Anonymize the sessionID Used

The first step for an attacker targeting a system is reconnaissance. The attacker researches the environment and narrows possible attack vectors to optimize the attack. As the defender, we want them to waste as much time as possible, so keeping the intruder guessing is a good move.

The default implementation of session in express and connect uses connect.sid as the sessionID token in the cookie. It’s not hard to understand what technologies are in use based on that. To make it harder for possible attackers to gain information about the application’s underlying systems, we need to use a more generic name for the sessionID:

app.use(express.session({
  store: new RedisStore({
    host: 'localhost' ...
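
As an added example (not code from the book), the weak configuration beside the hardened one, plus a small check that inspects Set-Cookie headers for the framework-revealing default. It assumes express-session's `name` option (which replaces the default `connect.sid`) and a store object such as RedisStore passed in by the caller.

```javascript
// Added example: choose a generic session cookie name and verify that
// responses no longer advertise express/connect via "connect.sid".
// Assumes express-session's `name` option; `store` is e.g. a RedisStore
// instance created by the application (not constructed here).
const DEFAULT_SESSION_COOKIE = 'connect.sid';

// Weak: leaves the cookie name at its default, which fingerprints the stack.
function weakSessionOptions(store, secret) {
  return { store, secret, resave: false, saveUninitialized: false };
}

// Hardened: a generic name that says nothing about the underlying framework,
// plus the usual cookie flags. Usage: app.use(session(hardenedSessionOptions(store, secret)))
function hardenedSessionOptions(store, secret, name = 'id') {
  return {
    store,
    secret,
    name,
    resave: false,
    saveUninitialized: false,
    cookie: { httpOnly: true, secure: true, sameSite: 'lax' },
  };
}

// Extract the cookie name from each Set-Cookie header value.
function cookieNames(setCookieHeaders) {
  return setCookieHeaders.map((h) => h.split(';', 1)[0].split('=', 1)[0].trim());
}

// Defender check: which cookies in a response still carry the default,
// technology-revealing name? An empty list means the rename took effect.
function fingerprintingCookies(setCookieHeaders) {
  return cookieNames(setCookieHeaders).filter((n) => n === DEFAULT_SESSION_COOKIE);
}

// Constructed sample headers, as a browser would receive them before and
// after the change (the session values are made up).
const beforeHeaders = ['connect.sid=s%3Aabc.def; Path=/; HttpOnly'];
const afterHeaders = ['id=s%3Aabc.def; Path=/; HttpOnly; Secure; SameSite=Lax'];
```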
