
Secure Your Node.js Web Application: Keep Attackers Out and Users Happy


Cover image for Secure Your Node.js Web Application



Cyber-criminals have your web applications in their crosshairs. They search for and exploit common security mistakes in your web application to steal user data. Learn how you can secure your Node.js applications, database and web server to avoid these security holes. Discover the primary attack vectors against web applications, and implement security best practices and effective countermeasures. Coding securely will make you a stronger web developer and analyst, and you’ll protect your users.

Customer Reviews

Every Node.js team should have Karl’s book under their belt. If you are a seasoned developer entering Node’s ecosystem, this book brings you up to speed with what you can expect from the darker corners of the Internet.

- Lukáš Linhart

CTO, Apiary, Inc.

The Node.js community has been waiting for a book like this. For all of Node.js’s ease, it comes at a cost: security. This book eases that cost and removes the often-overlooked downsides of Node.js development.

- Glen Messenger

Chief Information Officer, Ditno

If you want to learn how to secure your Node.js apps, there’s no way around Karl Düüna’s book. In a clear and concise manner the author shows the ins and outs of making your Node.js app an impenetrable fortress. Not a Node.js user? No problem—much of what’s covered in Karl Düüna’s book can be used in other environments with little change.

- Brian Schau

Developer, Rovsing Applications ApS

A thorough and clear explanation of web app security, from the database to the app server to the client. Highly recommended for developers of node-based apps!

- Loren Sands-Ramshaw

CTO, @parlay



About this Title

Pages: 230
Published: 2016-01-10
Release: P1.0 (2016-01-11)
ISBN: 978-1-68050-085-1

Bake security into your code from the start. See how to protect your Node.js applications at every point in the software development life cycle, from setting up the application environment to configuring the database and adding new functionality. You’ll follow application security best practices and analyze common coding errors in applications as you work through the real-world scenarios in this book.

Protect your database calls from database injection attacks and learn how to securely handle user authentication within your application. Configure your servers securely and build in proper access controls to protect both the web application and all users of the service. Defend your application from denial-of-service attacks. Understand how malicious actors target coding flaws and lapses in programming logic to break into web applications, steal information, and disrupt operations. Work through examples illustrating security methods in Node.js. Learn defenses to protect user data flowing in and out of the application.

By the end of the book, you’ll understand the world of web application security, how to avoid building web applications that attackers consider an easy target, and how to increase your value as a programmer.

Top Five Security Tips

by Karl Düüna

Secure the environment
To build a secure system, you need to start from the ground up and invest time in securing the environment. Otherwise your code might be secure, but attackers can still compromise your application by exploiting weaknesses on your servers instead. Make sure you run up-to-date software, have secure authentication mechanisms, run the application under low privileges, and have decent logging.

Validate all input
Hacking in general means finding an unexpected usage for a system by introducing an unexpected input. The best way to defend yourself is to allow as narrow an input range as possible. It is equally important to always validate that the input actually matches your expectations.

Secure your data
Data and databases are a critical part of most web applications and therefore a prime target for attackers. While Node.js applications might be more inclined towards NoSQL, the principles of data protection are the same: always use authentication mechanisms, use varying levels of access, separate your customers’ data as much as needed or possible, and encrypt the important parts of the database.

Protect your clients
Clients are probably the most valuable asset of your web application—they use the system and bring in the business. So it is natural that you must protect them with the same vigilance. This, alongside other defenses, means you must invest in protecting the client side of your application, including setting up CSRF and XSS defenses and protecting against clickjacking and unvalidated redirects.

Implement “Defense in Depth”
Cyber-defense is an asymmetrical problem: while crackers need only one of their attacks to succeed, you need all of your defenses to hold. Expecting every defense to hold is unrealistic, which is why you should always opt for “Defense in Depth.” Never assume that the outer defenses of your application are impenetrable. Instead, set up layers upon layers of defensive mechanisms, so that even if an attacker gets through one layer, the damage they can do is limited.
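The “validate all input” and “secure your data” tips applied to a Node.js login handler, as an added example that is not from the book: a type check plus an allowlist of fields and formats, which also blocks the query-operator injection that makes NoSQL filters dangerous when request bodies are copied into them unchanged. The field rules and function names are assumptions.

```javascript
// Added example, not from the book: allowlist validation of a login request
// in a Node.js handler. The field rules below are hypothetical; adapt them.
const RULES = {
  username: { pattern: /^[a-z0-9_]{3,32}$/i },
  password: { minLength: 8, maxLength: 128 }, // upper bound keeps hashing cost bounded
};

// Returns { ok: true, value } or { ok: false, errors }. It never throws, so a
// hostile body cannot crash the request handler.
function validateLogin(body) {
  // Only a plain object is acceptable: strings, arrays, null and undefined fail.
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const errors = [];
  const value = {};
  // Unknown fields are rejected rather than ignored: the narrowest input wins.
  for (const key of Object.keys(body)) {
    if (!Object.prototype.hasOwnProperty.call(RULES, key)) {
      errors.push(`unexpected field: ${key}`);
    }
  }
  for (const [field, rule] of Object.entries(RULES)) {
    const v = body[field];
    const before = errors.length;
    // Type check first. A JSON body can carry an object such as {"$gt": ""}
    // where a string was expected; copied into a MongoDB filter unchanged, that
    // object becomes a query operator that matches every user.
    if (typeof v !== 'string') {
      errors.push(`${field} must be a string`);
      continue;
    }
    if (rule.pattern && !rule.pattern.test(v)) errors.push(`${field} has an invalid format`);
    if (rule.minLength !== undefined && v.length < rule.minLength) errors.push(`${field} is too short`);
    if (rule.maxLength !== undefined && v.length > rule.maxLength) errors.push(`${field} is too long`);
    if (errors.length === before) value[field] = v; // keep only fields that passed
  }
  return errors.length === 0 ? { ok: true, value } : { ok: false, errors };
}

// Builds the MongoDB-style user lookup from validated input only. The password is
// deliberately not part of the query: it is compared with the stored hash after
// the user document has been fetched.
function userLookupFilter(body) {
  const result = validateLogin(body);
  if (!result.ok) return null;
  return { username: result.value.username };
}
```

Run the validator before any database call; a `null` filter means the request is answered with a 400 and never reaches the database.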

What You Need

In this book we will be using mainly Node.js. The book covers the basics of JavaScript and Node.js. Since most web applications have some kind of database backend, the examples in this book work with some of the more popular databases, including MySQL, MongoDB, and Redis.

Contents & Extracts

  • Preface
    • Who Should Read This Book?
    • What’s in This Book?
    • Online Resources
  • Meet Your Tools
    • Meet Node.js
    • Meet JavaScript
    • Wrapping Up
  • Set Up the Environment
    • Follow the Principle of Least Privilege
    • Start with the Basics: Secure the Server
    • Avoid Security Configuration Errors
    • Wrapping Up
  • Start Connecting
    • Set Up Secure Networking for Node.js Applications
    • Decide What Gets Logged
    • Don’t Forget About Proper Error Handling
    • Wrapping Up
  • Avoid Code Injections
    • Identify Code Injection Bugs in Your Code
    • Avoid Shell Injection in Your Application
    • Wrapping Up
  • Secure Your Database Interactions
    • Start with the Basics: Set Up the Database
    • Separate Databases for Better Security
    • Identify Database Injection Points in Your Code
    • Avoid SQL Injection Attacks
    • Mitigate Injection Attacks in NoSQL Databases
    • Wrapping Up
  • Learn to Do Things Concurrently
    • A Primer on Concurrency Issues
    • Ways to Mitigate Concurrency
    • Concurrency with MongoDB Explained
    • Concurrency with MySQL Explained
    • Wrapping Up
  • Bring Authentication to Your Application
    • Store the Secret in a Safe Place
    • Enforce Password Strength Rules on Your Users
    • Move the Password Securely to the Server
    • Deal with the Fact That Users Will Forget
    • Add Other Authentication Layers for Better Security
    • Wrapping Up
  • Focus on Session Management
    • Set Up Sessions for Your Application
    • Anonymize the sessionID Used
    • Let the Session Die, aka Set a Time-to-Live
    • Secure the Cookies so No One Can Steal Them
    • Re-create the Session When the User Logs In
    • Bind the Session to Prevent Hijacking
    • Wrapping Up
  • Set Up Access Control
    • Access Control Methods
    • Missing Function-Level Access Controls in Your Code
    • Don’t Use Insecure Direct Object References
    • Wrapping Up
  • Defend Against Denial-of-Service Attacks
    • Recognize Denial-of-Service Attacks
    • Avoid Synchronous Code in Your Application
    • Manage How Your Application Uses Memory
    • Avoid Asymmetry in Your Code
    • Wrapping Up
  • Fight Cross-Site Scripts
    • Recognize Different Types of XSS
    • Prevent XSS Through Configuration
    • Sanitize Input for Reflected/Stored XSS
    • Sanitize Input for DOM XSS
    • Wrapping Up
  • Avoid Request Forgery
    • Follow the Logic to Protect Against CSRF
    • Synchronize Your Tokens as Part of CSRF Protection
    • O Request, Where Art Thou From?
    • Avoid Setting Up Common CSRF Pitfalls in Your Code
    • Wrapping Up
  • Protect Your Data
    • Understand Your Application’s Data Flow
    • Protect the Client Application and Data
    • Securely Transfer Data in Your Application
    • Secure the Data Stored Within Your Application
    • Wrapping Up
  • Secure the Existing Codebase
    • Perform a Risk Assessment First
    • Test Your Application’s Code Quality
    • Analyze Your Application’s Data Flow
    • If Nothing Else, Use a Helmet
    • Clean the Modules You Use in Your Code
    • Test Your Application Security Thoroughly
    • Wrapping Up
    • Where to Go from Here


Karl Düüna is a technology- and security-oriented application developer. He graduated cum laude with a Mechatronics B.A. and Cyber Security M.A. from Tallinn University of Technology. He is co-founder and owner of several technology-oriented companies.