But is it secure?
What Is Node.js and How It Works
A Node.js application is usually assembled from a series of third-party libraries and frameworks that define and run its database connections, background processes, authentication, user sessions, and anything else the application needs to do.
While Node.js itself has its own set of security concerns, such as npm phishing and regular expression denial-of-service (ReDoS) attacks, the real threat lies in the jigsaw-like way your application is pieced together from those third-party parts.
For example, Express.js is often used to provide server-side logic. It is a backend framework that developers use to create APIs for frontend consumption. Security vulnerabilities arise when the traffic between those APIs and their consumers is not protected in transit.
One way to prevent this is to use TLS (Transport Layer Security) so that traffic is encrypted, which defeats common, low-effort attacks such as packet sniffing and man-in-the-middle interception. TLS keeps the connection between client and server confidential and authenticated, and it is the successor to SSL (Secure Sockets Layer).
Securing Your Express.js in code
One way to enforce security on your data, server, and code is to use HTTPS. By default, a Node.js server built with the http module sends content over plain HTTP. Using the built-in https module, you can require communication with the client to happen over an encrypted channel. Here is an example of how you can implement it:
To create the certificate that TLS requires, you can use a tool called Certbot. The installation process differs depending on what the server is running on. For an Nginx installation on Ubuntu 16.04 (xenial), you'll need to install snapd, the service that installs and manages snap packages.
To do this, open up the command line and run the following:
This will install the latest version of snapd.
The next step is to remove any certbot-auto and Certbot OS packages to prevent conflicts. The exact command varies with your OS package manager. Here are a few examples:
Once any preloaded installation is removed, you can install the certbot version that gives you more control over the certificate generation. Here is the command for it:
Next, make the certbot command available on your PATH so that it can be run.
There are two ways you can run certbot. The first is to get a certificate and have certbot deal with your Nginx configuration.
Or if you just want to get the certificate and do your own Nginx configuration, run this command instead:
Every certificate generated and installed by certbot has an expiration date and time. To check that automatic renewal works, use the following command:
The last step is to confirm that certbot worked by navigating to the https:// domain in your browser or via a Postman API call.
Increase Your Encoding Scope
While HTTPS and transporting your data over a secure connection helps, it is not the only technique that can be used to create digital armor for your Node.js application.
You can use escape-html to encode the HTML content you receive. It escapes the special characters in a string so that user input cannot be interpreted as markup, which prevents cross-site scripting (XSS).
To install escape-html into your project, use the following command:
To use in your Node.js project:
If you’re using Node.js as part of a MEAN or MERN stack, it’s also good practice to escape any CSS that you may receive. While CSS itself may seem harmless, it is another space where special characters can find their way into your backend.
One good Node.js module is js-string-escape. Here is how you can install it:
Here is an example of how to use it:
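An added example (not from the original article) covering both modules above: escape-html for HTML text and attribute contexts, and js-string-escape for a value placed inside an inline script string. When the packages are not installed it falls back to inline functions that reproduce their escaping rules (an assumption about their output); the renderProfile function and its three contexts are constructed for this illustration.

```javascript
// Prefer the real npm module when it is installed; otherwise use an inline
// fallback that applies the same escaping rules (assumption: identical output).
function tryRequire(name, fallback) {
  try { return require(name); } catch { return fallback; }
}

// escape-html: & < > " ' become entities so input cannot close or open tags.
const escapeHtml = tryRequire("escape-html", (s) =>
  String(s).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]));

// js-string-escape: quotes, backslash and line terminators are backslash-escaped
// so input cannot break out of a JavaScript string literal.
const jsStringEscape = tryRequire("js-string-escape", (s) =>
  String(s).replace(/["'\\\n\r\u2028\u2029]/g, (c) =>
    ({ '"': '\\"', "'": "\\'", "\\": "\\\\", "\n": "\\n", "\r": "\\r",
       "\u2028": "\\u2028", "\u2029": "\\u2029" })[c]));

// Caveat: an inline <script> block ends at the first "</script>" no matter how
// the string is quoted, so "</" must also be neutralised for that context.
function escapeForInlineScript(s) {
  return jsStringEscape(s).replace(/<\//g, "<\\/");
}

// One untrusted value rendered into three different contexts of a page.
function renderProfile(displayName) {
  return [
    `<h1>Hello, ${escapeHtml(displayName)}</h1>`,                          // element text
    `<input name="display" value="${escapeHtml(displayName)}">`,          // quoted attribute
    `<script>var user = "${escapeForInlineScript(displayName)}";</script>`, // JS string
  ].join("\n");
}

module.exports = { escapeHtml, jsStringEscape, escapeForInlineScript, renderProfile };
```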
Helmet and Session Cookies
Here is a basic installation and usage of Helmet with express.js:
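As an added example that is not the article's own snippet: mount Helmet when it is installed, otherwise use a hand-written middleware that sets a comparable set of security headers (the header values are this example's choice, not Helmet's exact defaults), and audit a response for them. The fakeResponse helper stands in for an Express response so the check can run without a server.

```javascript
function tryRequire(name) { try { return require(name); } catch { return null; } }

// Header values chosen for this example (not a copy of Helmet's defaults).
const REQUIRED_HEADERS = {
  "strict-transport-security": "max-age=31536000; includeSubDomains",
  "x-content-type-options": "nosniff",
  "x-frame-options": "SAMEORIGIN",
  "referrer-policy": "no-referrer",
  "content-security-policy": "default-src 'self'; object-src 'none'; frame-ancestors 'self'",
};

// Express-style middleware used when Helmet is not available.
function fallbackSecurityHeaders(req, res, next) {
  for (const [name, value] of Object.entries(REQUIRED_HEADERS)) res.setHeader(name, value);
  res.removeHeader("X-Powered-By"); // Express advertises itself by default
  next();
}

const helmet = tryRequire("helmet");
// Mount with: app.use(securityHeaders);
const securityHeaders = helmet ? helmet() : fallbackSecurityHeaders;

// Names of the required headers missing from a response's headers object.
function missingSecurityHeaders(headers) {
  const present = new Set(Object.keys(headers).map((h) => h.toLowerCase()));
  return Object.keys(REQUIRED_HEADERS).filter((h) => !present.has(h));
}

// Minimal stand-in for an Express response, for running the check offline.
function fakeResponse() {
  const headers = {};
  return {
    setHeader: (k, v) => { headers[k.toLowerCase()] = v; },
    removeHeader: (k) => { delete headers[k.toLowerCase()]; },
    getHeaders: () => ({ ...headers }),
  };
}

module.exports = { REQUIRED_HEADERS, securityHeaders, fallbackSecurityHeaders, missingSecurityHeaders, fakeResponse };
```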
Express ships with default cookie settings that help you get started quickly during development. However, anything left in its default state is always a security risk. Why? Because those defaults, and the known ways to hijack a session that relies on them, are documented all over the Internet.
The quick and easy way to prevent this is to manually configure your session cookies by doing the following:
- set your own secret and salt it, rather than using a known default
- give the session cookie a new key (name) instead of the framework default
- flag the cookie httpOnly so it cannot be read by client-side script, a common route to hijacking
- set secure to true so the browser only sends it over TLS/SSL (HTTPS) requests
- set the domain the cookie is valid for
- set the path within that domain for which the cookie is sent
- and finally, set when the cookie expires.
Here is the code sample of how to configure your cookie in Express.js:
Returning to the question in the title, is Node.js secure? The answer is no, not on its own.
As with other backend languages such as Java and C++, we still need to add a series of security layers to prevent hijacks and data leaks.
The major vulnerabilities do not lie in Node.js or Express.js, but rather in how they get implemented. It doesn't matter which language or backend framework you end up using: if defaults are left as defaults, you are inviting malicious users to your data.
Node.js has the capabilities to secure your application on multiple levels, making it a good choice where security is concerned.