Introduction
Many backend endpoints are written in NodeJS, and protecting them is crucial. A quick and simple way to give an Express application a baseline of protection is to use middleware.
Middleware
Middleware lets us intercept and inspect every request before it reaches a route handler, which makes it ideal for logging, authentication and input validation. Here are 6 security middlewares which you can embed into your NodeJS (Express) project to secure it. Middleware runs in the order it is registered, so register these before your routes, and register body parsing before any middleware that needs to inspect the request body.
Helmet
The Helmet package sets security-related HTTP response headers with sensible defaults, among them Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options: nosniff and X-Frame-Options. These headers instruct the browser how to handle the content and the connection, which helps mitigate clickjacking, MIME sniffing, protocol downgrade and some cross-site scripting attacks. Review the default Content-Security-Policy before shipping: it restricts scripts and other resources to the application's own origin, so a front end served by the same app may need it tuned rather than switched off.
CORS
The CORS package lets us whitelist the origins from which browsers may make cross-origin requests to our API, by setting the Access-Control-Allow-Origin and related headers. Keep in mind that CORS is enforced by browsers only: it does not stop curl, scripts or other servers from calling the endpoint, so it is not an access control on its own. Match origins exactly (scheme, host and port) rather than by substring, and never reflect arbitrary origins while also allowing credentials.
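As an added example (not code from the original post or from the cors package), the exact-match origin check that belongs inside the package's origin callback, shown beside the substring check that is commonly written by mistake. The allowed origins are made up; the callback signature is the one the cors package passes to the `origin` option.

```javascript
// Added example: exact-match origin allow-listing versus a substring check.
// Origins below are constructed for the demo.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "http://localhost:4000",
]);

// Naive check: accepts any origin that merely *contains* an allowed hostname,
// so https://app.example.com.evil.net slips through.
function naiveOriginCheck(origin) {
  if (typeof origin !== "string") return false;
  return [...ALLOWED_ORIGINS].some((allowed) =>
    origin.includes(new URL(allowed).hostname)
  );
}

// Hardened check: the Origin header must equal an allowed origin exactly
// (scheme, host and port). URL.origin normalises default ports away.
// Requests with no Origin header are not cross-origin browser requests;
// returning false makes cors send no Access-Control-Allow-Origin for them.
// The literal string "null" (sandboxed iframes, file://) fails URL parsing
// and is rejected as well.
function isAllowedOrigin(origin) {
  if (typeof origin !== "string") return false;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false;
  }
  return ALLOWED_ORIGINS.has(parsed.origin);
}

// Wiring into the cors package's `origin` option (callback signature is the
// package's; the check is this example's).
function corsOriginCallback(origin, callback) {
  if (isAllowedOrigin(origin)) {
    callback(null, true);
  } else {
    callback(new Error("Not allowed by CORS"));
  }
}
```

Pass `corsOriginCallback` as `origin` in the cors options object. Keep the allow-list in normalised form (what `new URL(x).origin` returns) or the exact comparison will reject legitimate origins that differ only in a default port.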
Express XSS Sanitizer
This package sanitizes user input (body, query and params) by stripping HTML and script content that could be used in Cross Site Scripting (XSS) attacks. Treat it as defence in depth: the primary XSS defence is encoding data for the context it is rendered in (HTML text, attribute, JavaScript, URL) at output time, and a sanitizer can also mangle legitimate input such as Markdown or code snippets.
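As an added example (not code from the original post or from express-xss-sanitizer), output encoding at the point where user data is rendered, beside the raw interpolation it replaces. The payloads are constructed; the second one contains no tags at all, so a tag-stripping input sanitizer would pass it, yet it breaks out of an unquoted attribute.

```javascript
// Added example: encode at the sink, for the context the data lands in.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encoding for HTML text and for double-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable: raw interpolation into the page.
function renderUnsafe(name) {
  return `<p>Hello, ${name}</p>`;
}

// Hardened: the same template with encoding applied.
function renderSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}</p>`;
}

// Vulnerable attribute context: unquoted, so a space ends the attribute and
// "x onmouseover=alert(1)" becomes a second attribute. No angle brackets are
// needed, which is why a tag-stripping sanitizer does not catch it.
function renderAttrUnsafe(name) {
  return `<div title=${name}>...</div>`;
}

// Hardened: quote the attribute and encode the value.
function renderAttrSafe(name) {
  return `<div title="${escapeHtml(name)}">...</div>`;
}
```

A templating engine that auto-escapes (EJS `<%= %>`, Pug, Handlebars `{{ }}`) does the `escapeHtml` step for you in the HTML context; JavaScript and URL contexts still need their own encoders.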
Express Rate Limit
If your backend servers are not fronted by a Web Application Firewall (WAF) or protected by DDoS mitigation services, you should definitely install this package to stop your endpoints from being spammed or brute-forced by setting per-client rate limits. Two caveats: the default store is in memory and per process, so with several instances or a cluster use a shared store (Redis, for example) or every instance enforces its own separate limit; and limiting by IP only works when request.ip is the real client address, which behind a reverse proxy requires the trust proxy setting to match the actual number of proxy hops.
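As an added example (not code from the original post or from express-rate-limit), a fixed-window per-IP limiter in plain JavaScript that shows the two things the package's setup depends on: deriving the client IP correctly behind proxies, and a skip list. The IP derivation mirrors how Express resolves request.ip when trust proxy is set to a number (socket address first, then X-Forwarded-For entries right to left, with that many hops trusted). The addresses, hop count and limits are constructed for the demo; the limiter is for illustration and is not a replacement for the package.

```javascript
// Added example: client IP derivation behind proxies plus a per-IP limiter.

// Mirror Express's `trust proxy` = <number> resolution: the chain is the
// socket address followed by X-Forwarded-For entries, rightmost first. The
// first `trustedHops` entries are proxies we trust; the next one is the client.
function clientIp(remoteAddr, xForwardedFor, trustedHops) {
  const forwarded = (xForwardedFor || "")
    .split(",")
    .map((s) => s.trim())
    .filter(Boolean)
    .reverse();
  const chain = [remoteAddr, ...forwarded];
  return chain[Math.min(trustedHops, chain.length - 1)];
}

// Fixed-window counter keyed by IP. `now` is injectable so the window can be
// advanced deterministically in tests.
class FixedWindowLimiter {
  constructor({ windowMs, max, skip = () => false, now = Date.now }) {
    this.windowMs = windowMs;
    this.max = max;
    this.skip = skip;
    this.now = now;
    this.buckets = new Map(); // ip -> { windowStart, count }; unbounded here, a real store evicts
  }

  // Record one request from `ip`; returns whether it is allowed and how many
  // requests remain in the current window.
  hit(ip) {
    if (this.skip(ip)) return { allowed: true, remaining: Infinity };
    const t = this.now();
    let bucket = this.buckets.get(ip);
    if (!bucket || t - bucket.windowStart >= this.windowMs) {
      bucket = { windowStart: t, count: 0 };
      this.buckets.set(ip, bucket);
    }
    bucket.count += 1;
    return {
      allowed: bucket.count <= this.max,
      remaining: Math.max(0, this.max - bucket.count),
    };
  }
}

// Constructed scenario: the app sits behind two proxies (CDN, then load
// balancer), and an internal health checker is exempt from limiting.
const TRUSTED_HOPS = 2;
const IP_ALLOWLIST = new Set(["10.0.0.5"]);

function makeLimiter(now) {
  return new FixedWindowLimiter({
    windowMs: 10 * 60 * 1000, // 10 minutes
    max: 3, // small so the window fills quickly in the demo
    skip: (ip) => IP_ALLOWLIST.has(ip),
    now,
  });
}

// Glue a raw request's addressing info to the limiter the way the package does
// with request.ip.
function checkRequest(limiter, remoteAddr, xForwardedFor) {
  return limiter.hit(clientIp(remoteAddr, xForwardedFor, TRUSTED_HOPS));
}
```

The interesting case is a client that prepends a fake address to X-Forwarded-For: with trusted hops equal to the real proxy count the forgery is ignored, but setting the count one too high makes the limiter key on the forged address, and the client gets a fresh quota per forged value.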
Express Mongo Sanitizer
This package sanitizes user-supplied data (req.body, req.query and req.params) to prevent MongoDB operator injection. By default it removes keys that begin with $ or contain a dot, so a payload such as {"username": "admin", "password": {"$gt": ""}} cannot be passed straight into a query and match every user. Validating the type of each field before it reaches the database (a password must be a string) closes the same hole more robustly and should be done as well.
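As an added example (not code from the original post or from express-mongo-sanitize), what operator injection looks like against a login query, and the key-stripping the package applies by default. The user list and the tiny query evaluator are constructed stand-ins for a collection and for the two operators the demo needs; the sanitize function reimplements the default behaviour (drop keys starting with $ or containing a dot) and is this example's, not the package's.

```javascript
// Added example: MongoDB operator injection and key-stripping sanitization.

// Constructed stand-in for a users collection.
const USERS = [
  { username: "admin", password: "s3cr3t-hash" },
  { username: "bob", password: "hunter2-hash" },
];

// Minimal evaluator: a sub-document whose keys all start with "$" is an
// operator expression ($gt and $ne supported here); anything else must be
// equal to the stored value.
function fieldMatches(value, cond) {
  const isObj = cond !== null && typeof cond === "object" && !Array.isArray(cond);
  const keys = isObj ? Object.keys(cond) : [];
  if (keys.length > 0 && keys.every((k) => k.startsWith("$"))) {
    return keys.every((op) => {
      switch (op) {
        case "$gt": return value > cond[op];
        case "$ne": return value !== cond[op];
        default: return false; // unsupported operator in this demo
      }
    });
  }
  return JSON.stringify(value) === JSON.stringify(cond);
}

function findOne(query) {
  return (
    USERS.find((doc) =>
      Object.entries(query).every(([k, v]) => fieldMatches(doc[k], v))
    ) || null
  );
}

// Default express-mongo-sanitize behaviour, reimplemented: recursively drop
// keys that begin with "$" or contain ".".
function sanitize(input) {
  if (Array.isArray(input)) return input.map(sanitize);
  if (input !== null && typeof input === "object") {
    const out = {};
    for (const [k, v] of Object.entries(input)) {
      if (k.startsWith("$") || k.includes(".")) continue;
      out[k] = sanitize(v);
    }
    return out;
  }
  return input;
}

// Vulnerable pattern: request body fields go straight into the query, so a
// JSON body {"username":"admin","password":{"$gt":""}} matches any password.
function login(body) {
  return findOne({ username: body.username, password: body.password });
}

// Same handler behind the sanitizer: the "$gt" key is stripped, password
// becomes {} and no document matches.
function loginSanitized(body) {
  return login(sanitize(body));
}

// Stronger: reject anything that is not a string before it reaches the query.
function loginTyped(body) {
  if (typeof body.username !== "string" || typeof body.password !== "string") return null;
  return login(body);
}
```

With the extended query parser, ?username=admin&password[$gt]= produces the same object from a query string, which is why the package covers req.query and req.params as well as req.body.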
HPP
Express populates HTTP request parameters that share a name (for example ?id=1&id=2) into an array. Code that expects a string then receives an array, which can bypass a validation check, crash a handler or change what a database query does, so attackers deliberately pollute parameters to exploit this. HPP removes the duplicates, by default keeping only the last value, and moves the original arrays aside into req.queryPolluted and req.bodyPolluted so they can still be inspected.
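As an added example (not code from the original post or from hpp), how repeated parameters become arrays, a handler whose string check is bypassed by the array, and the dedupe step hpp applies by default. The query parsing uses the built-in URLSearchParams to reproduce the array shape Express's query parser produces; the query strings and handler are constructed for the demo and the dedupe function is this example's reimplementation, not the package's.

```javascript
// Added example: HTTP parameter pollution and hpp-style dedupe.

// Reproduce the shape Express gives req.query: a single value stays a string,
// a repeated key becomes an array of strings.
function parseQuery(qs) {
  const params = new URLSearchParams(qs);
  const out = {};
  for (const key of new Set(params.keys())) {
    const all = params.getAll(key);
    out[key] = all.length === 1 ? all[0] : all;
  }
  return out;
}

// hpp default behaviour, reimplemented: arrays are replaced by their last
// element and preserved under queryPolluted for handlers that want to look.
function hppDedupe(query) {
  const clean = {};
  const polluted = {};
  for (const [k, v] of Object.entries(query)) {
    if (Array.isArray(v)) {
      polluted[k] = v;
      clean[k] = v[v.length - 1];
    } else {
      clean[k] = v;
    }
  }
  return { query: clean, queryPolluted: polluted };
}

// Vulnerable handler: written for a string. An array is never === "admin", so
// the check passes, yet the value later stringifies to "user,admin" and ends
// up in whatever query or log consumes it.
function handleUnsafe(query) {
  if (query.role === "admin") return { status: 403 };
  return { status: 200, role: String(query.role) };
}

// Hardened: dedupe first, then insist on the type the handler was written for.
function handleSafe(rawQuery) {
  const { query } = hppDedupe(rawQuery);
  if (typeof query.role !== "string") return { status: 400 };
  if (query.role === "admin") return { status: 403 };
  return { status: 200, role: query.role };
}
```

Whether "first wins" or "last wins" is the right choice depends on what sits behind the app (hpp is configurable); the point is that every layer must agree on one value, and that the handler should check the type it received.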
Sample Code on Usage
```javascript
const express = require('express');
const cors = require("cors");
const helmet = require("helmet");
const { xss } = require("express-xss-sanitizer");
const rateLimit = require("express-rate-limit");
const hpp = require("hpp");
const mongoSanitize = require("express-mongo-sanitize");

const app = express();

// Set security headers first so that even early responses (such as 429s from
// the rate limiter) carry them
app.use(helmet());

// Rate limit
// Trust the X-Forwarded-* headers set by the 2 proxies in front of this app.
// Set this to the real number of hops: too high lets a client spoof its IP and
// dodge the per-IP limit
app.set("trust proxy", 2);
const IP_WHITELIST = (process.env.IP_WHITELIST || "").split(",").filter(Boolean);
const limiter = rateLimit({
  windowMs: 10 * 60 * 1000, // 10 mins
  max: 500, // Limit each IP to 500 requests per 10 mins
  standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
  legacyHeaders: false, // Disable the 'X-RateLimit-*' headers
  skip: (request, response) => IP_WHITELIST.includes(request.ip),
});
app.use(limiter);

// Parse JSON bodies before the sanitizers: they can only clean req.body once
// it exists. The size limit keeps oversized payloads out
app.use(express.json({ limit: "10kb" }));

// Sanitize data against MongoDB operator injection
app.use(mongoSanitize());
// Prevent XSS attacks
app.use(xss());
// Prevent http param pollution
app.use(hpp());

// CORS
const whitelist = ['http://localhost:4000'];
const corsOptions = {
  origin: function (origin, callback) {
    // `origin` is undefined for same-origin and non-browser requests (curl,
    // server-to-server); those are rejected here too. Add `!origin ||` to the
    // condition if they should be allowed through
    if (whitelist.indexOf(origin) !== -1) {
      callback(null, true)
    } else {
      callback(new Error('Not allowed by CORS'))
    }
  }
}
app.use(cors(corsOptions));

// Routes go after the middleware above
app.get('/health', (request, response) => response.json({ ok: true }));

app.listen(process.env.PORT || 3000);
```