You are previewing Secure Your Node.js Web Application.
O'Reilly logo
Secure Your Node.js Web Application

Book Description

Cyber-criminals have your web applications in their crosshairs. They search for and exploit common security mistakes in your web application to steal user data. Learn how you can secure your Node.js applications, database and web server to avoid these security holes. Discover the primary attack vectors against web applications, and implement security best practices and effective countermeasures. Coding securely will make you a stronger web developer and analyst, and you'll protect your users.

Table of Contents

  1. <span xmlns="" xmlns:epub="" class="toc-secnum">&#160;</span>AcknowledgmentsAcknowledgments
  2. <span xmlns="" xmlns:epub="" class="toc-secnum">&#160;</span>PrefacePreface
    1. Who Should Read This Book?
    2. What’s in This Book?
    3. Online Resources
  3. <span xmlns="" xmlns:epub="" class="toc-secnum">1. </span>Meet Your ToolsMeet Your Tools
    1. Meet Node.js
    2. Meet JavaScript
    3. Wrapping Up
  4. <span xmlns="" xmlns:epub="" class="toc-secnum">2. </span>Set Up the EnvironmentSet Up the Environment
    1. Follow the Principle of Least Privilege
    2. Start with the Basics: Secure the Server
    3. Avoid Security Configuration Errors
    4. Wrapping Up
  5. <span xmlns="" xmlns:epub="" class="toc-secnum">3. </span>Start ConnectingStart Connecting
    1. Set Up Secure Networking for Node.js Applications
    2. Decide What Gets Logged
    3. Don’t Forget About Proper Error Handling
    4. Wrapping Up
  6. <span xmlns="" xmlns:epub="" class="toc-secnum">4. </span>Avoid Code InjectionsAvoid Code Injections
    1. Identify Code Injection Bugs in Your Code
    2. Avoid Shell Injection in Your Application
    3. Wrapping Up
  7. <span xmlns="" xmlns:epub="" class="toc-secnum">5. </span>Secure Your Database InteractionsSecure Your Database Interactions
    1. Start with the Basics: Set Up the Database
    2. Separate Databases for Better Security
    3. Identify Database Injection Points in Your Code
    4. Avoid SQL Injection Attacks
    5. Mitigate Injection Attacks in NoSQL Databases
    6. Wrapping Up
  8. <span xmlns="" xmlns:epub="" class="toc-secnum">6. </span>Learn to Do Things ConcurrentlyLearn to Do Things Concurrently
    1. A Primer on Concurrency Issues
    2. Ways to Mitigate Concurrency
    3. Concurrency with MongoDB Explained
    4. Concurrency with MySQL Explained
    5. Wrapping Up
  9. <span xmlns="" xmlns:epub="" class="toc-secnum">7. </span>Bring Authentication to Your ApplicationBring Authentication to Your Application
    1. Store the Secret in a Safe Place
    2. Enforce Password Strength Rules on Your Users
    3. Move the Password Securely to the Server
    4. Deal with the Fact That Users Will Forget
    5. Add Other Authentication Layers for Better Security
    6. Wrapping Up
  10. <span xmlns="" xmlns:epub="" class="toc-secnum">8. </span>Focus on Session ManagementFocus on Session Management
    1. Set Up Sessions for Your Application
    2. Anonymize the sessionID Used
    3. Let the Session Die, aka Set a Time-to-Live
    4. Secure the Cookies so No One Can Steal Them
    5. Re-create the Session When the User Logs In
    6. Bind the Session to Prevent Hijacking
    7. Wrapping Up
  11. <span xmlns="" xmlns:epub="" class="toc-secnum">9. </span>Set Up Access ControlSet Up Access Control
    1. Access Control Methods
    2. Missing Function-Level Access Controls in Your Code
    3. Don’t Use Insecure Direct Object References
    4. Wrapping Up
  12. <span xmlns="" xmlns:epub="" class="toc-secnum">10. </span>Defend Against Denial-of-Service AttacksDefend Against Denial-of-Service Attacks
    1. Recognize Denial-of-Service Attacks
    2. Avoid Synchronous Code in Your Application
    3. Manage How Your Application Uses Memory
    4. Avoid Asymmetry in Your Code
    5. Wrapping Up
  13. <span xmlns="" xmlns:epub="" class="toc-secnum">11. </span>Fight Cross-Site ScriptsFight Cross-Site Scripts
    1. Recognize Different Types of XSS
    2. Prevent XSS Through Configuration
    3. Sanitize Input for Reflected/Stored XSS
    4. Sanitize Input for DOM XSS
    5. Wrapping Up
  14. <span xmlns="" xmlns:epub="" class="toc-secnum">12. </span>Avoid Request ForgeryAvoid Request Forgery
    1. Follow the Logic to Protect Against CSRF
    2. Synchronize Your Tokens as Part of CSRF Protection
    3. O Request, Where Art Thou From?
    4. Avoid Setting Up Common CSRF Pitfalls in Your Code
    5. Wrapping Up
  15. <span xmlns="" xmlns:epub="" class="toc-secnum">13. </span>Protect Your DataProtect Your Data
    1. Understand Your Application’s Data Flow
    2. Protect the Client Application and Data
    3. Securely Transfer Data in Your Application
    4. Secure the Data Stored Within Your Application
    5. Wrapping Up
  16. <span xmlns="" xmlns:epub="" class="toc-secnum">14. </span>Secure the Existing CodebaseSecure the Existing Codebase
    1. Perform a Risk Assessment First
    2. Test Your Application’s Code Quality
    3. Analyze Your Application’s Data Flow
    4. If Nothing Else, Use a Helmet
    5. Clean the Modules You Use in Your Code
    6. Test Your Application Security Thoroughly
    7. Wrapping Up
    8. Where to Go from Here
  17. <span xmlns="" xmlns:epub="" class="toc-secnum">&#160;</span>BibliographyBibliography