Node.js security basics
Csaba Palfi, Sep 2014
Node is not different. All humans writing code are an un-patched vulnerability. There will always be vulnerabilities but what matters is your process dealing with them. Learn, fix, repeat. Here are some basic tips:
1. know OWASP Top 10
OWASP top 10 is list of the most critical and prevalent web application security issues. It's a great way to get started.
NodeGoat is an express webapp with Mongo demonstrating OWASP Top 10 issues and addressing them. Any volunteers to write one for hapi?
2. use security headers
Utilizing security HTTP headers can greatly improve security. Learn about these and use them!
NodeGoat uses the helmet express middlewares for this. lusca is another good express middleware.
Hapi supports a lot of these headers out of the box.
You're responsible for the modules you
require. Do you at least check number of installs on npm? Do you check open issues on Github?
The node security project maintains a list of known vulnerabilities for npm modules. They provide a command line tool, Grunt task, an API (example). Closer integration with npm is coming as well.
4. never trust user input
It's so easy to forget that users don't always mean well. Always validate request params and body instead of just building mongo queries based on them.
In express make sure you understand the simple and extended queryparser and bodyParser.urlencoded options.
With hapi make sure you check out joi - their amazing declarative validation module.
Node.js services sometimes just proxy through other backends. Make sure you only pass validated input through.
5. prevent command injection
exec method in the child_process can be dangerous as it gets it's whole command as a String. If the wrong thing get concatenated in there it'll hurt. Just make sure you use
spawn instead as they get arguments as an array. Read this post to learn more.
6. do crypto well
Watch out for cases when depcrypting garbage doesn't throw error. Have tests for these scenarios.
Actually, just use HMAC but watch out for timing attacks. (cryptiles from the hapi guys has
fixedTimeComparison to prevent that)
Checkout cryptopals.com if you want to deeply understand crypto.
UPDATE: More security tips
Some more security tips were published by Gergely Nemeth of RisingStack.
Adam Baldwin (from ^Lift), his two talks at LNUG and London Node Security Meetup inspired this post.