Let’s talk SecuritySecuring Your Node.js App

Dheeraj Joshi@dheerajhere

● Front-End @

● Open Source (medium-cli)

● Ambidextrous TT Player

About Me

More...

I wear White Hat.

Uber, CKEditor, Dropbox, MailChimp, Recruiterbox, InVision, DigitalOcean, Intuit, Groupon, etc.

What makes me happy?

Agenda

● Why ?

● Cross-site Scripting (XSS)

● Cross-site Request Forgery (CSRF)

● Content Security Policy (CSP)

● Useful Headers

● Other Best Practices

● Demo

Why should Startups Care about Security?

Startups & SMEs are known to cut corners. One of the first things they cut is ‘Security'.

Github Reused password attack

HACKER PUTS HOSTING SERVICE “CODE SPACES” OUT OF BUSINESS

The Shutdown

CROSS SITE SCRIPTING - XSS

● XSS attack users

● “Javascript Injection”

● Exploits can be bad,

really bad..

What is XSS?

Typical Reflected XSS

Stored XSS

Protect Yourself

● Input Validation

● Ensure that outputs are

HTML encoded

● Don’t reinvent the wheel

(Use proven sanitizers)

Content Security Policy (CSP)

Add Content Security Policy header

● Add HTTPOnly, Secure attributes on Session Cookie

CROSS-SITE REQUESTFORGERY (CSRF)

Because the attack is carried out

by the victim, CSRF can bypass:

● HTTP Auth

● Session-based auth

● Firewalls

CSRF Attacks

Prevention

● Only accepting POST requests

● Referer Protection

● Multi-Step Transactions

● URL Rewriting

● application/json

“CSRF Myths”Preventions that Won’t work

XSS + CSRF = ? (Demo)

List of useful HTTP headers

● Strict-Transport-Security:

max-age=16070400; includeSubDomains

● X-Frame-Options: deny

● X-XSS-Protection: 1; mode=block

Prevent Information Disclosure

Hide X-Powered-By

Or try this ;)

How to improve ?

● SECURITY.md

● Security Middleware

(helmet.js, kraken.js )

● OWASP Node Goat

Project

● NSP, Snyk

Questions ?

Thank you

@dheerajhere

@djadmin