A curated list of awesome Node.js Security related resources.
List inspired by the awesome list thing.
- Helmet - Helmet helps you secure your Express apps by setting various HTTP headers.
- eslint-plugin-security - ESLint rules for Node Security. This project will help identify potential security hotspots, but finds a lot of false positives which need triage by a human.
- safe-regex - Detect potentially catastrophic exponential-time regular expressions by limiting the star height to 1.
- vuln-regex-detector - Checks a regex for vulnerability. In JavaScript, regular expressions (regexes) can be "vulnerable": susceptible to catastrophic backtracking. If your application is used on the client side, this is a performance issue. On the server side, it exposes you to Regular Expression Denial of Service (ReDoS).
- git-secrets - Prevents you from committing secrets and credentials into git repositories.
- DevSkim - DevSkim is a set of IDE plugins and rules that provide security "linting" capabilities. Also has support for CLI so it can be integrated into CI/CD pipeline.
- node-esapi - node-esapi is a minimal port of the ESAPI4JS (Enterprise Security API for JavaScript) encoder.
- escape-html - Escape string for use in HTML.
- js-string-escape - Escape any string to be a valid JavaScript string literal between double quotes or single quotes.
- validator.js (https://github.com/chriso/validator.js) - A library of string validators and sanitizers.
- xss-filters - Just sufficient output filtering to prevent XSS!
- csurf - Node.js CSRF protection middleware.
- npq - Safely install packages with npm or yarn by auditing them as part of your install process.
- snyk - Snyk helps you find, fix and monitor known vulnerabilities in Node.js npm, Ruby and Java dependencies, both on an ad hoc basis and as part of your CI (Build) system.
- node-release-lines - Introspection API for Node.js release metadata. Provides information about release lines, their relative status along with details of each release.
- auditjs - Audits an NPM package.json file to identify known vulnerabilities using the OSSIndex.
- npm-audit - Runs a security audit based on your package.json using npm.
- gammaray - Runs a security audit based on your package.json using the Node.js Security Working Group vulnerability data.
- express-limiter - Rate limiting middleware for Express applications built on redis.
- limits - Simple express/connect middleware to set limit to upload size, set request timeout etc.
- NodeGoat - The OWASP NodeGoat project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.
- OWASP Juice Shop - An intentionally insecure webapp for security trainings, written entirely in JavaScript, which encompasses the entire OWASP Top Ten and other severe security flaws.
- Secure Your Node.js Web Application: Keep Attackers Out and Users Happy by Karl Duuna, 2016
- Essential Node.js Security by Liran Tal, 2017 - Hands-on and abundant with source code, a practical guide to securing Node.js web applications.
- Securing Node JS Apps by Ben Edmunds, 2016 - Learn the security basics that a senior developer usually acquires over years of experience, all condensed down into one quick and easy handbook.
- Web Developer Security Toolbox - Bundled Node.js and Web Security Books.
- Snyk - A developer-first solution that automates finding & fixing vulnerabilities in your dependencies.
- Sqreen - Automated security for your web apps - real time application security protection.
- Intrinsic - Intrinsic secures your sensitive data from bugs and malicious code, allowing you to run all code safely.
- NodeSource - Mission-critical Node.js applications. Provides N|Solid and Node Certified Modules.
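The star-height heuristic that safe-regex applies (and that vuln-regex-detector goes beyond) is easy to see in code. The following is an added example written for this page, not code from either project: a small scanner over a regex's source text that computes its star height, the deepest nesting of unbounded repetition, and flags anything above 1. The helper names (`starHeight`, `isSafe`) and the sample patterns are this example's own assumptions.

```javascript
// Added example for this page: a star-height analyser in the spirit of
// safe-regex's "star height <= 1" check. Not the library's own code.
// Assumptions: patterns use JavaScript regex syntax; flags are ignored.

// Star height = deepest nesting of unbounded repetition (*, +, {n,}).
// /(a+)+/ has height 2: the inner + is itself repeated by the outer +.
function starHeight(pattern) {
  const src = pattern instanceof RegExp ? pattern.source : String(pattern);
  // One frame per open group; `height` is the tallest quantified
  // subexpression seen directly inside that group so far.
  const stack = [{ height: 0 }];
  // Height of the atom just parsed, so a following quantifier can build on
  // it; -1 means "nothing quantifiable here" (start, after '|', after a quantifier).
  let lastAtomHeight = -1;
  let i = 0;
  while (i < src.length) {
    const c = src[i];
    if (c === '\\') {              // escaped char: one literal atom
      lastAtomHeight = 0;
      i += 2;
    } else if (c === '[') {        // character class: one atom, skip to ']'
      i += 1;
      if (src[i] === '^') i += 1;
      if (src[i] === ']') i += 1;  // a leading ']' is literal
      while (i < src.length && src[i] !== ']') {
        if (src[i] === '\\') i += 1;
        i += 1;
      }
      i += 1;
      lastAtomHeight = 0;
    } else if (c === '(') {        // open group; skip (?: (?= (?! (?<= (?<! (?<name>
      stack.push({ height: 0 });
      i += 1;
      if (src[i] === '?') {
        if (src[i + 1] === '<' && src[i + 2] !== '=' && src[i + 2] !== '!') {
          i = src.indexOf('>', i) + 1;   // named capture group
        } else if (src[i + 1] === '<') {
          i += 3;                        // lookbehind
        } else {
          i += 2;                        // non-capturing group / lookahead
        }
      }
      lastAtomHeight = -1;
    } else if (c === ')') {        // close group: the whole group is now one atom
      lastAtomHeight = stack.length > 1 ? stack.pop().height : 0;
      i += 1;
    } else if (c === '|') {
      lastAtomHeight = -1;
      i += 1;
    } else if ((c === '*' || c === '+' || c === '?' || c === '{') && lastAtomHeight >= 0) {
      let unbounded;
      if (c === '{') {
        const m = /^\{(\d+)(,(\d*))?\}/.exec(src.slice(i));
        if (!m) {                  // not a quantifier, just a literal '{'
          lastAtomHeight = 0;
          i += 1;
          continue;
        }
        unbounded = m[2] !== undefined && m[3] === '';   // {n,} has no upper bound
        i += m[0].length;
      } else {
        unbounded = c !== '?';     // ? is bounded (0..1)
        i += 1;
      }
      if (src[i] === '?') i += 1;  // lazy modifier: no effect on height
      if (unbounded) {
        const top = stack[stack.length - 1];
        top.height = Math.max(top.height, lastAtomHeight + 1);
      }
      lastAtomHeight = -1;         // a quantifier cannot itself be quantified
    } else {                       // ordinary literal, '.', '^', '$'
      lastAtomHeight = 0;
      i += 1;
    }
  }
  return stack[0].height;
}

// safe-regex's rule of thumb: reject anything with star height above 1.
function isSafe(pattern, limit = 1) {
  return starHeight(pattern) <= limit;
}

// Constructed sample patterns for a quick self-check.
const SAMPLES = [/^[a-z]+@[a-z]+$/, /(a+)+$/, /(\d+\.)+\d+/, /(a|aa)+$/];
for (const re of SAMPLES) {
  console.log(`${re}  star height ${starHeight(re)}  ${isSafe(re) ? 'ok' : 'REJECT'}`);
}
```

Nested unbounded quantifiers such as `(a+)+$` are the textbook ReDoS shape, but star height is only a heuristic: `(a|aa)+$` has height 1 and still backtracks exponentially, which is why a tool like vuln-regex-detector, which analyses the pattern more thoroughly, catches cases this check misses. Bounded repetition (`{2,5}`) is not counted, matching safe-regex's behaviour, although large bounds can still be slow in practice.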
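escape-html, js-string-escape and xss-filters exist because the correct encoder depends on where the untrusted value lands. The example below is added for this page and is not the code of any of those packages: it reimplements the two encoders in miniature and shows the case a plain JS-string escaper does not cover, a value placed in a string literal inside an inline `<script>` block, where the HTML parser ends the script at the first `</script` regardless of JavaScript quoting. The function names, page template and payload are this example's own assumptions.

```javascript
// Added example for this page, not code from escape-html, js-string-escape
// or xss-filters: the encoder has to match the context the value lands in.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Context 1: HTML text nodes and quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Context 2: the body of a JavaScript string literal (the job js-string-escape
// does): backslash, both quote kinds and line terminators are escaped.
function escapeJsStringLiteral(value) {
  return String(value).replace(/[\\"'\n\r\u2028\u2029]/g, (c) => {
    switch (c) {
      case '\n': return '\\n';
      case '\r': return '\\r';
      case '\u2028': return '\\u2028';
      case '\u2029': return '\\u2029';
      default: return '\\' + c;   // \\  \"  \'
    }
  });
}

// Context 3: a JS string literal inside an inline <script> block. The HTML
// tokeniser scans the script body before any JavaScript runs and ends the
// block at the first "</script", so '<', '>' and '&' are hex-escaped as well.
// The JavaScript value the page sees is unchanged.
function escapeForInlineScript(value) {
  return escapeJsStringLiteral(value).replace(/[<>&]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Wrong: JS-string escaping alone inside <script>.
function renderProfileUnsafe(displayName) {
  return `<h1>${escapeHtml(displayName)}</h1>\n` +
    `<script>var displayName = "${escapeJsStringLiteral(displayName)}";</script>`;
}

// Right: script-aware escaping for the inline script context.
function renderProfile(displayName) {
  return `<h1>${escapeHtml(displayName)}</h1>\n` +
    `<script>var displayName = "${escapeForInlineScript(displayName)}";</script>`;
}

// How many <script ...> tags the browser would see; the template has exactly one.
function countScriptOpens(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Constructed payload: closes the script block and opens a new one.
const PAYLOAD = '</script><script>alert(1)</script>';
console.log(countScriptOpens(renderProfileUnsafe(PAYLOAD))); // 2: the injected script runs
console.log(countScriptOpens(renderProfile(PAYLOAD)));       // 1
```

The same reasoning applies when serialising whole objects into a page: `JSON.stringify` produces a valid JavaScript literal, but `<` still has to be escaped (for instance to `\u003c`) before the result goes inside a `<script>` block.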
Found an awesome project, package, article, other type of resources related to Node.js Security? Send me a pull request! Just follow the guidelines. Thank you!
say hi on Twitter