Node.js Security Improvements

- Node.js

Node.js Security optimizations

In the following post, we are going to discuss crucial Node.js security improvements. The platform itself is not very risky, so all major security problems are caused by its popularity and extensive use. As a result, sloppy coding makes projects absolutely unreliable, but you can easily avoid common Node.js security problems, and you will do so with core Node.js security improvements, resources, and tools listed below.

'

Since Node.js is based on JavaScript, the platform inherits JavaScript’s security problems as well, but they might be entirely different since all the processes are executed on the server instead of the browser. For instance, in case of Node.js the eval security issue, common for client side in JS projects, exists on the server side, and the appropriate function increases the risk of running malicious code there.

Node.js Security Improvements: Reporting a Bug

Node.js Security Improvements

First of all, it is necessary to mention that the whole Node.js community makes the platform better. If you find a security bugs in Node.js, tell about the issue by emailing security at nodejs.org. The core team will receive your message and fix the problem, keeping you informed of the progress related to a fix. As a result, you will receive an update within five days.

As for security bugs related to third party modules, you should inform their developers about discovered problems. Besides, it is possible to utilize the Node Security Project.

You can read the full Node.js disclosure policy here: Node.js Security Page

Node.js Security Improvements: Receiving Updates

Node.js Security Optimizations

If you want to keep your Node.js projects secure, it is necessary to implement all recent updates. Node.js distributes such updates via a Google+ group and a blog. Always check both sources to keep up with the times.

Node.js Security Improvements: Node Security Project

Node.js Security Improvements with Node Security Project

The aforementioned Node Security Project is one of the most important security sources on the platform. All core Node.js security improvements are available there in a form of various tools. Besides, you will find a list of resources and articles about Node.js security there. And you can easily contribute to the project as well.

Node.js Security Improvements: Blog Posts

Node.js Security Optimizations

  • When this is really that – this article discusses sandbox insecurities related to the this object utilized in JavaScript.
  • Node.js’s null terminator of death. In this article, the author explains how to leverage the null terminator and make your Node.js projects more secure. For instance, there is an advice that recommends to avoid user input. For further information, examine the full article.
  • Node.js Security – the good, bad and ugly shares a useful viewpoint on Node.js security. The author tells about both positive and negative aspects of the platform’s security and describes how they are represented in various projects.
  • Why Node.JS? Security continues the topic of Node.js security improvements by  introducing amazing security options available on the platform.
  • Attacking NoSQL and Node.js sheds light on such a problem as server-side JavaScript injection attacks. The article discusses why the platform and the database can be absolutely insecure.
  • Do you know that opening files in Node.js might be harmful? Check the article to find out why is this process is risky. Besides, the author introduces core Node.js security improvements, related to the issue.
  • Node.js and methodOverride middleware discusses two important problems: terrible API documentation that doesn’t warn developers of potential risks and CSRF bypass that abuses methodOverride middleware. As you can see, more and more Node.js security optimizations are required.
  • Node Day Summary is an article by lift that describes Node.js security problems in the enterprise.

Node.js Security Improvements: Tools

Development Environment for Node.js

  • nsp is the Node Security Project command line interface that provides the ability to audit both package.json and npm-shrinkwrap.json files against the API. The tool is vital if you are going to implement Node.js security improvements, because it identifies known vulnerabilities. In addition, you will get access to recent news about the security of the platform.
  • vscode-nsp is your nsp for Visual Studio Code.
  • gulp-nsp is your nsp for Gulp.
  • grunt-nsp is your nsp for Grunt.
  • npm-utils is a set of npm utilities for Node.js.
  • eslint-plugin-security is a set of ESLint rules for Node.js security projects. Although the project helps to identify potential security issues, all improvements should be performed manually.
  • eslint-config-nodesecurity offers a base set of ESLint rules for the same purpose.
  • demo provides different vulnerable dependencies necessary for further security improvements.

Node.js Security Improvements: Videos and Presentations

Node.js Security – Old Vulnerabilities in New Dresses

Old Attacks, New Tools

Top Overlooked Security Threats to Node.js Web Applications

Securing Modern Web Frameworks with Node.js

Preventing XSS & CSRF

Web Security in Node.js and JavaScript Apps

Node.js application (in)security

Final Words

Although the aforementioned improvements do not cover all security vulnerabilities of Node.js, they are enough for making the platform much more secure. Do not hesitate to examine all the aforementioned sources, tools, and materials, because it is a good investment into your Node.js projects. Node.js security improvements and optimizations are not mandatory, but it doesn’t prevent them from being vitally important.

'