Security in Node.JS and Express: The Bare Minimum — Part 3.

Petros Demetrakopoulos
Jan 19 · 3 min read

In the previous part, we covered

  • XSS Attacks
  • SQL injections
  • RegEx Denial of Service

In this part, we will cover

  • Cross-Site Request Forgery Attacks (CSRF)
  • Rate Limiting
  • Data Sanitization

Cross-Site Request Forgery

Cross-Site Request Forgery according to OWASP

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.

In order to prevent this kind of attack, we should implement a synchronizer CSRF token policy.

A CSRF token is a random string that the server sets when the user requests a page containing a form, and that it expects back unchanged when the form's POST request is made. If the tokens do not match, or if the token is missing from the form data, the POST request is rejected. The CSRF token is unique to each user session and usually expires after a given time span.

In Express applications we can implement a CSRF policy with the help of the csurf npm package.
The package can be enabled in one line and it handles everything related to CSRF tokens for all users.

So in the back-end, the correct setup looks like this:

And in the front-end, it looks like this for each form:

Rate Limiting

Another crucial aspect of the security of your Express application is rate limiting. As you may already know, rate limiting is the policy that controls the rate of requests your server will accept from a specific user and / or IP address. In that way, we help prevent DoS attacks.

The express-rate-limit npm package lets us apply policies like the one described above in a really easy way.

For example:

express-rate-limit allows us to apply rate-limiting policies to all the endpoints of our Express server, or even a different policy for each route.

For example, the following applies a rate-limiting policy only to the endpoints starting with /API:
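The gists for both examples above were lost in extraction; as an added example (hand-written here, not express-rate-limit's own code) this is a fixed-window limiter taking the package's two basic options, `windowMs` and `max`, keyed by `req.ip`, with the mounting lines for "all routes" versus "only /API" in the trailing comment. The injectable `now` clock and the `keyFn` parameter are assumptions for testability.

```javascript
// Fixed-window limiter keyed by client IP: at most `max` requests per
// `windowMs` milliseconds, the same two options express-rate-limit takes.
// `now` is injectable so the window can be advanced deterministically in tests.
function createRateLimiter({ windowMs, max, keyFn = (req) => req.ip, now = Date.now }) {
  const hits = new Map(); // key -> { count, windowStart }

  // Record one request for `key` and report whether it is within the limit.
  function check(key, t = now()) {
    let entry = hits.get(key);
    if (!entry || t - entry.windowStart >= windowMs) {
      entry = { count: 0, windowStart: t }; // fresh window for this client
      hits.set(key, entry);
    }
    entry.count += 1;
    return {
      allowed: entry.count <= max,
      remaining: Math.max(0, max - entry.count),
      resetAt: entry.windowStart + windowMs,
    };
  }

  // Express-style middleware: answer 429 once the client's window is exhausted.
  function middleware(req, res, next) {
    const { allowed, remaining, resetAt } = check(keyFn(req));
    res.set('X-RateLimit-Limit', String(max));
    res.set('X-RateLimit-Remaining', String(remaining));
    if (!allowed) {
      res.set('Retry-After', String(Math.ceil((resetAt - now()) / 1000)));
      return res.status(429).send('Too many requests, please try again later.');
    }
    return next();
  }
  middleware.check = check; // exposed so the limiter can be exercised directly
  return middleware;
}

// Usage in an Express app (not executed here):
//   const apiLimiter = createRateLimiter({ windowMs: 15 * 60 * 1000, max: 100 });
//   app.use(apiLimiter);         // every route is limited
//   app.use('/API', apiLimiter); // only routes under /API are limited
// Behind a reverse proxy req.ip is the proxy's address unless
// app.set('trust proxy', ...) is configured, so all clients would share one bucket.
module.exports = { createRateLimiter };
```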

Important note: Static resources such as images, CSS stylesheets and front-end JavaScript files count as requests too if we serve them through our Express server (which is a bad practice anyway; we should prefer a CDN for static resources).

Data sanitization and validation

Data sanitization and validation is an important process that must take place at every endpoint where the user submits data to the server. It protects the server from most of the flaws mentioned in this series of articles. When validating data, we are interested in checks like “Is this a correct e-mail address?”, “Is it an integer?”, “Is it a valid telephone number?”, etc.

A very useful npm package that helps us perform these kinds of checks on user input is express-validator.

express-validator allows us to define a “check schema” for each endpoint as a plain JSON-like object. It also lets us set the error message returned to the user when validation of a field fails.

An example is given below:

express-validator offers many useful validators such as isIn(), exists(), isUUID() and isPostalCode(), as well as sanitizers such as trimming functions. It also allows us to implement custom validation and sanitization logic.
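Since the example gist above was lost, here is an added, hand-written stand-in (not express-validator's code) that runs a schema in the same shape as the package's checkSchema(): sanitizers rewrite the field in place, validators record errors with the configured errorMessage in the { param, msg, value } shape that validationResult().array() returns. Only a few rules are implemented and their option shapes are simplified (e.g. isIn takes { values: [...] }); the sign-up schema is constructed for the example.

```javascript
// A small subset of express-validator's validators and sanitizers, hand-written
// here; option shapes are simplified (e.g. isIn takes { values: [...] }).
const validators = {
  isEmail: (v) => typeof v === 'string' && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v),
  isInt: (v, o = {}) => /^-?\d+$/.test(String(v)) &&
    (o.min === undefined || Number(v) >= o.min) &&
    (o.max === undefined || Number(v) <= o.max),
  isIn: (v, o = {}) => (o.values || []).includes(v),
};
const sanitizers = {
  trim: (v) => (typeof v === 'string' ? v.trim() : v),
  toInt: (v) => (v === undefined ? v : parseInt(v, 10)),
};
// Run a checkSchema-style object over a request body. Rules run in the order
// written: sanitizers rewrite body[field] in place, validators append errors.
function validateBody(schema, body) {
  const errors = [];
  for (const [field, rules] of Object.entries(schema)) {
    for (const [name, rule] of Object.entries(rules)) {
      if (sanitizers[name]) {
        if (rule) body[field] = sanitizers[name](body[field]);
        continue;
      }
      if (!validators[name]) throw new Error(`unknown rule: ${name}`);
      const opts = rule && typeof rule === 'object' ? rule.options : undefined;
      if (!validators[name](body[field], opts)) {
        const msg = (rule && rule.errorMessage) || 'Invalid value';
        errors.push({ param: field, msg, value: body[field] });
      }
    }
  }
  return errors;
}
// Express-style middleware factory: reject with 422 and the error list, which
// is what the usual validationResult(req).isEmpty() check in a route does.
function checkSchema(schema) {
  return (req, res, next) => {
    const errors = validateBody(schema, req.body || {});
    if (errors.length > 0) return res.status(422).json({ errors });
    return next();
  };
}
// Constructed example schema for a sign-up endpoint, in checkSchema()'s shape.
const signupSchema = {
  email: { trim: true, isEmail: { errorMessage: 'Must be a valid e-mail address' } },
  age: { isInt: { options: { min: 18, max: 120 }, errorMessage: 'Age must be 18-120' }, toInt: true },
  role: { isIn: { options: { values: ['user', 'admin'] }, errorMessage: 'Unknown role' } },
};
module.exports = { validateBody, checkSchema, signupSchema };
```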

That’s all folks (for now…)

I hope you found it interesting and that it helps you build more secure and robust Node.JS and Express apps.

Petros Demetrakopoulos

Written by

💻Code-blooded, 🌏 Traveler ⌨️ Computer Science graduate, AUEB alumnus. Passionate Homebrewer🍺. Lifelong learner 📚.

Geek Culture

A new tech publication by Start it up (https://medium.com/swlh).