Node.js security basics

Csaba Palfi, Sep 2014

Node is not different. All humans writing code are an un-patched vulnerability. There will always be vulnerabilities but what matters is your process dealing with them. Learn, fix, repeat. Here are some basic tips:

1. know OWASP Top 10

OWASP top 10 is list of the most critical and prevalent web application security issues. It's a great way to get started.

NodeGoat is an express webapp with Mongo demonstrating OWASP Top 10 issues and addressing them. Any volunteers to write one for hapi?

2. use security headers

Utilizing security HTTP headers can greatly improve security. Learn about these and use them!

NodeGoat uses the helmet express middlewares for this. lusca is another good express middleware.

Hapi supports a lot of these headers out of the box.

3. require responsibly

You're responsible for the modules you require. Do you at least check number of installs on npm? Do you check open issues on Github?

The node security project maintains a list of known vulnerabilities for npm modules. They provide a command line tool, Grunt task, an API (example). Closer integration with npm is coming as well.

4. never trust user input

It's so easy to forget that users don't always mean well. Always validate request params and body instead of just building mongo queries based on them.

In express make sure you understand the simple and extended queryparser and bodyParser.urlencoded options.

With hapi make sure you check out joi - their amazing declarative validation module.

Node.js services sometimes just proxy through other backends. Make sure you only pass validated input through.

5. prevent command injection

The exec method in the child_process can be dangerous as it gets it's whole command as a String. If the wrong thing get concatenated in there it'll hurt. Just make sure you use execFile or spawn instead as they get arguments as an array. Read this post to learn more.

6. do crypto well

Watch out for cases when depcrypting garbage doesn't throw error. Have tests for these scenarios.

Actually, just use HMAC but watch out for timing attacks. (cryptiles from the hapi guys has fixedTimeComparison to prevent that)

Checkout cryptopals.com if you want to deeply understand crypto.

UPDATE: More security tips

Some more security tips were published by Gergely Nemeth of RisingStack.

Thanks

Adam Baldwin (from ^Lift), his two talks at LNUG and London Node Security Meetup inspired this post.