Talk slides and notes

SFNode meetup talk (November 2018)


Security happens in layers. Node.js is part of an ecosystem, and there are many tools that help you code quickly while remaining secure. Adding security controls does not make vulnerabilities disappear; good security buys you more time to detect, react to and counter active attacks.

Security happens in layers: the ecosystem


Threats by category, Top 10 Threats 2017

A1: Injection

  • "tl;dr" Solution: make sure to validate the data you get from users.
  • Prevent query injection vulnerabilities by using ORM/ODM libraries; libraries like Mongoose have this feature built in. Below is a video of an academic example of this vulnerability.
  • Avoid JavaScript eval statements and new Function
  • Avoid loading modules from a variable, i.e. require(someVariable)
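The "validate the data you get from users" point above, as an added example that is not part of the talk: request data is checked before it can reach an ODM filter, so a JSON object sent where a string is expected is rejected instead of being interpreted as a query operator. The helper names and the login-body shape are assumptions; no database is touched.

```javascript
'use strict';

// Validate that a login body contains exactly the expected string fields.
// Returns { ok: true, value } or { ok: false, reason }.
function validateLoginBody(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, reason: 'body must be a JSON object' };
  }
  const allowed = ['username', 'password'];
  const unexpected = Object.keys(body).filter((k) => !allowed.includes(k));
  if (unexpected.length > 0) {
    return { ok: false, reason: `unexpected fields: ${unexpected.join(', ')}` };
  }
  for (const field of allowed) {
    const v = body[field];
    // Only plain, bounded strings may flow into the query. An object here
    // (e.g. {"$gt": ""}) would be read by the driver as a query operator.
    if (typeof v !== 'string' || v.length === 0 || v.length > 128) {
      return { ok: false, reason: `${field} must be a non-empty string (max 128 chars)` };
    }
  }
  return { ok: true, value: { username: body.username, password: body.password } };
}

// Defence in depth: reject any value that carries MongoDB operator keys
// ('$' prefix) or dotted paths at any nesting depth, for data that may
// legitimately be an object (e.g. a search form).
function containsOperatorKeys(value) {
  if (value === null || typeof value !== 'object') return false;
  if (Array.isArray(value)) return value.some(containsOperatorKeys);
  return Object.entries(value).some(
    ([k, v]) => k.startsWith('$') || k.includes('.') || containsOperatorKeys(v)
  );
}

// Build the filter only from validated strings, never from the raw body.
// The password is deliberately not part of the filter: compare it against
// the stored hash after the user record is loaded.
function buildLoginFilter(body) {
  const checked = validateLoginBody(body);
  if (!checked.ok) throw new Error(`rejected input: ${checked.reason}`);
  const filter = { username: checked.value.username };
  if (containsOperatorKeys(filter)) throw new Error('operator key in filter');
  return filter; // safe to hand to Model.findOne(filter)
}

module.exports = { validateLoginBody, containsOperatorKeys, buildLoginFilter };
```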

A2: Broken Authentication

A3: Sensitive Data Exposure

  • "tl;dr" Solution: encrypt sensitive data.
  • Extract secrets from config files or use packages to encrypt them
    • Pass secrets with environment variables and save the secrets in a file on your server.
    • use cryptr

A4: External Entities

  • "tl;dr" Solution: use JSON and avoid serializing sensitive data.
  • Run unsafe code in a sandbox
    • use a dedicated child process
    • use a cloud serverless framework
    • use libraries like sandbox or vm2
  • Take extra care when working with child processes
    • use the child_process.execFile if you are unsure

A5: Broken Access Control

  • "tl;dr" Solution: deny access by default.
  • Run Node.js as non-root user

A6: Security Misconfiguration

  • "tl;dr" Solution: review default settings to secure installation.
  • Adjust the HTTP response headers for enhanced security
    • use helmet to protect express servers
  • Hide error details from clients
    • set NODE_ENV to production
  • Modify session middleware settings, don't use the defaults.

A7: Cross-Site Scripting (XSS)

  • "tl;dr" Solution: separate untrusted data from browser content.
  • Escape HTML, JS, and CSS output

A8: Insecure Deserialization

  • "tl;dr" Solution: no serialized data from untrusted sources.
  • Validate incoming JSON schemas
  • Limit payload size using a reverse proxy or middleware.
    • configure the express body-parser to accept only small payloads

A9: Using Components with Known Vulnerabilities

A10: Insufficient Logging and Monitoring

  • "tl;dr" Solution: read the logs for unusual activity.
  • Use due diligence: check logs, write scripts, and use tools like linkerd or splunk to monitor for possible intrusions.


  • Limit concurrent requests using a middleware. Cloud load balancers and firewalls can be configured to help with this.
  • Avoid DoS attacks by explicitly setting when a process should crash
  • Prevent an overly complex regular expression (ReDoS) from blocking your single-threaded event loop.


User input is a major source of vulnerabilities: treat it like hostile code and sanitize it. Filter and validate all user input.

Threats in the Wild