Cross-Site Scripting (XSS)
XSS is a high-rated security vulnerability since the attacker can get access to LocalStorage, SessionStorage, or cookies. That’s why it’s recommended not to store any sensitive data in these storages.
Cross-Site Request Forgery (CSRF)
CSRF is an attack that exploits the mechanism of sending HTTP requests from the browser. If a user’s PC stores some cookies from a particular website, these cookies will be sent with the request, and it doesn’t matter who starts a given request. Thus, if you let things slide and don’t defend your web app against CSRF, a hacker can steal the accounts of your users.
A simple example of CSRF attack implies that a hacker finds an unprotected <form> element on the web page. Then, a custom URL that calls the action of the given form can be created. For example, it can update the email address of your user. The hacker can request a password reminder and take over the account.
To avoid such issues, you can add a CSRF token to the form. This token should be unique per session and generated by a secure random number generator. After you generate this token, you can add it as a hidden input field in the form on your web page. The next step is to make your server reject the request action in case if the token isn’t validated.
If you use the concatenation of string of unsanctioned dynamic user input, be prepared to meet some unpleasant consequences. We’re talking about the high risk of vulnerabilities. Besides that, remember that if user’s input is required for a server-side command, then it should be properly validated.
Choose Wisely Between JWT-based and Session-based Authentication
JSON Web Tokens (JWT) is a method for representing claims securely between two parties. It includes some data on the user side (e.g., name and email) along with other two values: iat (issued at) and exp (expires at). These tokens are signed by a secret key, but you should not use any sensitive data in JWSs since payloads are not encrypted. Each token consists of three base64-encoded parts that describe the used algorithm, contain the actual payload, and the signature. This technique is usually used for authenticating in SPAs and can simplify how you authenticate against different APIs hosted on different subdomains.
Pay Due Attention to the Safety of Your Passwords
If you’re a beginner, take it as a rule that passwords should never be stored in plain text. Besides that, don’t forget to use salt, Without it, a hacker can use so-called Rainbow tables to reverse the passwords. Functions such as Bcrypt allows adding salt to your passwords. Bcrypt has an implementation for Node.js apps, so if you use it, spend some time to learn how this function works.
If we talk about handling secrets such as database passwords, don’t ever check them into your Version Control System (VCS) as plain text. To store such precious info in VCS, you can encrypt them using such apps as git-crypt or git-secret. Another handy tool is Vault. It allows to store and control access to your tokens, passwords, and other secret data.
Feel free to share your thoughts and experience in the comments.