A curated list of awesome Node.js security-related resources.
List inspired by the awesome list thing.
Web Framework Hardening
- Helmet - Helmet helps you secure your Express apps by setting various HTTP headers.
- blankie - CSP plugin for hapi.
Static Code Analysis
- eslint-plugin-security - ESLint rules for Node Security. This project will help identify potential security hotspots, but finds a lot of false positives which need triage by a human.
- safe-regex - Detects potentially catastrophic exponential-time regular expressions by limiting the star height to 1.
- git-secrets - Prevents you from committing secrets and credentials into git repositories.
- DevSkim - DevSkim is a set of IDE plugins and rules that provide security "linting" capabilities. It also has CLI support, so it can be integrated into a CI/CD pipeline.
- ban-sensitive-files - Checks filenames to be committed against a library of filename rules to prevent storing sensitive files in Git. Also checks some files for sensitive contents (for example, an authToken inside an .npmrc file).
- escape-html - Escape string for use in HTML.
- validator.js (https://github.com/chriso/validator.js) - A library of string validators and sanitizers.
- xss-filters - Just sufficient output filtering to prevent XSS!
Vulnerabilities and Security Advisories
- npq - Safely install packages with npm or yarn by auditing them as part of your install process.
- snyk - Snyk helps you find, fix and monitor known vulnerabilities in Node.js npm, Ruby and Java dependencies, both on an ad hoc basis and as part of your CI (Build) system.
- node-release-lines - Introspection API for Node.js release metadata. Provides information about release lines, their relative status along with details of each release.
- auditjs - Audits an NPM package.json file to identify known vulnerabilities using the OSSIndex.
- npm-audit - Runs a security audit based on your package.json using npm.
- npm-audit-resolver - Manage npm-audit results, including options to ignore specific issues in a clear and auditable way.
- gammaray - Runs a security audit based on your package.json using the Node.js Security Working Group vulnerability data.
- express-limiter - Rate limiting middleware for Express applications built on redis.
- limits - Simple express/connect middleware to set a limit on upload size, set request timeouts, etc.
- rate-limiter-flexible - Fast, flexible and friendly rate limiter by key, with protection from DDoS and brute-force attacks, backed by in-process memory, Cluster, Redis, MongoDb, MySQL or PostgreSQL at any scale. Express and Koa examples included.
- NodeGoat - The OWASP NodeGoat project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.
- Secure Your Node.js Web Application: Keep Attackers Out and Users Happy by Karl Duuna, 2016
- Essential Node.js Security by Liran Tal, 2017 - Hands-on and abundant with source code, a practical guide to securing Node.js web applications.
- Securing Node JS Apps by Ben Edmunds, 2016 - Learn the security basics that a senior developer usually acquires over years of experience, all condensed down into one quick and easy handbook.
- Web Developer Security Toolbox - Bundled Node.js and Web Security Books.
- Snyk - A developer-first solution that automates finding & fixing vulnerabilities in your dependencies.
- Sqreen - Automated security for your web apps - real-time application security protection.
- Intrinsic - Intrinsic secures your sensitive data from bugs and malicious code, allowing you to run all code safely.
- NodeSource - Mission-critical Node.js applications. Provides N|Solid and Node Certified Modules.
Found an awesome project, package, article, or other type of resource related to Node.js security? Send me a pull request! Just follow the guidelines. Thank you!