You are previewing Secure Your Node.js Web Application.
O'Reilly logo
Secure Your Node.js Web Application

Book Description

Cyber-criminals have your web applications in their crosshairs. They search for and exploit common security mistakes in your web application to steal user data. Learn how you can secure your Node.js applications, database and web server to avoid these security holes. Discover the primary attack vectors against web applications, and implement security best practices and effective countermeasures. Coding securely will make you a stronger web developer and analyst, and you'll protect your users.

Table of Contents

  1.  Acknowledgments
  2.  Preface
    1. Who Should Read This Book?
    2. What’s in This Book?
    3. Online Resources
  3. 1. Meet Your Tools
    1. Meet Node.js
    2. Meet JavaScript
    3. Wrapping Up
  4. 2. Set Up the Environment
    1. Follow the Principle of Least Privilege
    2. Start with the Basics: Secure the Server
    3. Avoid Security Configuration Errors
    4. Wrapping Up
  5. 3. Start Connecting
    1. Set Up Secure Networking for Node.js Applications
    2. Decide What Gets Logged
    3. Don’t Forget About Proper Error Handling
    4. Wrapping Up
  6. 4. Avoid Code Injections
    1. Identify Code Injection Bugs in Your Code
    2. Avoid Shell Injection in Your Application
    3. Wrapping Up
  7. 5. Secure Your Database Interactions
    1. Start with the Basics: Set Up the Database
    2. Separate Databases for Better Security
    3. Identify Database Injection Points in Your Code
    4. Avoid SQL Injection Attacks
    5. Mitigate Injection Attacks in NoSQL Databases
    6. Wrapping Up
  8. 6. Learn to Do Things Concurrently
    1. A Primer on Concurrency Issues
    2. Ways to Mitigate Concurrency
    3. Concurrency with MongoDB Explained
    4. Concurrency with MySQL Explained
    5. Wrapping Up
  9. 7. Bring Authentication to Your Application
    1. Store the Secret in a Safe Place
    2. Enforce Password Strength Rules on Your Users
    3. Move the Password Securely to the Server
    4. Deal with the Fact That Users Will Forget
    5. Add Other Authentication Layers for Better Security
    6. Wrapping Up
  10. 8. Focus on Session Management
    1. Set Up Sessions for Your Application
    2. Anonymize the sessionID Used
    3. Let the Session Die, aka Set a Time-to-Live
    4. Secure the Cookies so No One Can Steal Them
    5. Re-create the Session When the User Logs In
    6. Bind the Session to Prevent Hijacking
    7. Wrapping Up
  11. 9. Set Up Access Control
    1. Access Control Methods
    2. Missing Function-Level Access Controls in Your Code
    3. Don’t Use Insecure Direct Object References
    4. Wrapping Up
  12. 10. Defend Against Denial-of-Service Attacks
    1. Recognize Denial-of-Service Attacks
    2. Avoid Synchronous Code in Your Application
    3. Manage How Your Application Uses Memory
    4. Avoid Asymmetry in Your Code
    5. Wrapping Up
  13. 11. Fight Cross-Site Scripts
    1. Recognize Different Types of XSS
    2. Prevent XSS Through Configuration
    3. Sanitize Input for Reflected/Stored XSS
    4. Sanitize Input for DOM XSS
    5. Wrapping Up
  14. 12. Avoid Request Forgery
    1. Follow the Logic to Protect Against CSRF
    2. Synchronize Your Tokens as Part of CSRF Protection
    3. O Request, Where Art Thou From?
    4. Avoid Setting Up Common CSRF Pitfalls in Your Code
    5. Wrapping Up
  15. 13. Protect Your Data
    1. Understand Your Application’s Data Flow
    2. Protect the Client Application and Data
    3. Securely Transfer Data in Your Application
    4. Secure the Data Stored Within Your Application
    5. Wrapping Up
  16. 14. Secure the Existing Codebase
    1. Perform a Risk Assessment First
    2. Test Your Application’s Code Quality
    3. Analyze Your Application’s Data Flow
    4. If Nothing Else, Use a Helmet
    5. Clean the Modules You Use in Your Code
    6. Test Your Application Security Thoroughly
    7. Wrapping Up
    8. Where to Go from Here
  17.  Bibliography