Node.js Security Checklist

Abstract: Security is always a problem that cannot be ignored. Many people admit this, but few really take it seriously. So we've put together this checklist for you to do a security check before deploying your app into production for millions of users. Most of the security items listed below are universal and apply to all languages and frameworks, not only Node.js.

Foreword

Security is always an issue that cannot be ignored. Many people admit this, but few really take it seriously. So we've put together this checklist for you to do a security check before deploying your app into production for millions of users.

Most of the security items listed below are universal and apply to all languages and frameworks, not just Node.js. It does, however, also contain some Node.js-specific tips.

Configuration management

Security related HTTP headers

Your site should set several security-related HTTP headers; the nginx example below lists the most common ones.

In Node.js, these can be set easily with the Helmet module:

    var express = require('express');
    var helmet = require('helmet');

    var app = express();

    // Registers Helmet's default set of security headers for every response
    app.use(helmet());

Helmet can also be used with Koa: koa-helmet.

Of course, in many architectures these headers are set in the web server's configuration (Apache, nginx) rather than in application code. With nginx, the configuration looks like the following example:

    # nginx.conf

    # Only allow this site to frame its own pages (clickjacking protection)
    add_header X-Frame-Options SAMEORIGIN;
    # Stop browsers from guessing a different content type than declared
    add_header X-Content-Type-Options nosniff;
    # Enable the browser's built-in XSS filter and block the page on detection
    add_header X-XSS-Protection "1; mode=block";
    # Only load resources from this site's own origin unless a directive says otherwise
    add_header Content-Security-Policy "default-src 'self'";

A complete example can be found in this nginx configuration.

If you want to quickly confirm whether your website is setting these HTTP headers, you can check online through this website: http://cyh.herokuapp.com/cyh.

Sensitive data on the client

When deploying your front-end application, make sure the code does not expose sensitive data such as keys, because everything shipped to the client is visible to everyone.

There is currently no automated way to detect them, but there are still some measures you can take to reduce the chance of accidentally exposing sensitive data on the client:
