Node.js has been around for a while already, strengthening the “JavaScript everywhere” doctrine. It is now widely used by various companies, including some market giants, such as Uber, PayPal, and Netflix, growing to be a viable alternative to Java or PHP. But while it’s relatively easy to compare these technologies in terms of their performance or scalability, comparing their security doesn’t seem to be that easy. Or does it?
Being a JavaScript creation, Node shares some safety issues with JS and other platforms. But where JavaScript traditionally runs client-side, Node is executed server-side, which exposes it to a different set of threats. Moreover, even though the core of Node.js is secure, the use of third-party components may result in additional risks. Reusable software packages, issued by entities other than the original vendor, are useful but risky. The way such components are configured, installed and deployed calls for additional measures to secure web applications.
Is Node safe?
Can we explicitly state that Node.js is safe? Not really. Neither are elevators, cars, planes, or even emails. There are no 100% bullet-proof email providers, offering absolutely safe services. But there are various options that enhance the safety of your correspondence.
Like any other human-made technology, programming languages and environments present advantages and threats. Most technologies can be made as secure as possible with the proper use of certain principles, and Node.js is not an exception. In this article, we’ll focus on the best Node.js safety enhancing practices.
What are the most common security issues of Node.js?
Node.js is perceived by some to be a security threat itself. The main reason might be the lack of default error handling, which stems from the way the platform is built. As a result, a single unhandled error can shut the server down and leave the application malfunctioning.
Besides typical web application security issues, such as cross-site scripting, cross-site request forgery, security misconfiguration, and unvalidated redirects and forwards, the most common Node.js threats include problems specific to this technology, like phishing in NPM (malicious modules with similar names) or Regular Expression Denial of Service (ReDoS).
Lock and load, threats ahead. Node.js security vulnerabilities
Threats for web applications can emerge from various directions. The internet is not a safe place for fragile applications, but a wide range of good practices, beneficial components, and precautions adds up to Node apps’ security.
Here come 13 Node.js safety enhancing practices answering some of its biggest threats:
1. Don’t stick to the old versions of Express
According to the Node.js User Survey Report 2018, Express is the most popular web application framework for Node.js. Be careful, though! While Express itself does not have much to do with apps’ security (it’s simply not its role), its older versions may be a part of the threat. To ensure the security of built applications, only the up-to-date and maintained versions should be used.
2. Install Helmet
If you choose to use Node.js with the Express framework, Helmet is a must-have! It is a collection of smaller middleware functions that set security-related HTTP headers, helping to prevent cross-site scripting and man-in-the-middle attacks and to enforce secure (HTTP over SSL/TLS) server connections.
3. Use TLS (Transport Layer Security)
TLS is an encryption technology that prevents common attacks. It is recommended especially when dealing with sensitive data, as TLS secures both the connection and the data transmitted.
4. Prevent XSS (Cross Site Scripting)
Cross Site Scripting is one of the most popular types of threats Node.js is vulnerable to. Simply put, it enables attackers to inject client-side scripts into web pages viewed by other users, which may lead to data leaks. Preventing XSS attacks is possible by output encoding and the use of tools like the Jade engine with built-in encoding structures.
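Output encoding applied by default, as a template engine with built-in encoding does it, shown as an added example that is not part of the original article. The helper names (`escapeHtml`, `SafeHtml`, `html`) are hypothetical and the comment string is constructed sample input.

```javascript
// Characters that can change HTML structure, mapped to their entities.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for use in an HTML body or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Marker for markup that was already produced by the template tag.
class SafeHtml {
  constructor(markup) { this.markup = markup; }
  toString() { return this.markup; }
}

// Tagged template: every interpolated value is encoded unless it is
// already SafeHtml, so encoding is the default, not an opt-in.
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((v, i) => {
    out += (v instanceof SafeHtml ? v.markup : escapeHtml(v)) + strings[i + 1];
  });
  return new SafeHtml(out);
}

// Constructed input: a user comment carrying a script tag.
const comment = '<script>alert(1)</script>';

// String concatenation: the comment becomes live markup in the page.
function renderUnsafe(c) { return '<p class="comment">' + c + '</p>'; }

// Encoded output: the browser shows the comment as text.
function renderSafe(c) { return String(html`<p class="comment">${c}</p>`); }
```

This encoding is correct for HTML body text and quoted attribute values only; values placed inside script blocks or URLs need encoding for that context.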
5. Use Anti-Forgery Tokens
Preventing Cross-Site Request Forgery (CSRF) requires the use of Anti-Forgery Tokens. Anti-CSRF tokens accompany the user’s request, prevent one-click attacks and are used by the server to validate the request’s authenticity.
6. Add csurf package to your Node.js code
The module serves as a CSRF protection middleware for token creation and validation. Csurf helps to prevent CSRF attacks by blocking requests made on behalf of application users without their knowledge.
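What token creation and validation (practices 5 and 6) involve, as an added example built on Node's core `crypto` module; it is not csurf's code and not from the original article. The function names, the `x-csrf-token` header and the `req` shape are assumptions for illustration.

```javascript
const crypto = require('node:crypto');

// Assumption: a server-side secret; generated per process for this demo.
const SERVER_SECRET = crypto.randomBytes(32);

function mac(sessionId, nonce, secret) {
  return crypto.createHmac('sha256', secret).update(`${sessionId}|${nonce}`).digest();
}

// Creation: a random nonce plus an HMAC that binds it to one session.
function issueCsrfToken(sessionId, secret = SERVER_SECRET) {
  const nonce = crypto.randomBytes(16).toString('hex');
  return `${nonce}.${mac(sessionId, nonce, secret).toString('hex')}`;
}

// Validation: recompute the HMAC for the caller's session and compare
// in constant time. Malformed tokens are rejected before any comparison.
function verifyCsrfToken(sessionId, token, secret = SERVER_SECRET) {
  if (typeof token !== 'string') return false;
  const parts = token.split('.');
  if (parts.length !== 2 || !/^[0-9a-f]{32}$/.test(parts[0])) return false;
  const given = Buffer.from(parts[1], 'hex');
  const expected = mac(sessionId, parts[0], secret);
  // timingSafeEqual throws on unequal lengths, so check length first.
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Gate for incoming requests: read-only methods pass, state-changing
// methods must carry a token valid for the requester's session.
function allowRequest(req) {
  if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) return true;
  return verifyCsrfToken(req.sessionId, req.headers['x-csrf-token']);
}
```

A forged cross-site request arrives with the victim's session cookie but without the token, so `allowRequest` rejects it.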
7. Set cookie security options
Keeping the default session cookie name is risky, because it can expose your application to attacks. The wiser solution is to use one of the cookie session middleware modules, cookie-session or express-session, and set the cookie options explicitly.
8. Disable X-Powered-By header
Disabling the X-Powered-By header is a simple yet efficient way to avoid one of the common Node.js security risks, since attackers use this header for reconnaissance. X-Powered-By, sent with each response, tells hackers what technology is used, which makes it easier to exploit its weaknesses. Disabling the header hides the information on what powers the server in use.
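A check that practices 2, 7 and 8 actually took effect, as an added example that is not from the original article: it audits a response's headers for the framework banner, missing hardening headers, and weak session cookies. Both sample responses are constructed, and `auditHeaders` is a hypothetical helper; header names are lowercase, as Node's `http` module reports them.

```javascript
// Constructed sample: headers an unhardened Express app might send.
const defaultResponse = {
  'x-powered-by': 'Express',
  'set-cookie': ['connect.sid=s%3Aconstructed-value; Path=/; HttpOnly'],
};

// Constructed sample: the same response after hardening.
const hardenedResponse = {
  'strict-transport-security': 'max-age=15552000; includeSubDomains',
  'x-content-type-options': 'nosniff',
  'set-cookie': ['appSession=constructed-value; Path=/; HttpOnly; Secure; SameSite=Lax'],
};

// express-session's default cookie name; extend the list for other middleware.
const DEFAULT_COOKIE_NAMES = ['connect.sid'];

function auditHeaders(headers) {
  const findings = [];
  if ('x-powered-by' in headers) findings.push('x-powered-by discloses the framework');
  if (!headers['strict-transport-security']) findings.push('missing strict-transport-security');
  if (headers['x-content-type-options'] !== 'nosniff') {
    findings.push('missing x-content-type-options: nosniff');
  }
  // set-cookie may be a single string or an array of strings.
  for (const cookie of [].concat(headers['set-cookie'] || [])) {
    const [pair, ...attrs] = cookie.split(';').map((s) => s.trim());
    const name = pair.split('=')[0];
    const flags = attrs.map((a) => a.split('=')[0].toLowerCase());
    if (DEFAULT_COOKIE_NAMES.includes(name)) {
      findings.push(`cookie ${name}: default session name`);
    }
    for (const flag of ['httponly', 'secure', 'samesite']) {
      if (!flags.includes(flag)) findings.push(`cookie ${name}: missing ${flag}`);
    }
  }
  return findings;
}
```

Run against captured staging responses, a non-empty result from `auditHeaders` points to the setting that was missed.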
9. Use supervisor programs
Supervisors monitor the running program, and once an error occurs and the program crashes, they restart it. Importantly, supervisors such as pm2, forever, and nodemon can also restart programs when files change. Using tools that orchestrate the code contributes to a better app construction and its overall threat resistance.
10. Split your app into microservices
As the project grows over time, it gains new users and sets of additional features. Growth can result in a challenging size, which also affects security. Microservices are self-contained units making up big applications. Splits enable isolation, better scalability, and individual testing of separate elements.
11. Use linter security rules
Various linter plugins enable finding possible Node.js security issues in the early stage of development before deploying to production. Tools like ESLint not only enforce cleaner code but also help to eliminate potentially threatening mishaps.
12. Use NPM, the Node Package Manager
NPM enables better control of dependencies and more efficient workflow. Additionally, the NodeSource’s Certified Modules service that was released 2 years ago checks code quality, licenses, and exposure to threats.
13. Arm your app with the Cloudflare WAF (Web Application Firewall)
Cloudflare WAF is one of the firewalls that contribute to the safety of enterprise-scale web applications. It protects applications from cross-site scripting, cross-site request forgery, and SQL injection attacks.
Node.js safety practices – summary
Is Node.js safe after all? In the end, it’s not only about what tool or technology you use but HOW you do it. Possessing the most advanced kitchen aid doesn’t make you a master chef in a snap. The key to success, in this case – safety, is expertise. The technology is just a tool in developers’ hands, and most criticism towards Node.js rather applies to the ways it is used and not to what it is. Certain issues occur because of what the platform is used for, not solely because of its character. Node.js, just like other languages, is secure when developed with care and subject to best practices.