Safeguarding Node JS Applications

Eresh Gorantla
Apr 18 · 5 min read

This story talks about securing node js applications from the most common security threats to Node Js application. These are the most common security vulnerabilities that is identified by the OWASP article.

Many of these issues can be addressed by using the Helmet middleware library.

Helmet can help protect your app from some well-known web vulnerabilities by setting HTTP headers appropriately.

Helmet is actually just a collection of smaller middleware functions that set security-related HTTP response headers:

  • csp sets the Content-Security-Policy header to help prevent cross-site scripting attacks and other cross-site injections.
  • hidePoweredBy removes the X-Powered-By header.
  • hsts sets Strict-Transport-Security header that enforces secure (HTTP over SSL/TLS) connections to the server.
  • ieNoOpen sets X-Download-Options for IE8+.
  • noCache sets Cache-Control and Pragma headers to disable client-side caching.
  • noSniff sets X-Content-Type-Options to prevent browsers from MIME-sniffing a response away from the declared content-type.
  • frameguard sets the X-Frame-Options header to provide clickjacking protection.
  • xssFilter sets X-XSS-Protection to disable the buggy Cross-site scripting (XSS) filter in web browsers.

Let us create a sample application

$ mkdir helmet-test
$ cd helmet-test
$ npm init -y
$ npm install express --save

Create a file index.js

const express = require('express')

const app = express()

app.get('/', (request, response) => {
return response.json({
response: 'I am Alive ....'
})
})

app.listen(3000)

Let us do CURL command for GET API, do this with ( — include)

One of the things that caught my attention is the x-powered-by response header. I don’t think knowing it is an Express app adds any value to the client. On the contrary, if an attacker finds out we are using an old version of Express, they will try to exploit any known vulnerability. This header will be removed by Helmet.

Some more headers that would make the server secure are:

  • Content-Security-Policy.
  • Strict-Transport-Security.
  • Expect-CT.
  • Referrer-Policy.
  • X-Content-Type-Options.

There is a popular website which checks the url and gives security rating. I am using using ngrok for tunnelling local http end point to https and check in the security rating website.

Capturing the https endpoint and verified for API. Below is the report, the rating is not so encouraging.

Let us include Helmet in our app and start using it.

$ npm install helmet --save

Change the index.js as below.

const express = require('express')
const helmet = require('helmet')

Let us again run the exercise of using CURL to call GET API.

Now Helmet has removed the x-powered-by from the response headers. In addition to that it has added few more defaults.

Remove X-Powered-By Header

The X-Powered-By header (set to “Express” by default in a Node / Express application) can be used by attackers to identify the site’s infrastructure and should therefore be hidden.

Content Security Policy:

Content-Security-Policy is the name of a HTTP response header that modern browsers use to enhance the security of the document (or web page). The Content-Security-Policy header allows you to restrict how resources such as JavaScript, CSS, or pretty much anything that the browser loads.

CSP was first designed to reduce the attack surface of Cross Site Scripting (XSS) attacks, later versions of the spec also protect against other forms of attack such as Click Jacking.

Expect Certificate Transparency

The HTTP Expect-CT header is a response-type header that prevents the usage of wrongly issued certificates for a site and makes sure that they do not go unnoticed and it also allows sites to decide on reporting or enforcement of Certificate Transparency requirements.

Browsers ignore the Expect-CT header over HTTP. The header only has an effect on HTTPS connections. So this is an explicit check by the browser that the given certificate for the website is a valid one as per public-logs . Helmet adds expect-ct: max-age=0, meaning the browser should expect the certificate to be valid.

Referrer-Policy

In simple terms, Referrer-Policy defines what data should be picked up from the referrer of the request. By default, Helmet puts this to no data, which means no part of the URL — neither the origin nor the query string — can be used on your website. Web.dev has a great piece on Referrer best practices with easy-to-understand graphical explanations. Helmet adds referrer-policy: no-referrer, which is pretty restrictive.

Strict-Transport-Security

The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) lets a web site tell browsers that it should only be accessed using HTTPS, instead of using HTTP.

It has max-age and includeSubdomain directives. Max-age tells the browser the time in seconds that it should remember that the website should only be accessed using HTTPS. The includeSubdomain directive, which is optional, indicates that this rule applies to the site’s subdomains as well. Helmet adds the following:

1strict-transport-security: max-age=15552000; includeSubDomains

So it says that the website needs to be accessed via HTTPS for 180 days with its subdomains.

There are other headers that Helmet Creates apart from these by default.

Let us the security Check again with the website.

Geek Culture

Proud to geek out.

Sign up for Geek Culture Hits

By Geek Culture

Subscribe to receive top 10 most read stories of Geek Culture — delivered straight into your inbox, once a week. Take a look.

By signing up, you will create a Medium account if you don’t already have one. Review our Privacy Policy for more information about our privacy practices.

Check your inbox
Medium sent you an email at to complete your subscription.

Geek Culture

A new tech publication by Start it up (https://medium.com/swlh).

Eresh Gorantla

Written by

Experience in Open source development, Technical Leader. Expert in Java/J2EE, Integration, analytics. Loves Cricket, cooking, movies and travelling.

Geek Culture

A new tech publication by Start it up (https://medium.com/swlh).

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store