Saturday, May 23 2020

How to Make Your App Safe and Secure from Security Issues

In this article I explain how to make your app safe and secure from security issues like DoS attacks, XSS, SQL/NoSQL injection attacks and similar. These attacks are very harmful, and we need to make the application as secure as possible. The attacks covered are listed below.

List of Attacks:

  1. Denial of service (DoS) Attacks
  2. Cross-site scripting(XSS) Attacks
  3. Brute force Attacks
  4. SQL/NoSQL Injection Attacks

Denial of service (DoS) Attacks:

A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet.

Preventing DOS Attacks:

First, you can limit the size of the request body. The body-parser package does this, and current versions of Express ship the same parser as express.json(). If you are using Express, add the following:

const express = require('express');
const app = express();

app.use(express.json({ limit: '10kb' })); // Reject request bodies larger than 10kb

Another useful package is express-rate-limit. It lets you set a rate limit per user: you define the maximum number of requests each user may make in a time window, and once a user has used them all, you lock them out for a certain amount of time.

npm install express-rate-limit

const rateLimit = require('express-rate-limit');

const limit = rateLimit({
    max: 100, // max requests per window
    windowMs: 60 * 60 * 1000, // 1 hour
    message: 'Too many requests' // message to send when the limit is hit
});

app.use('/{routeName}', limit); // Setting limiter on specific route
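To show what the limiter above actually does, here is an added example that is not the article's code and not the express-rate-limit package itself: a dependency-free fixed-window limiter that uses the same option names (max, windowMs, message), keys clients by req.ip and answers 429 once the budget for the window is spent. The Express-style (req, res, next) signature, the injectable clock `now`, and the fake req/res helpers are assumptions made so the limiter can be exercised without a running server. The same mechanism is what the brute-force section relies on when it points at express-rate-limit.

```javascript
// Fixed-window rate limiter in plain Node.js (added example; not express-rate-limit).
// Option names mirror the article's configuration. `now` is an injectable clock
// (assumption) so the window rollover can be tested deterministically.
function createRateLimiter({ max = 100, windowMs = 60 * 60 * 1000,
                             message = 'Too many requests', now = Date.now } = {}) {
  const hits = new Map(); // client key (IP) -> { count, windowStart }

  // Count one hit for `key` and report whether it is still within budget.
  function check(key) {
    const t = now();
    let entry = hits.get(key);
    // Start a fresh window if none exists yet or the previous one has expired.
    if (!entry || t - entry.windowStart >= windowMs) {
      entry = { count: 0, windowStart: t };
      hits.set(key, entry);
    }
    entry.count += 1;
    return {
      allowed: entry.count <= max,
      remaining: Math.max(0, max - entry.count),
      retryAfterMs: entry.windowStart + windowMs - t,
    };
  }

  // Express-style middleware: identify the client by req.ip, reply 429 when the
  // budget is spent, otherwise hand control to the next handler.
  function middleware(req, res, next) {
    const result = check(req.ip);
    res.setHeader('X-RateLimit-Limit', String(max));
    res.setHeader('X-RateLimit-Remaining', String(result.remaining));
    if (!result.allowed) {
      res.setHeader('Retry-After', String(Math.ceil(result.retryAfterMs / 1000)));
      res.status(429).send(message);
      return;
    }
    next();
  }
  middleware.check = check;
  return middleware;
}

// Minimal stand-in for an Express response (assumption) so no server is needed.
function fakeRes() {
  const res = { statusCode: 200, headers: {}, body: undefined };
  res.setHeader = (k, v) => { res.headers[k] = v; };
  res.status = (code) => { res.statusCode = code; return res; };
  res.send = (body) => { res.body = body; return res; };
  return res;
}

// Send `n` requests from one IP through the limiter and report how many got through.
function simulate(limiter, ip, n) {
  let passed = 0, blocked = 0, last;
  for (let i = 0; i < n; i++) {
    last = fakeRes();
    limiter({ ip }, last, () => { passed += 1; });
    if (last.statusCode === 429) blocked += 1;
  }
  return {
    passed,
    blocked,
    lastStatus: last ? last.statusCode : undefined,
    lastBody: last ? last.body : undefined,
  };
}

// Demo with the article's numbers: 100 requests per hour per IP (constructed IP).
const demoLimiter = createRateLimiter({ max: 100, windowMs: 60 * 60 * 1000 });
console.log(simulate(demoLimiter, '203.0.113.5', 101));
```

Because the window is fixed rather than sliding, a client can burst up to 2 × max requests across a window boundary; express-rate-limit has the same property with its default memory store, which is worth knowing when you pick `max`.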

Cross-site scripting(XSS) Attacks:

XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. An attacker can then gain access to cookies, session tokens and other sensitive data.

Preventing XSS Attacks:

The xss-clean package will prevent users from inserting HTML and scripts through request input.

npm install xss-clean

const xss = require('xss-clean');

// Data Sanitization against XSS
app.use(xss());

Helmet is a collection of 12 smaller middleware functions that set security-related HTTP response headers. You can check this link to see the other middleware functions it includes.

npm install helmet

const helmet = require('helmet');

app.use(helmet()); // Sets the default set of security headers

Brute force Attacks:

In cryptography, a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.

Preventing Brute force Attacks:

  1. If you are using ExpressJS, you could implement the express-rate-limit dependency.
  2. You could implement the bcrypt dependency. Bcrypt hashes sensitive data such as passwords, which makes them harder to guess.
  3. Implement a 2-step verification process, or two-factor authentication.

SQL/NoSQL Injection Attacks:

These take advantage of poor sanitization of user input when building database queries. With SQL/NoSQL injection attacks, attackers can bypass authentication and authorization, retrieve the content of the entire SQL/NoSQL database, or add, modify and delete data in the database.

Preventing SQL/NoSQL Injection Attacks:

Whether you use a SQL or a NoSQL database, you should sanitize your data before it reaches a query. For MongoDB, the express-mongo-sanitize package removes request keys that MongoDB would read as query operators:

npm install express-mongo-sanitize

const mongoSanitize = require('express-mongo-sanitize');

// Data Sanitization against NoSQL Injection Attacks
app.use(mongoSanitize());
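The two sanitizing middlewares in this article, xss-clean (XSS section) and express-mongo-sanitize (this section), both walk req.body, req.query and req.params and rewrite what they find. The following added example, which is neither the article's code nor either package, shows the two transformations side by side on one constructed request: escaping HTML metacharacters in every string, and dropping any key that starts with "$" or contains ".", the keys MongoDB would otherwise interpret as query operators or field paths. The Express (req, res, next) signature and the sample request are assumptions.

```javascript
// Added example: dependency-free versions of what xss-clean and
// express-mongo-sanitize do to request data (not the packages' own code).

// Recursively rebuild a value: `onKey` decides which object keys survive,
// `onString` transforms every string leaf. Other primitives pass through.
function deepMap(value, { onKey = () => true, onString = (s) => s } = {}) {
  if (typeof value === 'string') return onString(value);
  if (Array.isArray(value)) return value.map((v) => deepMap(v, { onKey, onString }));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      if (onKey(k)) out[k] = deepMap(v, { onKey, onString });
    }
    return out;
  }
  return value;
}

// HTML entity escaping of input, as xss-clean does. Note that escaping at output
// time (in your templates) remains the primary XSS defence; this is a second layer.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
function escapeHtml(s) {
  return s.replace(/[&<>"'/]/g, (c) => HTML_ESCAPES[c]);
}

// Keys beginning with "$" ($gt, $where, ...) or containing "." are the ones
// MongoDB treats as operators or field paths; only plain data keys are kept.
function isSafeMongoKey(k) {
  return !k.startsWith('$') && !k.includes('.');
}

function sanitizeXss(data) { return deepMap(data, { onString: escapeHtml }); }
function sanitizeMongo(data) { return deepMap(data, { onKey: isSafeMongoKey }); }

// Express-style middleware factory (assumed signature): apply `sanitize` to each
// request container that user input can arrive in.
function sanitizerMiddleware(sanitize) {
  return function (req, res, next) {
    for (const prop of ['body', 'query', 'params']) {
      if (req[prop]) req[prop] = sanitize(req[prop]);
    }
    next();
  };
}
const xssClean = sanitizerMiddleware(sanitizeXss);
const mongoSanitize = sanitizerMiddleware(sanitizeMongo);

// Constructed sample request (not real traffic) pushed through both middlewares.
function demo() {
  const req = {
    body: {
      email: { $gt: '' },                      // operator object instead of a string
      comment: '<script>alert(1)</script>',    // markup in a text field
      'a.b': 1,                                // dotted key
      tags: ['<b>x</b>'],                      // strings nested in arrays
    },
    query: { q: "it's" },
  };
  mongoSanitize(req, {}, () => {});
  xssClean(req, {}, () => {});
  return req;
}

console.log(JSON.stringify(demo()));
```

Order matters in app.js: both sanitizers must be registered after express.json(), otherwise req.body is still undefined when they run and nothing is sanitized.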


Finally, your app.js file looks like this:

// Importing Dependencies
const express = require('express');
const rateLimit = require('express-rate-limit');
const helmet = require('helmet');
const mongoSanitize = require('express-mongo-sanitize');
const xss = require('xss-clean');

const app = express();

// Helmet
app.use(helmet());

// Rate Limiting
const limit = rateLimit({
    max: 100, // max requests per window
    windowMs: 60 * 60 * 1000, // 1 hour of 'ban' / lockout
    message: 'Too many requests' // message to send
});

app.use('/routeName', limit); // Setting limiter on specific route

// Body Parser
app.use(express.json({ limit: '10kb' })); // Body limit is 10kb

// Data Sanitization against NoSQL Injection Attacks (must come after the body parser)
app.use(mongoSanitize());

// Data Sanitization against XSS attacks
app.use(xss());
