How to Build a Secure Web Application With Node.JS

You need to build a web app, and you’ve decided Node.JS is the right tool to build it. But, you’ve heard the horror stories of applications – or even entire companies – being robbed and humiliated by attackers. What do you do?

I’m going to outline some of the security threats encountered by every developer, technical cofounder, or VP of engineering that wants to develop a node.JS application. We’ll discuss some web security strategies for your business, and even some Node.JS security best practices and code to get you started right away.

Is Node.JS Good for Security?

Node.JS can be a great choice to create a secure web app. Many great companies use node.JS for web development; it has a great community, awesome frameworks, and server-side Javascript that has proven to be great for real-time applications. It is one of the top 4 languages in the cloud, and supported by most of the platform-as-a-service providers – making it a great choice for startups.

But, Node.JS is vulnerable to many of the same threats as every other language used on the web. First, let’s take a look at some facts about web app security breaches.

The Punishing Cost of Security Failures

Software security experts and attackers are in a constant arms race. This means that right now, the state of web security isn’t any better than it seemed 20 years ago.

the_net

As more and more of our lives, connections, information, and money move online, the threat from security breaches escalates. The Ponemon Institute Cost of a Data Breach Study demonstrates how a data breach can cost millions of dollars, with the average cost of each lost or stolen data record to be $158 dollars.

How many data records do you plan to have on your system? And in a worst-case scenario, how much could a data breach cost you? If you do the math, you will probably find the potential damage to be frightening. And things are only going to get worse.

Download Our Project Specification Template

The Verizon Data Breach Investigation Report for 2016 found that attacks on web applications accounted for 40% of all incidents resulting in a data breach, and were the single biggest source of data loss. When you consider that web apps made up only 8% of reported incidents, you quickly realize how vulnerable they can be.

If you are building a custom web application, then world-class security protection is not just important – it is absolutely essential. So in this demanding environment, do you stand a chance of succeeding with your web app?

Yes. But you need to be one of the few companies that truly takes security seriously. This is not a just a problem for your developers or your security team; it’s a problem for all levels of management.

A Secure Web App Requires More Than Just Code

With the security of the app being so important to your bottom line, you need to take it seriously. You’ll need great code of course, but you will also need higher level strategies

  • Ongoing system for detecting vulnerabilities
  • An action plan for when a breach does occur

These will need to be built into your business plan and be understood by everyone, not just the developers. With that in mind, let’s take a look at how you can start protecting your app.

Protecting Against the Most Common Attacks

sparta

In Node.JS application development, you’ll find the most common types of attack are

  • SQL Injection
  • Cross-site scripting (XSS)
  • Brute force

Let’s take a look at some examples and how you can deal with these. The following is not exactly a Node.js security checklist, but it’s a place to start.

SQL Injection Attacks

An SQL injection attack is where an SQL query is ‘injected’ into your web apps database. Once inside, the malicious code can read information and do damage.

Essentially, attackers are trying to disguise malicious code as input data. A great way to prevent this is with prepared statements. Rather than building a statement with user input variables, you’ll write out the SQL statement first, then add the user input. Using node-postgres it might look something like this:

var q = ‘SELECT name FROM books WHERE id = $1’;
client.query(q, [‘3’], function(err, result) {});

A great tool for checking SQL injection vulnerabilities is sqlmap. They describe it as “an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws”. Use it on your application to check for any mistakes!

Cross-Site Scripting Attacks (XSS)

This type of attack has been around since the 90s, and is now becoming a huge problem for developers. Cross-site scripting is another type of injection attack, which occurs when an attacker inputs malicious code into a legitimate website by exploiting user inputs.

Think of a website where you can view other users profiles. Now, imagine one of the users has some malicious code in his username. If the site is poorly coded, when you view the profile it will read the username and actually run the malicious code!

This type of attack is much more common that most web developers like to admit. Luckily, you can make it much more difficult for attackers with a few simple steps.

Setting the correct HTTP headers is a good place to start. The headers you will need are

Read How We Helped a Marketing Company to Build a Back-Office Custom Ads Dashboard

  • Strict-Transport-Security
  • X-Frame-Options
  • X-XSS-Protection
  • X-Content-Type-Options
  • Content-Security-Policy

In Node.JS, you can use the helmet module to set these. It’s a collection of 11 modules that you can just drop into your app to boost security against this type of attack.

Here’s a basic set it up:

var express = require(‘express’)

var helmet = require(‘helmet’)

var app = express()

app.use(helmet())

Brute Force Attacks

helms_deep_orcs-on-wall

Probably the simplest form of attack, this one involves trying every possibility to find a solution. In your web app, this could mean finding a password by checking millions of likely passwords. To protect against this you need to slow down the rate an attacker can make guesses.

Node.JS you can use the express-limiter package designed just for this. There are a few too many details to describe here, but check out the package to get an idea of how it might fit into your application.

In addition to this, protecting against brute force requires a good password policy, such as

  • Forcing users to have strong passwords
  • Using multi-factor authentication
  • Having a secure password recovery process

A strong password is difficult to crack, but multi-factor authentication is becoming more and more essential.

Password recovery processes are often overlooked. Many apps allow you retrieve or reset a password via email with no extra security checks. This means someone with access your email has access to any account with email recovery. Obviously, this is a bad thing, and you don’t want your app to be in this group. There are a few solutions. One way to avoid this could be a secret question and answer sequence.

Keeping Your App Secure – Long Term

Of course, there are many more types of attack, and we’ve just scratched the surface of how to make a secure Node.JS web application – there are entire books written on the subject. If you want to create an app on a larger scale, you will need either a lot of time or a team of skilled developers. Some of your options include

  • Spend a LOT of time learning web app security yourself
  • Hire a Freelance Developer
  • Hiring a team of In-house developers
  • Use a Development team

If your app is fairly complex, you can forget about doing it yourself or even hiring a freelancer. Developing and maintaining a secure web app involves too much work for any individual. This means your next step will probably be to find the right team.

Jesse Eisenberg, left, and Joseph Mazzello in Columbia Pictures' "The Social Network."

If you don’t have an in-house team and you aren’t keen on building one, check out our post on mobile development outsourcing (most of it applies to web apps too). This will give you an insight into some of the considerations, and the associated costs.

Conclusion

Security should be built into the core of every web app. The risks are becoming too great and the consequences are too severe. Node.JS can be great for developing a secure web application, and it has some great tools for you to get started right away.

But, keeping your Node.JS web application secure long term will require consistent effort and dedicated resources. If you fail to make this commitment, your web app – and possibly your business – may well become another security breach statistic.

Sam Palmer

Sam Palmer

Web Developer and Tech Writer
Sam Palmer

Latest posts by Sam Palmer (see all)