Security in Node.JS and Express: The Bare Minimum — Part 3.
In the previous part, we covered
- XSS Attacks
- SQL injections
- RegEx Denial of Service
In this part, we will cover
- Cross-Site Request Forgery Attacks (CSRF)
- Rate Limiting
- Data Sanitization
Cross-Site Request Forgery
Cross-Site Request Forgery according to OWASP
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.
To prevent this kind of attack we implement the synchronizer token pattern, usually just called CSRF tokens.
A CSRF token is an unpredictable string that the server generates when it serves a page containing a form and expects back (normally as a hidden form field) when that form is POSTed. If the submitted token is missing or does not match the one stored for the session, the request is rejected. The token is unique per user session and usually expires after a set time span. The check works because the browser's same-origin policy prevents the attacker's page from reading the token out of ours; it can make the victim's browser send a request, but not a request carrying the right token. Marking the session cookie SameSite adds a second layer of defence, but the token check remains the primary control.
In Express applications we can implement this policy with the csurf npm package.
The package is mounted as a single middleware and handles token generation and verification for every user, but it relies on a cookie-parser or session middleware being registered before it to hold the per-user secret. Note that csurf has since been deprecated by its maintainers; the pattern it implements is unchanged.
In the back-end, the setup is the middleware registered ahead of the routes, with each form-rendering handler passing req.csrfToken() to its template.
In the front-end, each form embeds that token as a hidden input named _csrf.
Rate limiting
Another crucial aspect of the security of an Express application is rate limiting: a policy that caps the number of requests the server accepts from a given user and/or IP address within a time window. It limits what a single abusive client can do (brute-forcing logins, scraping, or simply flooding an endpoint) and raises the cost of a DoS attack, though on its own it will not absorb a distributed one.
The express-rate-limit npm package applies policies like these with very little code.
It can be mounted on every endpoint of the Express server, or with a different policy per route.
E.g. a limiter mounted with app.use('/API', limiter) applies only to the endpoints whose path starts with /API.
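The following is an added example rather than the article's listing or express-rate-limit's own code: a fixed-window limiter written by hand as Express-style middleware, so that it runs stand-alone. The in-memory counter store, the key function defaulting to req.ip, the injectable clock, and the header names are assumptions for the demo.

```javascript
// Fixed-window rate limiter factory (hand-rolled; not express-rate-limit).
// options: windowMs (window length), max (requests allowed per window per key),
// keyOf (assumed default: req.ip), now (clock, injectable for tests).
function createRateLimiter({ windowMs, max, keyOf = (req) => req.ip, now = Date.now }) {
  // Assumption: in-memory store. Several Node processes behind a load balancer
  // would each count separately, so production needs a shared store such as Redis.
  const hits = new Map(); // key -> { count, windowStart }

  // Record one request for `key` and report whether it is within the limit.
  function consume(key) {
    const t = now();
    let entry = hits.get(key);
    if (!entry || t - entry.windowStart >= windowMs) {
      entry = { count: 0, windowStart: t }; // start a new window
      hits.set(key, entry);
    }
    entry.count += 1;
    const remaining = Math.max(0, max - entry.count);
    const resetMs = entry.windowStart + windowMs - t;
    return { allowed: entry.count <= max, remaining, retryAfterSec: Math.ceil(resetMs / 1000) };
  }

  // Express-style middleware: 429 once the key exceeds `max` in the window.
  function middleware(req, res, next) {
    const result = consume(keyOf(req));
    res.setHeader('RateLimit-Limit', String(max));
    res.setHeader('RateLimit-Remaining', String(result.remaining));
    if (!result.allowed) {
      res.setHeader('Retry-After', String(result.retryAfterSec));
      return res.status(429).send('Too many requests');
    }
    return next();
  }

  middleware.consume = consume; // exposed so the counter can be inspected directly
  return middleware;
}

// Usage with Express (not executed here):
//   const app = require('express')();
//   app.set('trust proxy', 1); // so req.ip is the client, not the reverse proxy
//   app.use('/API', createRateLimiter({ windowMs: 15 * 60 * 1000, max: 100 }));
//   app.post('/login', createRateLimiter({ windowMs: 60 * 1000, max: 5 }), loginHandler);
```

Two practical points the snippet encodes: keying on req.ip is only meaningful if Express has been told to trust the proxy in front of it, otherwise every client shares the proxy's address and one noisy user locks everyone out; and a login route deserves a far stricter policy than the general API, which is why per-route limiters matter.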
Data sanitization and validation
Validation and sanitization must happen at every endpoint where the user submits data to the server. It removes the malformed input behind most of the flaws discussed in this series. Validation answers questions such as "Is this a well-formed e-mail address?", "Is it an integer?", "Is it a valid telephone number?"; sanitization normalizes the value (trimming whitespace, casting to a number, escaping) before the application uses it.
A very useful npm package for this kind of check on user input is express-validator.
express-validator lets us define a check schema per endpoint as a plain JavaScript object, mapping each field to its validators and sanitizers. It also lets us set the error message returned to the user when validation of a field fails.
An example schema follows the same shape: one key per field, each holding the checks to run and an errorMessage.
express-validator offers many built-in validators and sanitizers, such as
isPostalCode(), trim(), escape() and toInt(), and it allows custom validation and sanitization logic through custom() and customSanitizer().
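The following is an added example, not the article's listing and not express-validator's code: a schema-driven validation and sanitization middleware written by hand, so that it runs stand-alone. The schema keys mimic the checkSchema shape (isEmail, isInt with min/max, isLength, matches, trim, toInt, toLowerCase, optional, errorMessage) but the implementation, the signup schema, and the phone-number pattern are assumptions for the demo. Rules run in the order they are written, so a sanitizer such as trim must precede the validator that should see the trimmed value.

```javascript
// Validators take (value, option) and return true/false. The e-mail and digit
// patterns are deliberately simple and free of nested quantifiers, so they cannot
// be driven into ReDoS by long input.
const checks = {
  isEmail: (v) => typeof v === 'string' && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v),
  isInt: (v, opt = {}) => {
    if (typeof v !== 'string' && typeof v !== 'number') return false;
    if (!/^-?\d+$/.test(String(v))) return false;
    const n = Number(v);
    return (opt.min === undefined || n >= opt.min) && (opt.max === undefined || n <= opt.max);
  },
  isLength: (v, opt = {}) =>
    typeof v === 'string' && v.length >= (opt.min ?? 0) && v.length <= (opt.max ?? Infinity),
  matches: (v, re) => typeof v === 'string' && re.test(v),
  notEmpty: (v) => typeof v === 'string' && v.length > 0,
};

// Sanitizers transform the value and pass it on to the next rule.
const sanitizers = {
  trim: (v) => (typeof v === 'string' ? v.trim() : v),
  toInt: (v) => parseInt(v, 10),
  toLowerCase: (v) => (typeof v === 'string' ? v.toLowerCase() : v),
};

// Run a schema over a request body. Returns the list of errors and a new object
// holding only the schema's fields with sanitized values (unknown fields are dropped).
function validateBody(body, schema) {
  const errors = [];
  const data = {};
  for (const [field, rules] of Object.entries(schema)) {
    let value = body[field];
    if (value === undefined) {
      if (!rules.optional) errors.push({ field, msg: rules.errorMessage || 'is required' });
      continue;
    }
    let valid = true;
    for (const [name, opt] of Object.entries(rules)) {
      if (name === 'optional' || name === 'errorMessage') continue;
      if (sanitizers[name]) { value = sanitizers[name](value); continue; }
      const check = checks[name];
      if (!check) throw new Error(`unknown rule ${name} for field ${field}`);
      const ok = opt === true ? check(value) : check(value, opt);
      if (!ok) { errors.push({ field, msg: rules.errorMessage || `failed ${name}` }); valid = false; break; }
    }
    if (valid) data[field] = value;
  }
  return { errors, data };
}

// Express-style middleware factory: 400 with the error list on failure, otherwise
// req.body is replaced by the sanitized, whitelisted data before the handler runs.
// Usage (not executed here): app.post('/signup', validate(signupSchema), signupHandler);
function validate(schema) {
  return function (req, res, next) {
    const { errors, data } = validateBody(req.body || {}, schema);
    if (errors.length) return res.status(400).json({ errors });
    req.body = data;
    return next();
  };
}

// Assumed signup schema for the demo.
const signupSchema = {
  email: { trim: true, toLowerCase: true, isEmail: true, errorMessage: 'Invalid e-mail address' },
  age: { isInt: { min: 13, max: 120 }, toInt: true, errorMessage: 'Age must be an integer between 13 and 120' },
  phone: { optional: true, trim: true, matches: /^\+?[0-9]{7,15}$/, errorMessage: 'Invalid telephone number' },
  username: { trim: true, isLength: { min: 3, max: 32 }, errorMessage: 'Username must be 3-32 characters' },
};
```

Replacing req.body with the whitelisted object is the part most easily forgotten: it means a handler that does something like User.create(req.body) cannot be fed extra fields such as isAdmin that the schema never mentioned.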
That’s all folks (for now…)
I hope you find it interesting and that it helps you build more secure and robust Node.JS and Express apps.