Screen Shot 2018-10-07 at 1.09.09 PMA post by Akshay Gulhane, MSCS from Binghamton University.

Security is of the utmost importance for the web applications. So let’s discuss some of the security features that every developer should implement while developing an app:

1. Input Validation at Client and Server Side

A hacker can use special characters to exploit JavaScript (or different injections) and can get root access to the application. So it’s always a better idea to validate user input at the client as well as server-side to prevent attackers from inputing any scripts in the input fields.

An Example of how to implement this in Server Side (Node.js) —

The Node Package Manager (npm) has a very easy to use a library called “express-sanitizer”. This is how we can implement it 

const express = require('express');

var expressSanitizer = require('express-sanitizer');
var bodyParser = require('body-parser');

const app = express();
const router = express.Router();
const PORT = process.env.PORT || 3001; 

app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: false }));

// Mount express-sanitizer here
app.use(expressSanitizer());

app.post('/', function (req, res, next) {
    // replace an HTTP posted body property with the sanitized string
    req.body.sanitized = req.sanitize(req.body.propertyToSanitize);
    // send the response
    res.send('Your value was sanitized to: ' + req.body.sanitized);
});

app.listen(PORT, function() {
    console.log(`Server started....`)
});

On the client side —

It is always a good choice to restrict the input of the fields.

For Example, a “Date of Birth” field should only take input as numbers. You the programmer should put “-” or “/” characters in between the numbers.


2. Do not use libraries with known vulnerabilities

An attacker can use the vulnerabilities in known libraries to exploit the system. The best way to find out any vulnerabilities in the Node.js is by running a security audit.

This is available in npm v6 and above.

To run the audit we can use:

npm audit

To fix (almost all) the issues from the security audit, we can use:

npm audit fix


3. Rate Limit the APIs

Rate limiting prevents the APIs from hackers or bots. Even though this should be handled at the firewall, having a validation at the server side helps us secure the APIs.

Below is the example of how to implement the Rate Limiter in Node.js 

const express = require('express');
const RateLimit = require('express-rate-limit');

const limiter = new RateLimit({
    windowMs: 15 * 60 * 1000, // 15 minutes
    max: 100, // limit each IP to 100 requests per windowMs
    delayMs: 0 // disable delaying - full speed until the max limit is reached
});

app.use(limiter);

4. Don’t Reveal Server Information

Revealing the server banner can help the hackers to get the information about your server. There are known vulnerabilities in some versions of Apache httpd, nginx etc.

Changing the server banner is easy and can be done in the server configuration.

Bad: Revealing Server Information
Bad: Revealing Server Information

Good: No Server Information is provided
Good: No Server Information is provided

I hope this post is useful and can help secure your application in Production.

P.S.: I’ll keep on adding/updating this article. If you have any suggestions, do let me know on Twitter!