks exploiting them
  • Hands-on exercise: Code review to find vulnerabilities exploiting Insecure use of JavaScript Features
  • Q&A

Insecure deprecated Node.js methods (15 minutes)

  • Presentation: Review commonly used Node.js features that are deprecated due to security issues.
  • Q&A
  • Break (5 minutes)

Error handling for Asynchronous Programming Model (20 minutes)

  • Presentation: Node.js consistent non-blocking programming interface and error handling per asynchronous programming mechanism
  • Hands-on exercise: Code review to find incorrect/missing error handling
  • Q&A

Unsafe use of Node.js methods with access to System Resources (20 minutes)

  • Presentation: Security attacks exploiting access to system level resources.
  • Hands-on exercise: Code review to find unsafe use of Node.js methods allowing unexpected access to system resources
  • Q&A

Recap, further learning, and wrap-up (15 minutes)