In this article explain about How to Make Your App Save and Secure from Security Issues like DOS Attacks, XSS, SQL/NoSQL Injection Attacks and similar. These attacks are very harmful and we need to make the application secure as much as possible. Here are the list of attacks mentioned in the below.
List of Attacks:
- Daniel of service(DOS) Attacks
- Cross-site scripting(XSS) Attacks
- Brute force Attacks
- SQL/NoSQL Injection Attacks
Daniel of service(DOS) Attacks:
A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet.
Preventing DOS Attacks:
First, You can limit the body payload using body-parser package. If you’re using express js you can update with the following content:
const express = require('express');
const app = express();
app.use(express.json({ limit: '10kb' })); // Body limit is 10Another useful feature is express-rate-limit dependency. This dependency lets you set rate limit for users. So basically, you can set maximum amount of requests for each user, after user uses all of his requests, you can lock him out for certain amount of time.
npm install express-rate-limit
const limit = rateLimit({
max: 100,// max requests
windowMs: 60 * 60 * 1000, // 1 Hour
message: 'Too many requests' // message to send
});
app.use('/{routeName}', limit); // Setting limiter on specific routeCross-site scripting(XSS) Attacks:
XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. Attacker can gain access to cookies, session tokens or and other sensitive data.
Preventing XSS Attacks:
xss-clean dependency will prevent users from inserting HTML & Scripts on input.
npm install xss-clean // Data Sanitization against XSS app.use(xss());
Helmet is a collection of 12 smaller middleware functions that set HTTP response headers. You can check this link to see other middleware functions.
npm install helmet app.use(helmet());
Brute force Attacks:
In cryptography, a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.
Preventing Brute force Attacks:
- If you are using ExpressJS, you could implement express-rate-limit dependency.
- You could implement bcrypt dependency. Bcrypt will encrypt sensitive data such as passwords and it will make them harder to guess.
- implementing 2-Step verification process, or two-factor authentication.
SQL/NoSQL Injection Attacks:
These take advantage of poor sanitization of user input when building database queries. With SQL/NoSQL Injection Attacks, attackers can bypass authentication, authorization, retrieve the content of the entire SQL/NoSQL database, add, modify, delete data in database.
Preventing SQL/NoSQL Injection Attacks:
SQL or NoSQL database, you should sanitize your data.
npm install express-mongo-sanitize app.use(mongoSanitize());
Final, your app.js file look like this
// Importing Dependencies
const express = require('express');
const rateLimit = require('express-rate-limit');
const helmet = require('helmet');
const mongoSanitize = require('express-mongo-sanitize');
const xss = require('xss-clean');const app = express();
// Helmet
app.use(helmet());// Rate Limiting
const limit = rateLimit({
max: 100,// max requests
windowMs: 60 * 60 * 1000, // 1 Hour of 'ban' / lockout
message: 'Too many requests' // message to send
});
app.use('/routeName', limit); // Setting limiter on specific route
// Body Parser
app.use(express.json({ limit: '10kb' })); // Body limit is 10
// Data Sanitization against NoSQL Injection Attacks
app.use(mongoSanitize());
// Data Sanitization against XSS attacks
app.use(xss()Read article about Building a Restful CRUD API with Node.js Express and MongoDB
