Securing your application in Node.js — Best Development Practices to Follow

Ronak Patel
7 min readJul 17, 2019

Application security is always on the stack, no matter what technologies and platform the app are built on. As technology advances, the vulnerability gets higher, and your company’s and customers’ sensitive data could be in the hands of intruders in just no time. Node.js is no exception to them, and application built Node.js platform can also be hacked. Node.js, on the other hand, has received a massive attention from the vendors and investors worldwide and which resulted in the platform to get exposed to security experts including hackers and cyber criminals as well. A little mistake while developing a web application can land you in big trouble.

So, before you begin the development process, think through all the vital security concerns. The tools, Programming languages, development platforms, third-party components and development practices you use have security measures and unfortunately, contain security vulnerability. Here your intelligence has to play a very crucial role in creating robust, intact and full-security-proof Node.js Web Application. There are ways which can help you make an absolutely robust and secure application, though there may be some situation when you are compelled not to compromise with the security, and that’s the winning step. I have also gone through some similar situation where I completely stopped building application spend quality hours on the internet, finding the right solutions for making a secure and safe web application.

Here’re some of our findings and Node.js web app development practices which will help you develop a fabulous application with intact security and safety. But, before we step into the Node.js development practices, we need to understand what Node.js web app development is.

What is Node.js?

Node.js is the JavaScript runtime environment which works as a platform to execute JavaScript code on the server -outside of the browser. When you are developing an application on Node.js, you have added benefits as the technology can be used for both Back-end and Front-end development. So, for one reason (choosing the right technology), you have a huge benefit, but does it stand by on all security measures? The answer could be, ‘NO’. But, that’s not impossible to achieve!

Here are Some best practices to do with NodeJS Development;

Adopt Linter Security Rules

Adopting security plugins like ESLint and TSLint such can make differences as you get instant security checks for all known vulnerabilities. We often have some mistakes in our code such as unsafe RegEx, and wrongly used eval(), use of non-literal filenames while accessing the file system within the application and much more. In short, there are plenty of security weaknesses which we unknowingly ignore during development, and these plugins help to remove them.

Node.js Authentication

Node.js authentication is the primary security state and each registered and defined user get permission to access the application as a whole. However, authentication is done in two ways: one is session-based while the other is token-based.

In session based, users, get access through the users’ credentials stored on the server. Users need to validate the account to start the session. Once the session expires, re-validation required to get into the next session.

In Token-based authentication, users need to generate a string called a token using their credentials. In this case, the users get to use the application as much time as they are associated with the server.

In both cases, the security depends on the security rules, used in the programming authentication flow. Long or infinite session (in session-based authentication) is convenient for the developers working on the application, though the risk of getting the app hacked is excessively higher in this case.

Similarly, in Token-based authentication, you can set never expire and use as long as you require. You are supposed to meet the same fate -get your app hacked in the hands of cyber criminals. You have two options left: either you avoid using infinite expiration periods or make sure the app is not getting to production.

Bonus: You can utilize some of the top noted authentications tools for validation.

· Access/JWT token

· PassportJS

· Auth Services

Precautions to Take While Error Handling

During development, you get an error message if any error occurs, and that’s common phenomena. But the care you should take is while handling the error as their chances of security breach higher during error handling as it can easily be exposed to hackers.

In the error message, you get an explanation regarding mistakes, and it is very common. But, when you response the message and improve what went wrong, you need to expose the entire log content on client-side, and that’s where the problem lies. It will be ample information for any experienced hackers to steal away sensitive data and information.

Things to Do: To avoid this, you need to make sure that this log content is not exposed to the Front-end, directly. Either run log in the background, or you can also replace the log with neutral error message while getting it opened in the Front-end.

Validation of Request

Validation of request is yet another thing to consider while developing an application on Node.js. Invalid request can hamper the performance of the Node.js application and impact on the robustness. So, you need to set measures to accept and reject a request by opting out some criteria explained here.

Data Type: You can set measures what data type has to be accepted. For example, you can set parameters to accept only numeric values. In such case, if anyone prompted with apart from the numeric value, it will be rejected.

Validation Formats: You can set validation formats, even if you have already decided the parameters. For example, you can set that only integers will pass the validation while the decimal value will be rejected.

Besides, there are plenty of tools and libraries developed by Node.js developers community to offer you create a secure application. They are free to download and use. Some of them include;

· node-validator

· express validator

· joi

Consider Securing Dependencies

Using third party modules for developing any project is in trend. There is nothing wrong in using third-party modules as you can save plenty of precious time and money. At the same time, it takes short time-to-market. However, do you check everything about the modules when selecting them for your projects? That’s the point to consider while choosing the modules. You need to ensure that the module you have selected for your project does nothing (stealing data, spying or hacking) in background.

Note: You can use specific tools to avoid this. For example;

· snyk

· nsp

These tools properly scan through the modules and dependencies you get for your project. The tools scan, and if anything vulnerable found, it will inform you instantly. For example;

Open Source -Open Invitation to Hack

I cannot deny that open source technologies have plenty of things to offer to the world development community. In Node.js applications also, using open source cannot be a wrong idea to go with, though you need to be experienced enough to understand and judge the ill-conspiracy. That means the open source is something that anyone can contribute and that’s a huge problematic, sometimes.

Developers with ill-mindset can make your project totally exposed to hackers. You need to take great care while using open source technologies for your projects. There may be hidden features which can create some serious threats to your projects.

Better Use Node.js Security Tools

Node.js is itself a powerful technology to create a robust application; it has plenty of other tools which help you create outstanding applications. Node.js, with its tools, can help you create secure and safe applications. Here are some of the best known Node.js tools, which really helpful for your projects in terms of improving security.

1. Helmet

Helmet sets HTTP response headers, and it works to filter out URLs and IP addresses to secure your app. It has 14 smaller middleware function which ensures the robustness of the application.

2. Immunio

It’s a real-time security tool for Node.js application. It protects your application from getting hacked by identifying unusual activities from vulnerable traffic. It can easily recognize bots, hacker, spammer or attacker and reject the authentication request. Immunio can protect you against OWASP runtime threat, that’s excellent benefits.

Note: The security tool can be used with Java, Python and Rails along with Node.js.

3. Lusca

A security module, Lusca gets you OWASP best practices by securing header and protects you against the unauthentic validation request. It’s just an alternative to Helmet security tool.

4. Jscrambler

Jscrambler provides intact security for Front-end by offering some unique approach. For example, it makes your web application self-defensive and helps it fight with the unauthorized request, fraud, and modification of code while the application is running. Most importantly, it keeps the application logic and data hidden on the client side. It has plenty of new and productive features, which include Real-time detection, notification and protection.

5. Templarbit

Templarbit can protect any malicious activities performed on web applications by the attackers. You can utilize the tool if you find more threats like XSS.

6. Snyk

Snyk is a popular tool which can be integrated into various other version controllers, servers such as GitHub, Jenkins, Circle CI, Travis and to name just a few to protect you from the know threats.

Final Words

Last but not the least, there are plenty of things which you can explore to enhance the safety and security of the application. I have listed out all the tools and practices which personally applied while developing Node.js Applications. There are plenty of other Node.js best practices available online to improve the security of your Node Application.

--

--

Ronak Patel

Full Stack Developer | Angular | React | RoR | CEO @ Aglowid IT Solution | For Projects: sales@aglowiditsolutions.com | Skype: aglowid |