Node.js is one of the most popular open-source JavaScript runtime environments. Many developers use it to create high-quality apps that make people's lives easier. There are a lot of things you can learn to optimize Node.js, but in this article we will mainly discuss how you can improve your security. We have listed several best practices that are very popular in the Melbourne web developer community. These might not cover everything about Node.js security, but they are a good place to start.
Avoid JavaScript Eval Statements
In our opinion, we should avoid using the eval function in any code, and we have good reasons to support our claim. Number one, attackers can easily inject malicious code through eval, and number two, it has slow performance. There are some other similar functions you might want to avoid, such as the new Function constructor and the string forms of setTimeout and setInterval. The new Function constructor takes one or more string arguments for parameter names and the code to run, and just like eval, it allows code to be executed from a string, which means anyone who controls that string can run anything. We reduce a lot of the risk of cross-site scripting attacks when we eliminate these constructs, because attackers can no longer inject malicious content through them.
Prevent Brute-Force Attacks Against Authorization
Rate limiting a site's or app's login routes can provide us with additional security. It limits an attacker's failed login attempts within a period of time, so they won't be able to make enough guesses to succeed. To do this, we can check the IP address or the ID or name of the computer that's trying to log in.
Use express-brute to add brute-force protection to an app. When an attacker hits the route too often, they will get a 429 response indicating the route has been hit too many times from the same origin.
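As an added example (not code from the article or from express-brute itself), here is a minimal in-memory failed-login limiter that applies the same idea: failures are counted per origin (here the client IP) inside a sliding window, and once the limit is reached the route answers 429 before the password is even checked. The option names, the injectable clock and the Express-style middleware shape are my own assumptions.

```javascript
// Minimal failed-login limiter in the spirit of express-brute (illustrative,
// not the library's code). The Map is per-process: use a shared store such as
// Redis in production so the limit holds across instances.
function createLoginLimiter({ maxFailures = 5, windowMs = 15 * 60 * 1000, now = Date.now } = {}) {
  const failures = new Map(); // origin key -> timestamps (ms) of recent failures

  // Drop failures older than the window and return the ones still counted.
  function recent(key) {
    const cutoff = now() - windowMs;
    const kept = (failures.get(key) || []).filter((t) => t > cutoff);
    if (kept.length) failures.set(key, kept); else failures.delete(key);
    return kept;
  }

  const limiter = {
    // True once the origin has reached the failure limit inside the window.
    isBlocked(key) { return recent(key).length >= maxFailures; },

    // Milliseconds until the oldest counted failure ages out of the window.
    retryAfterMs(key) {
      const r = recent(key);
      return r.length ? Math.max(0, r[0] + windowMs - now()) : 0;
    },

    // Call from the login handler when the credentials were wrong.
    recordFailure(key) { const r = recent(key); r.push(now()); failures.set(key, r); },

    // Call after a successful login so legitimate users are not locked out.
    reset(key) { failures.delete(key); },

    // Express-style middleware: app.post('/login', limiter.middleware(), handler)
    middleware() {
      return (req, res, next) => {
        const key = req.ip;
        if (limiter.isBlocked(key)) {
          res.set('Retry-After', String(Math.ceil(limiter.retryAfterMs(key) / 1000)));
          return res.status(429).send('Too many failed login attempts from this address');
        }
        next();
      };
    },
  };
  return limiter;
}
```

Counting only failed attempts (and resetting on success) keeps the limiter from punishing users who log in correctly, while the Retry-After header tells well-behaved clients when to try again.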
Avoid Module Loading Using a Variable
Ideally, variables should not be used to load a module, because it weakens our app's security by giving attackers a chance to inject malicious code into our app and run it. The same principle also applies to any operation that accesses files, such as reading them. eslint-plugin-security can detect this and stop you from committing such changes.
Prevent RegExp From Overloading Single Thread Execution
Regular expression processing in JavaScript runs on the single execution thread, so a poorly written pattern can be stalled by a single request that validates just a few words. Therefore, we recommend you use validator.js or other third-party validation packages instead of writing your own regex patterns. Also, we should make use of safe-regex to detect vulnerable regex patterns.