Security. A term which we use everyday but we fail to understand the depth and seriousness of it. It becomes more prominent to understand its role as a NodeJS developer because software systems are now an essential part of our daily lives.
The more abstraction added to software engineering, the harder it is to ensure security at the lowest level. But guess what? A lot of times, it’s not the lowest but the most abstract level that’s breached.
For example- WordPress, the world’s most used website development software, is exploited almost regularly, be it the core or its plugins. Unless the plugin owners or security researchers share the information, the end developer does not really know the impact of the security issues on their websites.
Here are some statistics related to Node.js web application development security:
1. The most common types of vulnerabilities in Node.js applications are cross-site scripting (XSS) and SQL injection.
2. The OWASP Top 10 list of web application security risks also applies to Node.js applications, with injection flaws, broken authentication and session management, and security misconfiguration being among the most prevalent.
3. A study by NodeSource found that 60 percent of developers aren’t confident in the security of their applications.
4. Node.js applications are particularly vulnerable to supply chain attacks, where attackers exploit vulnerabilities in third-party dependencies to compromise the entire application. A study by Snyk found that 40% of Node.js vulnerabilities were related to dependencies.
5. Node.js applications are also at risk from server-side request forgery (SSRF) attacks, which can allow attackers to access internal systems and data. A study by Contrast Security found that 25% of Node.js applications were vulnerable to SSRF attacks.
6. The use of the npm registry to install third-party packages makes Node.js applications vulnerable to typosquatting attacks, where attackers create malicious packages with similar names to popular packages in the registry. A study by Sonatype found that 17% of npm packages were affected by typosquatting.
7. The use of serverless architectures with Node.js can increase security risks, as developers may not have full visibility or control over the underlying infrastructure. A study by PureSec found that 21% of serverless applications had at least one critical vulnerability.
As you can see, the scope of vulnerabilities keeps evolving with time and security researchers have a painful time assessing and fixing those vulnerabilities.
Recent examples of vulnerabilities include:
- Broken Access Control – This vulnerability has moved up to the top spot in the 2021 OWASP Top 10 list. It occurs when an attacker can exploit access controls to gain unauthorized access to sensitive information or perform unauthorized actions.
- Cryptographic Failures – Previously known as “Sensitive Data Exposure,” this vulnerability has shifted up to the second position in the 2021 OWASP Top 10 list. It focuses on failures related to cryptography, which can lead to sensitive data exposure or system compromise. Read more about this here.
- Log4j2 Vulnerability – This is a real-life example of “Vulnerable and Outdated Components” (A06:2021). The Log4j2 vulnerability allowed attackers to execute arbitrary code on affected systems, leading to widespread exploitation. Read more here.
- Integrity Failures – A new category added in 2021, “Software and Data Integrity Failures” (A08:2021), focuses on making assumptions related to software updates, critical data, and CI/CD pipelines without verifying integrity. Insecure Deserialization from 2017 is now part of this larger category. You can read more about this here.
While OWASP is doing their task of assisting developers with latest security bulletins and offering best practices, its our job as developers to make sure that we follow them as much as possible. With growing Internet usage by the day, security can’t be implemented in any software system as an afterthought.
Securing NodeJS applications
As a Node.js developer, here are some best practices and tools you can use to secure Node.js applications.
Implement HTTPS:
First and foremost, use HTTPS to encrypt data transmitted between the client and server. You can use tools like Let’s Encrypt to obtain free SSL/TLS certificates. This is the bare minimum that you HAVE to do to secure your website. Even for development and test servers, ensure that you are using HTTPS for securing connections. If you are not using an SSL/TLS certificate, we suggest you do this first before reading further.
Keep Node.js and its dependencies up-to-date:
Keeping Node.js and its dependencies up-to-date is important to patch known security vulnerabilities. You can use tools like npm-check-updates to easily update your dependencies.
NPM also has an ‘audit’ command. The audit command submits a description of the dependencies configured in your project to your default registry and asks for a report of known vulnerabilities.
After assessing the output of the audit command, you should run the npm audit fix
command to upgrade to the latest dependencies so that the vulnerabilities are addressed, if any.
Use a Web Application Firewall (WAF):
A WAF can help protect your Node.js application by filtering out malicious traffic before it reaches your server. At the most basic level, you should use your cloud provider’s firewall to protect your application from DDoS and other similar attacs. Some of the leading cloud providers like CloudFlare and AWS offer a free WAF service.
To further strengthen your application, you should use a firewall like NAXSI to protect your reverse proxy server. NAXSI “Nginx Anti XSS & SQL Injection” is a free, open-source and high-performance web application firewall that can be used to protect your webserver against different types of attacks like SQL Injections and Cross-Site Scripting. NAXSI works by detecting unexpected characters in the HTTP GET and POST requests.
Implement secure authentication and authorization:
Use industry-standard authentication and authorization methods such as OAuth or JSON Web Tokens (JWT) to ensure secure access control to your Node.js application. Unless there are limitations in your implementation, you should use secure web cookies for authenticating incoming requests.
We also recommend to follow the principle of least privilege. The principle of least privilege (PoLP) is an information security concept which maintains that a user or entity should only have access to the specific data, resources and applications needed to complete a required task. You should also implement multi-factor authentication like TOTP, to ensure that only authorized users are able to access the server resources.
Use security-focused Node.js packages:
There are many NPM packages which are built to secure the Nodejs web application. Helmet, for example, helps you secure your Express apps by setting various HTTP headers. XSS-Clean is another package that Sanitizes user input coming from POST request body (req.body), GET request query (req.query) and URL parameters (req.params).
If you are using MongoDB as your database, you should use Express Mongo Sanitize which searches for any keys in objects that begin with a $ sign or contain a . from req.body, req.query or req.params and either removes such keys and data or replaces the prohibited characters with another allowed character.
Implement input validation and sanitization:
A lot of data leaks happen because of poor input validation and sanitization processes. Data leaks occur because of SQL or MongoDB query injections. Ensure that all input data is validated and sanitized to prevent malicious data from being processed by your application. You can use modules like Joi or validator.js to help with input validation.
Apart from data leaks, a lot of web applications are compromised thanks to binary file uploads. In such attacks, the attackers usually upload binary files which are executable. Since many applications directly upload files in a publically accessible locations, the file uploader then directly executes the file by guessing its location on the server and opening it in the browser. To avoid such attacks, make sure to allow only certain types of files to be uploaded.
One should also use storage services like AWS S3 to keep the files inaccessible from public clients, unless requested by a pre-signed URL.
Use logging and monitoring:
Implement logging and monitoring to detect and respond to security events in real-time. Tools like Winston or Bunyan can be used for logging, and monitoring tools like New Relic or Datadog can be used for real-time monitoring.
Apart from application level logging, the actual server (Nginx, for example) should also be configured to save complete logs of all the incoming requests. You can use tools like ElasticSearch, Logstash and Kibana (ELK stack) to visualize any unwanted situations, if they occur.
For monitoring, we recommend installing Netdata on your servers to get real-time, deep-level monitoring of the complete operating system.
Conclusion:
The current state of rapid development and adoption of the Internet demands that your NodeJS applications be as secure as possible. From data leaks to impersonation, bad actors are on their toes to exploit vulnerabilities. From CPUs to Operating Systems, every part of the system has been targeted and will be targeted. As NodeJS backend developers, it’s our responsibility to make sure that your system uses the best practices as outlined in the article above.
If you are a startup and are looking for the best NodeJS development team who understands security, you are at the right place. Our team of dedicated Node developers have built some of the most scalable and secure applications for large enterprises as well as for startups. Our NodeJS have security best practices baked in. Let’s talk and get your MVP off the ground. Reach out to us at hello@citrusleaf.in today.