How to make your NodeJS application or API secure

Published in

ITNEXT

7 min readJul 12, 2019

If you are a back-end or a full-stack (web) developer, you probably heard terms such as: DOS Attacks, XSS, SQL/NoSQL Injection Attacks and similar.
You might already know that these attacks are very harmful and you need to make your application (or API) secure, as much as you can. But how exactly?

In this article i will show you some of the best practices that you can apply / implement in your own projects and make your app, or just an API, secure. But first, if you are not familiar with these attacks, let's break them down one by one!

Denial-Of-Service (DOS) Attacks

DOS Attack will crash / shut down a network, or machine, making it inaccessible. Which means users won’t be able to access your application, for example. Attacker accomplishes this by constantly sending requests, creating traffic and sending plenty of all kind of a informations.
With DOS attacks, attackers can either make your service slower or crash it entirely.

Cross-Site Scripting (XSS) Attacks

XSS Attacks are a type of injections. Attackers inject malicious scripts into the forms of a browser side script. Usually they occur on input forms when those forms are not validated or encoded.
With XSS attacks, attacker can gain access to cookies, session tokens or / and other sensitive data. As well, these scripts can rewrite HTML content of a page.

Brute Force Attacks

Brute force attack is a method used to obtain sensitive data such as user password or personal identification number (PIN). In these attacks, attackers most likely rely on automated software to generate a large numbers guesses to the value of desired data.
With Brute Force Attacks, attackers can crack encrypted data (password, PINs).

SQL/NoSQL Injection Attacks

SQL/NoSQL Injection (SQLi) Attacks is a type of an injection attack. SQL/NoSQL Injection makes it possible for attacker to execute malicious SQL/NoSQL statements. Attackers can achieve SQL/NoSQL Injection attack simply by inserting SQL/NoSQL commands (queries) to a specific fields on your application that is connected to a database (POST request for logging in for example).
With SQL/NoSQL Injection Attacks, attackers can bypass authentication, authorization, retrieve the content of the entire SQL/NoSQL database, add, modify, delete data in database.

How to prevent these attacks from happening in your own project?

Right, after you learned a little bit about these attacks, the question is, how to actually prevent them from happening in your own application / API?
Again, i will show you best practices on how to prevent these attacks, one by one.

Preventing DOS Attacks

First thing to consider when dealing with DOS attacks prevention is to limit the actual payload that user can submit to your app / api / service. You can limit the body payload using body-parser. If you are using ExpressJS as your backend framework, then you are golden. ExpressJS comes with built-in body-parser that you can use.

const express = require('express');
const app = express();app.use(express.json({ limit: '10kb' })); // Body limit is 10

2. Another useful express feature is express-rate-limit dependency. This dependency lets you set rate limit for users. So basically, you can set maximum amount of requests for each user, after user uses all of his requests, you can lock him out for certain amount of time.

Here is how you can configure express-rate-limit:
— npm install express-rate-limit - Installing it using NPM

const limit = rateLimit({
    max: 100,// max requests
    windowMs: 60 * 60 * 1000, // 1 Hour
    message: 'Too many requests' // message to send
});
app.use('/routeName', limit); // Setting limiter on specific route

Preventing XSS Attacks

First of all, you can sanitize user data, on input. This is very easy to implement, and we can use another useful dependency called xss-clean.
This dependency will prevent users from inserting HTML & Scripts on input.

Here is how you can configure xss-clean:
— npm install xss-clean - Installing it using NPM

// Data Sanitization against XSS
app.use(xss());

2. Give your project special HTTP headers using helmet dependency. Helmet is a collection of middleware functions. By default, not all of the middleware functions are included, but you can enable rest of them manually. You can check this link to see other middleware functions.

Here is how you can configure helmet - It should be declared on the top of the code:
— npm install helmet - Installing it using NPM

app.use(helmet());

3. If you are using JSON Web Tokens (JWT) instead of express-session for example, you should consider storing JWT’s into the cookies. As well, make sure these cookies for JWT storing are HTTP Only!

Preventing Brute Force Attacks

One of the most efficient way to help you to deal with brute force attacks, is to set limit to login attempts, or anything related to authentication that requires users to insert their passwords, special codes or PINs.
Next up, and again, if you are using ExpressJS, you could implement express-rate-limit dependency. Which we did indeed implemented in DOS attacks prevention. But this dependency works both for Brute Force attacks and DOS attacks.
To slower down and make life a little bit harder for attackers when guessing sensitive data (passwords, PINs), you could implement bcrypt dependency. Bcrypt will encrypt sensitive data such as passwords and it will make them harder to guess. Bcrypt is a little bit complex dependency, but if you want to learn more (and you should) checkout this link.
Another thing that will make brute force attacks less likely is implementing 2-Step verification process, or two-factor authentication. It does take couple of lines of codes to implement this, so here is the link that will help you out with it!

Preventing SQL/NoSQL Injection Attacks

Either if you are working with SQL or NoSQL database, you should sanitize your data.
If you are working with SQL database, you should consider using node-mysql dependency. Learn more about node-mysql here.
If you are working with NoSQL database (MongoDB) and ExpressJS, consider using express-mongo-sanitize dependency.

Here is how you can configure mongo-sanitize:
— npm install express-mongo-sanitize - Installing it using NPM

app.use(mongoSanitize());

2. If working with MongoDB, use Object Data Modeling tool (ODM) Mongoose. Mongoose lets you define schemas and schema types for each one of your documents, making it secure from the beginning. Mongoose is pretty complex on it’s own, but if you want to dive deep into it, i’ll suggest you to check this link or get a crash course on it and learn it on the go!

Your main app file could look like this after you implemented these dependencies:

// Importing Dependencies
const express = require('express');
const rateLimit = require('express-rate-limit');
const helmet = require('helmet');
const mongoSanitize = require('express-mongo-sanitize');
const xss = require('xss-clean');const app = express();// Helmet
app.use(helmet());// Rate Limiting
const limit = rateLimit({
    max: 100,// max requests
    windowMs: 60 * 60 * 1000, // 1 Hour of 'ban' / lockout 
    message: 'Too many requests' // message to send
});
app.use('/routeName', limit); // Setting limiter on specific route// Body Parser
app.use(express.json({ limit: '10kb' })); // Body limit is 10// Data Sanitization against NoSQL Injection Attacks
app.use(mongoSanitize());// Data Sanitization against XSS attacks
app.use(xss())

How to achieve top-level security on website / web app / API?

These methods i showed you are most definitely fine to implement in your own project and they are doing the right job! Nothing wrong with it. BUT!
What if you could boost it up to another level? What if you wanted to achieve top-level security for your project? What if you could implement DDoS attack prevention system that will be monitored to you in details? In fact, what if you could integrate monitoring system for ALL of these vulnerabilities?

What if i told you there is this tool called SiteLock that exposes vulnerabilities such as: Search Engine/Browser Blacklisting, Spam Blacklisting, Application vulnerabilities, SQL Injection vulnerabilities, Cross-Site Scripting (XSS) vulnerabilities, Viruses and Malware’s, Network vulnerabilities.
What i am about to show you can save you time and money and of course, make your web application (or website) even more secure.

So what is it all about?

Have you heard of Bluehost? Bluehost is one of the largest website hosting providers and powers millions of websites. Bluehost offers above mentioned tool called SiteLock that monitors your website/app and catches any found vulnerability. Also, it can verify your business reputation. SiteLock comes with Bluehost hosting package (Less than $2 per month).

In short, why go for Bluehost specifically? Well, do you want to launch your website in no time and make sure everything related to your web is secure and stable?
Aside of security, stability, Bluehost’s hosting services are pretty cheap and affordable, and SiteLock is a powerful tool to have for your business. Paying less than $2 per month for SiteLock is a right move, and it will truly help you to monitor all of the happenings on your website/app, exposing vulnerabilities and verifying your business (Makes your business trusted).

Summary

These are just couple of methods, practices that you can use in your own project to make your application or API secure. You can explore each one of these more in depth following references i included or simply researching more about them on your own.
I highly suggest implementing this level (or higher level) of security in your own personal projects. Being good at securing backend application is really valuable and it is indeed a great skill set to have. My suggestion is, no matter how big is the project you are showcasing on your portfolio/resume, always include security. You want employer to know that you understand how much security is important. As well you want to show that you are familiar with making data private and secure.

After you did all of this, you could either test your app / API to the maximum, perhaps revealing security vulnerabilities and patching them up or you could always take it to the next level and make security even higher such as: adding 2 Step Verification, Email confirmations, adding csurf, make encrypted passwords stronger etc.

I hope this article was helpful and you got a little bit familiar with threats lurking out there. If you would like to know more about these attacks (pretty much all in-depth) or about encryption (bcrypt, crypto) and other stuff (implementing 2 Step Verification, Email Confirmation etc.), let me know!

If you have any questions, feel free to ask them.

As well, you can now follow me on twitter & check my website.