Saturday, May 23 2020
This article explains how to make your app safe and secure from security issues such as DoS attacks, XSS, SQL/NoSQL injection attacks and similar. These attacks are very harmful, and we need to make the application as secure as possible. The attacks covered are listed below.
A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet.
First, you can limit the size of the request body using the body-parser package. If you are using Express.js, you can add the following:
const express = require('express');
const app = express();
app.use(express.json({ limit: '10kb' })); // Body limit is 10kb
Another useful feature is the express-rate-limit dependency. It lets you set a rate limit for users: you set a maximum number of requests for each user, and once a user has used up all of their requests, you can lock them out for a certain amount of time.
npm install express-rate-limit

const rateLimit = require('express-rate-limit');
const limit = rateLimit({
  max: 100, // max requests per window
  windowMs: 60 * 60 * 1000, // 1 hour
  message: 'Too many requests' // message to send once the limit is hit
});
app.use('/{routeName}', limit); // Setting limiter on a specific route
XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. An attacker can gain access to cookies, session tokens and other sensitive data.
The xss-clean dependency will prevent users from inserting HTML and scripts through request input.
npm install xss-clean

const xss = require('xss-clean');
// Data sanitization against XSS
app.use(xss());
Helmet is a collection of 12 smaller middleware functions that set HTTP response headers. You can check this link to see the other middleware functions.
npm install helmet

const helmet = require('helmet');
app.use(helmet());
In cryptography, a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.
These attacks take advantage of poor sanitization of user input when building database queries. With SQL/NoSQL injection attacks, attackers can bypass authentication and authorization, retrieve the content of the entire SQL/NoSQL database, and add, modify or delete data in the database.
Whether you use a SQL or NoSQL database, you should sanitize your data.
npm install express-mongo-sanitize

const mongoSanitize = require('express-mongo-sanitize');
app.use(mongoSanitize());
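To see what the sanitizing middleware actually does to a request, here is a small re-implementation of its core rule as an added example (not code from the article or from express-mongo-sanitize itself): keys that start with `$` or contain `.` are dropped, or rewritten when a replacement character is given. The `sanitizeBody` middleware name and the sample login body are constructed for the demonstration.

```javascript
// MongoDB treats object keys starting with '$' as query operators, so a JSON
// body such as { "password": { "$gt": "" } } turns an equality check into a
// comparison that matches every document. The sanitizer walks the parsed body
// recursively and removes (or rewrites) keys starting with '$' or containing
// '.', the same rule express-mongo-sanitize documents for req.body.

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Returns a sanitized deep copy. `replaceWith` mirrors the option of the same
// name in express-mongo-sanitize: undefined means offending keys are dropped.
function sanitize(value, replaceWith) {
  if (Array.isArray(value)) {
    return value.map((item) => sanitize(item, replaceWith));
  }
  if (!isPlainObject(value)) {
    return value; // strings, numbers, booleans and null pass through unchanged
  }
  const clean = {};
  for (const [key, inner] of Object.entries(value)) {
    const offending = key.startsWith('$') || key.includes('.');
    if (offending && replaceWith === undefined) {
      continue; // drop the key entirely
    }
    const safeKey = offending ? key.replace(/^\$|\./g, replaceWith) : key;
    clean[safeKey] = sanitize(inner, replaceWith);
  }
  return clean;
}

// Express-style middleware (hypothetical name) built on the sanitizer.
function sanitizeBody(options = {}) {
  return function (req, res, next) {
    if (req.body !== undefined) req.body = sanitize(req.body, options.replaceWith);
    next();
  };
}

// Constructed sample: the parsed body of a login request that smuggles a
// query operator into the password field and a dotted key into another field.
const constructedReq = {
  body: { username: 'admin', password: { $gt: '' }, 'profile.role': 'owner' },
};
sanitizeBody()(constructedReq, {}, () => {});
console.log(JSON.stringify(constructedReq.body));
// => {"username":"admin","password":{}}
```

After sanitization the password field is an empty object, so a query built from it can no longer match arbitrary documents; with `sanitizeBody({ replaceWith: '_' })` the keys would instead become `_gt` and `profile_role`.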
Finally, your app.js file should look like this:
// Importing Dependencies
const express = require('express');
const rateLimit = require('express-rate-limit');
const helmet = require('helmet');
const mongoSanitize = require('express-mongo-sanitize');
const xss = require('xss-clean');

const app = express();

// Helmet: set security-related HTTP response headers
app.use(helmet());

// Rate Limiting
const limit = rateLimit({
  max: 100, // max requests per window
  windowMs: 60 * 60 * 1000, // 1 hour of 'ban' / lockout
  message: 'Too many requests' // message to send once the limit is hit
});
app.use('/routeName', limit); // Setting limiter on a specific route

// Body Parser
app.use(express.json({ limit: '10kb' })); // Body limit is 10kb

// Data Sanitization against NoSQL Injection Attacks
app.use(mongoSanitize());

// Data Sanitization against XSS attacks
app.use(xss());