Enhance Security for NodeJS Application

1. Limiting the number of requests

Limiting the number of requests (from a single IP address within a specific timeframe) is a method used to prevent denial-of-service (DOS, DDOS) attacks or brute force attacks that could overload your server.

If you're using Express, integrating this is quite straightforward using the express-rate-limit package.

import * as express from 'express'
import helmet from 'helmet'
import expressRateLimit from 'express-rate-limit'

const app = express()
const limiter = expressRateLimit({
windowMs: 10 * 60 * 1000, // ms, ~10 minutes
max: 50, // limit each IP to 50 requests
})
const specificLimiter = expressRateLimit({
windowMs: 60 * 60 * 1000, // 1 hour window
max: 2, // start blocking after 2 requests
message: 'Too many requests', // default 429 TOO MANY REQUESTS
})

app
.use(limiter) // use for all route
.use('/common', (req, res) => {
res.json({api: 'common', ok: true})
})
.get('/specific-api', specificLimiter, (req, res) => { // use middleware for specific route
res.json({api: 'specific', ok: true})
})
.listen(3000)

Note that if your development environment involves numerous test cases requiring requests to various APIs, it's advisable to exclude the rate limit. Always check the environment before starting the server to ensure that the rate limit is added in the production environment (or any desired environments).


2. Limiting the payload request size

Limiting the payload size sent to the server helps prevent DOS/DDOS attacks. Fortunately, Express also provides us with this capability as follows:

import * as express from 'express'

const app = express()
app
.use(express.json({limit: '50kb'})) // body-parser defaults to a body size limit of 100kb
.post('/send-data', (req, res) => {
if (!req.is('json')) {
return res.sendStatus(400) // Bad request
}
res.json({ok: true})
})
.listen(3000)


3. Using Helmet

Helmet is an npm package that includes middleware to handle and filter out malicious request headers (exploiting XSS vulnerabilities or clickjacking, for example). You can utilize Helmet's default configuration or customize it based on your needs following the instructions provided here.

Using it is as simple as:

import * as express from 'express'
import helmet from 'helmet'

const app = express()
app
.use(helmet())
.listen(3000)


4. Validate User Data Sent to the Server

Even if data validation is performed solely on the frontend, it's crucial to validate it on the backend as well. Frontend validation primarily serves regular users, while hackers may exploit vulnerabilities like SQL Injection to directly attack the server. Check out the following article for guidance on using express-validator to validate request data. It's a simple yet effective solution to enhance your server's security.


5. Use ORM Libraries (Object-Relational Mapping)

Utilize packages like TypeORM or Sequelize to mitigate serious security risks like SQL/NoSQL Injection. These packages offer convenient and secure functions suitable for connecting to multiple databases or migrating to different databases without significantly altering logic. While there are debates about the impact of using these packages on system performance, you can enhance performance through various methods. Moreover, considering the security risks, prioritizing this aspect is essential.

Avoid concatenating strings when querying to prevent hidden security risks:

const idValue = req.id; // get id from request so that attackers can attach malicious code
const query = `SELECT * FROM table_name a WHERE a.id = ${idValue};`;


6. Avoid Storing Secret Info Directly in the Codebase

Sensitive information like secret keys, database passwords, API keys, and other crucial data should never be stored directly in the source code. Instead, place these details in a .env file (and remember to add the .env file to .gitignore). Here's a simple way to do it:

Install the dotenv package.

yarn add dotenv


Creating a .env file

PASSWORD=password


Accessing Value

process.env.PASSWORD


Additionally, you can utilize Key Management Service (KMS) to store secret information on the cloud. Many providers like AWS, GCP, etc, offer support. Each method, whether using a .env file or KMS, has its pros and cons, so it's essential to weigh your options and choose what suits your needs best.


7. Choosing an Algorithm to Hash Passwords

Some hashing functions like SHA1, MD5, SHA-256 have been around for a while, but their hash/second rate is low, making them unsuitable for password hashing. Instead, opt for algorithms with a high hash/second rate like bcrypt or pbkdf2 to generate more complex hash strings. This will make it significantly more challenging and nearly impossible for attackers to crack passwords, as it will require a considerable amount of time and effort.

I'll provide a simple example using bcrypt to hash and compare passwords as follows:

import * as bcrypt from 'bcrypt'

const saltRounds = 10,
password1 = 'password1',
password2 = 'password2'

// 2 ways to gen hash
const hash1: string = await new Promise(rs =>
bcrypt.genSalt(saltRounds, (err, salt) => {
bcrypt.hash(password1, salt, (err, hash) => {
rs(hash) // store hash in your password DB.
})
})
)
const hash2 = await bcrypt.hash(password2, saltRounds)

// load hash from your password DB to compare
bcrypt.compare(password1, hash1, (err, result) => {
console.log(password1, hash1, result)
})
const result = await bcrypt.compare(password2, hash2)
console.log(password2, hash2, result)


8. Using HTTPS

When you use HTTP (Hypertext Transfer Protocol), data sent to the server isn't encrypted and can be intercepted and read by hackers. Nowadays, browsers like Chrome, Firefox, etc., display warnings when you access websites using HTTP. This can diminish your website's credibility to users and affect its ranking on search engines.

Using HTTPS (HTTP Secure) means that data sent to the server is encrypted, making it difficult for attackers to exploit sensitive information from those requests. However, it's important to note that accessing a website with HTTPS doesn't guarantee complete security.

To implement HTTPS for your website quickly and easily, you can use Cloudflare. It's a popular third-party service that acts as a proxy between users and your server, providing support for certificates and encryption. Simply sign up for a free Cloudflare account and configure details like your IP address and domain name. Since it's a third-party service, access speed may be slightly slower than usual.


Conclusion

Through this article, you've learned some methods to enhance security for your NodeJS application. These methods are relatively straightforward and can be implemented right away in your current project.

Don't hesitate to leave your thoughts in the comments section, and remember to like, share, and follow for more insightful content in the future!

Comments

Post a Comment

Popular posts from this blog

Kubernetes Practice Series

Image
Introduction Kubernetes (often abbreviated as K8s ) is an open-source system designed to automate the deployment, scaling, and management of containerized applications. This page serves as a collection of articles related to Kubernetes (K8s) , including theoretical concepts and practical guides on using Kubernetes to set up essential tools for the software development process. I will continue to update this series with new articles as ideas come to mind, to ensure the series becomes more comprehensive. The articles are arranged in increasing order of difficulty to make it easier for you to follow. If you have time, it's recommended that you start from the beginning of the series to acquire the necessary knowledge and information that will prepare you for the subsequent articles. Key Topics Covered in This Series Basic Knowledge : Fundamental concepts, common commands, etc. Resources : Pod, Deployment, Service, StatefulSet, Ingress, etc. Pod Autoscaler : Horizontal vs. Vertical sc
Read more

NodeJS Practice Series

Image
Introduction NodeJS is an open-source and cross-platform JavaScript runtime environment . Here are some key points about NodeJS : V8 Engine : NodeJS runs on the V8 JavaScript engine , which is also the core of Google Chrome . This allows NodeJS to be highly performant. Asynchronous and Non-Blocking : NodeJS  uses an event-driven, non-blocking I/O model. It’s lightweight and efficient, making it ideal for data-intensive real-time applications. Single-Threaded : NodeJS  runs in a single process, handling multiple requests without creating new threads. It eliminates waiting and continues with the next request. Common Language : Frontend developers who write JavaScript for browsers can use the same language for server-side code in NodeJS . You can even use the latest ECMAScript standards without waiting for browser updates. This page is designed to compile articles related to NodeJS , including how to integrate it with various libraries and relevant tech stacks. I will continue to u
Read more

Docker Practice Series

Image
Introduction Docker is an open platform for developing, shipping, and running applications. This page is dedicated to compiling articles related to Docker , covering both the theoretical aspects and practical applications of Docker in setting up popular tools essential for software development. I will be updating this series with more articles in the future as new ideas for topics arise. The articles are arranged in increasing order of difficulty, making it easier for you to follow along. If you have the time, I recommend starting from the beginning of the series to ensure that you grasp the necessary knowledge and information needed for the more advanced articles later on. Here are some key topics in the series that you need to explore to effectively use Docker : Basic knowledge Docker commands Docker Compose Building Docker images Performance improvement Integration with CI/CD Once you have a solid understanding of the foundational knowledge, the extended topics (including advanced
Read more

React Practice Series

Image
Introduction React is a JavaScript library created by Facebook , often referred to as the most popular frontend framework today. This page aims to gather articles related to ReactJS , covering topics such as theory, features, and commonly used packages in the process of building ReactJS applications. I will update this series with more articles in the future as new ideas for content come up. The articles are arranged in increasing order of difficulty, so if you have time, it's recommended to start from the beginning of the series. This will ensure you grasp the essential knowledge and information needed for the subsequent articles. Here are some key topics in the series that you need to explore to effectively use ReactJS : Fundamental : React Hook, React Context, Lazy load, etc. State management : redux, mobx, recoil, etc. Middleware libraries : redux-thunk, redux-saga, redux-observable, etc. Popular packages : react-query, immer, styled-components, etc. Rendering techniques : C
Read more

Sitemap

Image
A page aggregator designed for easy reference and search, compiling all blog posts for convenient access.
Read more

Setting up Kubernetes Dashboard with Kind

Image
Introduction In a previous article, I guided you through using Helm to deploy on Google Kubernetes Engine . However, if you want to cut down costs by using Kubernetes in your local environment instead of relying on a cloud provider during development, then Kind is your go-to. There are several tools to help set up Kubernetes locally, such as MiniKube , Kind , K3S , KubeAdm , and more. Each tool has its own pros and cons. In this article, I'll walk you through using Kind to quickly set up a Kubernetes cluster on Docker . Kind stands out for its compactness, making Kubernetes start up quickly, being user-friendly, and supporting the latest Kubernetes versions. Working with Kind Firstly, follow the instructions here to install Kind according to your operating system. If you're using Ubuntu , execute the command: [ $( uname -m ) = x86_64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.23.0/kind-linux-amd64 chmod +x ./kind sudo mv ./kind /usr/local/bin/ki
Read more

Explaining Async/Await in JavaScript in 10 Minutes

Image
Introduction For a long time, we've relied on callbacks to deal with asynchronous code in JavaScript. As a result, many of us have faced dreadful experiences dealing with deeply nested functions ( callback hell ). Callback hell Callbacks come with a lot of drawbacks. When we have multiple asynchronous operations, callbacks have to wait for each other to execute, prolonging the completion time. Additionally, writing nested callbacks makes our code messy and hard to maintain. In the ES6 (ECMAScript 2015) version, JavaScript introduced Promises. This was a fantastic replacement for callbacks and was quickly embraced by the community. Our new code looks similar to the old one, making it easier to follow and maintain. However, the issues with callbacks weren't completely resolved. Since the ES7 (ECMAScript 2016) version, Async/Await has been added to make asynchronous code in JavaScript look and feel easier to use. What is Async/Await? Async/Await is a feature of JavaScript that
Read more

Deploying a NodeJS Server on Google Kubernetes Engine

Image
Introduction to GKE Google Kubernetes Engine (GKE) is a managed Kubernetes service provided by Google Cloud Platform , facilitating simple and efficient deployment of Docker images. We only need to provide some configuration for the number of nodes, machine types, and replicas to use. Some Concepts Cluster A Cluster is a collection of Nodes where Kubernetes can deploy applications. A cluster includes at least one Master Node and multiple Worker Nodes . The Master Node is used to manage the Worker Nodes . Node A Node is a server in the Kubernetes Cluster. Nodes can be physical servers or virtual machines. Each Node runs  Kubernetes , which is responsible for communication between the Master Node and Worker Node , as well as managing Pods and containers running on it. Pod A Pod is the smallest deployable unit in Kubernetes . Each Pod contains one or more containers, typically Docker containers. Containers in the same Pod share a network namespace, meaning they have the same
Read more

Create API Gateway with fast-gateway

Image
Introduction In this article, I will guide you on how to use fast-gateway to deploy a simple API Gateway on NodeJS along with express . The advantage of an API Gateway is that it acts as an intermediary layer to hide the rest of the system, including services, commonly used in Microservices architecture. Example Usage This is the Microservices model after deployment: First, install the package yarn add fast-gateway Next, define the ports that will be used. import * as express from 'express' import * as gateway from 'fast-gateway' const portGateway = 5000 const portService1 = 5001 const portService2 = 5002 Define service 1 as follows: const startService1 = (): void => { const app = express () app . get ( '/list' , ( req , res ) => { const items = [ { id: 1 , name: 'service 1 value 1' , }, { id: 2 , name: 'service 1 value 2' , }, ] re
Read more

DevOps Practice Series

Image
Introduction DevOps is a combination of development (Dev) and operations (Ops), aimed at uniting people, processes, and technology to enhance the software development lifecycle. Here are some key aspects of DevOps: Collaboration and Communication: DevOps fosters a culture where development, IT operations, quality engineering, and security teams work together seamlessly. Continuous Integration and Continuous Delivery (CI/CD): These practices automate the integration and delivery of code changes, ensuring faster and more reliable software releases¹. Infrastructure as Code (IaC): This approach involves managing and provisioning computing infrastructure through machine-readable scripts, rather than physical hardware configuration¹. Monitoring and Logging: Continuous monitoring and logging help teams to detect issues early and maintain system reliability. Automation: Automating repetitive tasks reduces errors and increases efficiency, allowing teams to focus on more strategic work. By imple
Read more