Secure Your ExpressJS App
6 actionable tips on how to secure your web applications
Know the basics
Open Web Application Security Project (https://owasp.org/) and its Top 10 Web Application Security Risks (https://owasp.org/www-project-top-ten/)
Take Actions
🔒 1. Secure HTTP Headers
Use Helmet in your Express app.
// Simply do this
const express = require("express");
const helmet = require("helmet");

const app = express();
app.use(helmet());

// or, if you need "Referer" to identify traffic channels, keep the other
// defaults but relax the referrer policy so only the origin is sent
app.use(
  helmet({
    referrerPolicy: { policy: "origin" },
  })
);
Use Security Headers Checker, or curl -I (for example curl -I https://twitter.com), to inspect the response headers your endpoint actually returns. To understand why you should secure HTTP headers, read the OWASP HTTP Headers Cheat Sheet.
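The check itself, as an added example that is not part of the original post: a small Node script that parses raw curl -I output and reports which of the headers Helmet sets by default are missing, plus whether the response still advertises the framework through X-Powered-By. The two responses it audits are constructed for the example, not captured from any real site.

```javascript
// Added example (not from the original post): parse raw `curl -I` output and
// report which of the headers Helmet sets by default are missing. Both
// responses below are constructed, not captured from any real site.
const EXPECTED_HEADERS = [
  "strict-transport-security", // forces HTTPS on later visits
  "content-security-policy",   // limits where scripts and styles may load from
  "x-content-type-options",    // nosniff: stops MIME-type guessing
  "x-frame-options",           // clickjacking protection
  "referrer-policy",           // controls what the Referer header leaks
];

function parseResponseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const colon = line.indexOf(":");
    if (colon <= 0) continue; // skips the status line ("HTTP/1.1 200 OK") and blank lines
    headers[line.slice(0, colon).trim().toLowerCase()] = line.slice(colon + 1).trim();
  }
  return headers;
}

function auditHeaders(raw) {
  const headers = parseResponseHeaders(raw);
  return {
    missing: EXPECTED_HEADERS.filter((h) => !(h in headers)),
    // X-Powered-By advertises the framework; helmet() removes it
    leaksStack: "x-powered-by" in headers,
  };
}

// Constructed: what a stock Express app answers without Helmet
const BARE_EXPRESS = [
  "HTTP/1.1 200 OK",
  "X-Powered-By: Express",
  "Content-Type: text/html; charset=utf-8",
  "Content-Length: 12",
  "",
].join("\r\n");

// Constructed: the same app after app.use(helmet()), with values of the
// kind Helmet emits (CSP abbreviated)
const WITH_HELMET = [
  "HTTP/1.1 200 OK",
  "Content-Security-Policy: default-src 'self';frame-ancestors 'self';object-src 'none';script-src 'self'",
  "Strict-Transport-Security: max-age=15552000; includeSubDomains",
  "X-Content-Type-Options: nosniff",
  "X-Frame-Options: SAMEORIGIN",
  "Referrer-Policy: no-referrer",
  "Content-Type: text/html; charset=utf-8",
  "",
].join("\r\n");

console.log(auditHeaders(BARE_EXPRESS)); // missing lists all five headers, leaksStack: true
console.log(auditHeaders(WITH_HELMET));  // missing: [], leaksStack: false
```

Pipe the real thing in with curl -sI https://your-endpoint and feed the text to auditHeaders; a header that is present but weak (for example a CSP of default-src *) still needs a human eye, which this check does not replace.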
🔒 2. Secure Cookies
Set the Secure flag (the cookie is only sent over HTTPS) and the HttpOnly flag (scripts cannot read it) whenever possible. Tightly scope Domain and Path; omitting Domain gives a host-only cookie, the tightest scope there is. Always set Expires (or Max-Age) so the cookie has a bounded lifetime, and never ever use cookies to store customer information: keep only an opaque session identifier in the cookie and the data on the server.
For more information, read the OWASP Session Management Cheat Sheet
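The cookie attributes above, as an added example that is not part of the original post: a builder that emits a Set-Cookie header with every recommended attribute, and an auditor you can run over a header copied from curl -I output. It uses only Node built-ins; in Express the same options are passed to res.cookie(name, value, { secure, httpOnly, domain, path, expires, sameSite }). SameSite is an addition taken from the OWASP Session Management Cheat Sheet the post links to, not something the post itself lists, and the weak header being audited is constructed.

```javascript
// Added example (not from the original post): build a Set-Cookie header with
// the attributes the post recommends, and audit an existing one.
// SameSite is taken from the OWASP Session Management Cheat Sheet.
function buildSetCookie({ name, value, domain, path = "/", maxAgeSeconds, sameSite = "Lax" }) {
  // RFC 6265 token / cookie-octet characters only: a ";" or "," in the name or
  // value would let a caller smuggle extra attributes into the header
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) throw new Error("invalid cookie name");
  if (!/^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]+$/.test(value)) throw new Error("cookie value must be an opaque token");
  if (!Number.isInteger(maxAgeSeconds) || maxAgeSeconds <= 0) throw new Error("maxAgeSeconds is required");
  const expires = new Date(Date.now() + maxAgeSeconds * 1000).toUTCString();
  const attrs = [`${name}=${value}`, `Path=${path}`];
  // Omit Domain and the browser keeps the cookie host-only, the tightest scope
  if (domain) attrs.push(`Domain=${domain}`);
  attrs.push(`Expires=${expires}`, `Max-Age=${maxAgeSeconds}`, `SameSite=${sameSite}`, "Secure", "HttpOnly");
  return attrs.join("; ");
}

function auditSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const names = new Set(attrs.map((a) => a.split("=")[0].toLowerCase()));
  const problems = [];
  if (!names.has("secure")) problems.push("missing Secure: cookie is also sent over plain HTTP");
  if (!names.has("httponly")) problems.push("missing HttpOnly: readable by injected scripts");
  if (!names.has("expires") && !names.has("max-age")) problems.push("no Expires/Max-Age: lifetime left to the browser");
  if (!names.has("samesite")) problems.push("no SameSite: sent on cross-site requests");
  if (!names.has("path")) problems.push("no Path: scope defaults to the request's directory");
  // An e-mail address or (URL-encoded) JSON in the value is customer data, not a session id
  const value = pair.slice(pair.indexOf("=") + 1);
  if (/[@{}]|%7b/i.test(value)) problems.push("value looks like customer data, not an opaque session id");
  return problems;
}

// Constructed samples: a hardened session cookie and a weak one
const GOOD = buildSetCookie({ name: "sid", value: "9f86d081884c7d659a2feaa0c55ad015", maxAgeSeconds: 3600, path: "/api" });
const WEAK = "session=alice@example.com; Path=/";
console.log(GOOD, auditSetCookie(GOOD)); // []
console.log(WEAK, auditSetCookie(WEAK)); // five findings
```

The auditor only sees attributes, so it cannot tell you whether the Path is tight enough for your routes; that judgement stays with you.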
🔒 3. Secure HTML
Use DOMPurify to sanitise HTML and prevent XSS attacks. Reach for it when you must render untrusted markup as HTML; when you only need to show untrusted text, escaping it for the output context is enough. DOMPurify needs a DOM, so on the server it runs against jsdom (the isomorphic-dompurify package bundles that).
For XSS attacks to be successful, an attacker needs to insert and execute malicious content in a webpage. Each variable in a web application needs to be protected. Ensuring that all variables go through validation and are then escaped or sanitized is known as perfect injection resistance. — OWASP Cross Site Scripting Prevention Cheat Sheet
🔒 4. Validate All Inputs
Validate every input before using it, for example with validator.js, and reject anything that does not match what you expect rather than trying to clean it up.
Input validation is performed to ensure only properly formed data is entering the workflow in an information system, preventing malformed data from persisting in the database and triggering malfunction of various downstream components. Input validation should happen as early as possible in the data flow, preferably as soon as the data is received from the external party. — OWASP Input Validation Cheat Sheet
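An allow-list validator for a sign-up body, as an added example that is not part of the original post or of validator.js: it rejects unknown fields, wrong types and values outside the expected shape, and it returns a freshly built object so only validated fields reach the handler. The schema and the request bodies are constructed for the example. validator.js provides the same kind of predicates (isEmail, isLength and so on, stricter than the e-mail regex used here); in Express this runs as middleware in front of the route so bad data is rejected as early as the quote recommends.

```javascript
// Added example (not from the original post): allow-list validation of a
// request body before any handler touches it. The schema is constructed.
const SIGNUP_SCHEMA = {
  username: { type: "string", pattern: /^[a-z0-9_]{3,20}$/ },
  // Sanity check only; validator.js's isEmail() is considerably stricter
  email: { type: "string", pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/, maxLength: 254 },
  age: { type: "integer", min: 13, max: 120 },
};

function validateBody(schema, body) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { ok: false, errors: ["body must be a JSON object"], value: null };
  }
  const errors = [];
  // Reject keys the schema does not know: blocks mass assignment of fields
  // like isAdmin, and own properties named __proto__ from JSON.parse
  for (const key of Object.keys(body)) {
    if (!Object.prototype.hasOwnProperty.call(schema, key)) errors.push(`unexpected field: ${key}`);
  }
  const value = {};
  for (const [field, rule] of Object.entries(schema)) {
    const v = body[field];
    if (v === undefined) { errors.push(`${field} is required`); continue; }
    if (rule.type === "string") {
      if (typeof v !== "string") { errors.push(`${field} must be a string`); continue; }
      if (rule.maxLength && v.length > rule.maxLength) { errors.push(`${field} is too long`); continue; }
      if (!rule.pattern.test(v)) { errors.push(`${field} has an invalid format`); continue; }
    } else if (rule.type === "integer") {
      // typeof "42" is string, so a JSON string never passes as a number
      if (!Number.isInteger(v) || v < rule.min || v > rule.max) {
        errors.push(`${field} must be an integer between ${rule.min} and ${rule.max}`);
        continue;
      }
    }
    value[field] = v; // only validated fields are copied out
  }
  return { ok: errors.length === 0, errors, value };
}

// Express usage (not runnable here without express installed):
// app.post("/signup", (req, res, next) => {
//   const result = validateBody(SIGNUP_SCHEMA, req.body);
//   if (!result.ok) return res.status(400).json({ errors: result.errors });
//   req.validated = result.value;
//   next();
// }, signupHandler);

// Constructed request bodies
console.log(validateBody(SIGNUP_SCHEMA, { username: "alice_01", email: "alice@example.com", age: 30 }));
console.log(validateBody(SIGNUP_SCHEMA, { username: "admin; DROP TABLE users", email: "not-an-email", age: "42", isAdmin: true }));
```

Note that the handler reads req.validated, never req.body: the whole point of validating early is that nothing downstream has to guess which fields were checked.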
🔒 5. Secure Outbound Links
Give links that open external sites in a new tab rel="noopener noreferrer nofollow":
noopener stops the opened page from reaching back into yours through window.opener, which is how tabnabbing phishing works.
noreferrer stops the browser from sending the Referer header to the target, so the other site cannot see (or track) which of your pages the visitor came from; it also implies noopener.
nofollow tells Google not to transfer PageRank across the link.
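A link renderer that applies tips 3 and 5 together, as an added example that is not part of the original post: the link text is HTML-escaped (output encoding, the right tool when you do not need to allow markup and therefore do not need DOMPurify), the href is parsed with the URL API and restricted to http(s) so javascript: and data: URLs are dropped, and links that leave the site's own origin get target="_blank" with rel="noopener noreferrer nofollow". SITE_ORIGIN and the sample links are assumptions for the example.

```javascript
// Added example (not from the original post): render an anchor from a
// user-supplied href and text. SITE_ORIGIN is assumed for the example.
const SITE_ORIGIN = "https://example.com";

// Output encoding for HTML body and double-quoted attribute contexts
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);

function classifyHref(href) {
  let url;
  try {
    url = new URL(href, SITE_ORIGIN); // relative links resolve against our own origin
  } catch (_err) {
    return { kind: "invalid" };
  }
  // Scheme allow-list: rejects javascript:, data:, vbscript: and friends
  if (url.protocol !== "https:" && url.protocol !== "http:") return { kind: "invalid" };
  return { kind: url.origin === SITE_ORIGIN ? "internal" : "external", url: url.href };
}

function renderLink(href, text) {
  const { kind, url } = classifyHref(href);
  if (kind === "invalid") return escapeHtml(text); // drop the link, keep the text
  if (kind === "internal") return `<a href="${escapeHtml(url)}">${escapeHtml(text)}</a>`;
  // Outbound: new tab, no window.opener, no Referer, no PageRank
  return `<a href="${escapeHtml(url)}" target="_blank" rel="noopener noreferrer nofollow">${escapeHtml(text)}</a>`;
}

// Constructed inputs
console.log(renderLink("/docs", "Docs"));
console.log(renderLink("https://evil.example/?x=1", "<img src=x onerror=alert(1)>"));
console.log(renderLink("javascript:alert(1)", "click me"));
```

If user-supplied HTML rather than plain text has to appear inside the anchor, run it through DOMPurify first instead of escapeHtml; escaping would turn the markup into visible text.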