ruichen199801
commented
1 year ago Security practices so far:
- Use Helmet to secure HTTP headers :white_check_mark:
-
65
-
- Protect cookies :white_check_mark:
- Use
cookie-session(more lightweight compared toexpress-sessionas we only want to store the user in cookie) - Set cookie keys and expire time (30 days)
- Use
- Secure dependencies :x:
- Use
npm auditto get report. Currently our dependency vulnerabilities are all related to using the older version ofpassport, which is necessary for third party auth to work
- Use
- Validate user inputs :white_check_mark:
- Frontend UI validation (e.g. input cannot be null in login/signup form)
- Backend validation using
joiwithexpress-joi-validation - Input sanitizing is not considered
- Handle errors :white_check_mark:
- Frontend: hooks try-catch, redirect to landing page, 404 page, error messages
- Backend: routes try-catch, http status codes
- Protection against CSRF :x:
- the most popular
csurfis deprecated, and there seems to be no good substitute npm package for now
- the most popular
- Protect against brute force attacks :white_check_mark:
- Use
express-rate-limit: #67
- Use
- Control user access :white_check_mark:
- Login with local strategy and third-party OAuth
- Frontend page: user page and analytics page can only be visited by logged in users
- Backend route protection: only accessible when
req.userexists
- Others :white_check_mark:
- Password hashing
- Use environment variables to secure sensitive data, such as API keys and secrets
- Use placeholders instead of variable interpolation to prevent SQL injection attacks
- Heroku deployment (handles https, SSL certificate, monitoring throughput, memory, response time, etc.)
Take measures to make the express app more secure.
Use this as a checklist: https://www.freecodecamp.org/news/express-js-security-tips/amp/