[Node.js] Securing your applications Part 3/3
This is a 3-part blog series on Node.js. This article aims to establish a Node.js security roadmap by addressing security challenges comprehensively and consistently for large infrastructures.
- Part One: About Node.js, What does NodeSource do?, Understanding How Node.js Works, Understanding How N|Solid Works.
- Part Two: Security Principles & N|Solid Security
- Part Three: TIPS AND TRICKS on security in Node.js, Node.js Security in Architecture, Node.js Security in Development, Node.js Security in Deployment.
Let’s begin! 🚀
TIPS AND TRICKS on security in Node.js:
One of the advantages of Node.js is how easily you can install additional modules, but from a security point of view every added module is another potential back door. Additionally, the more popular a framework is, the more likely attackers are to look for vulnerabilities in it. Therefore, you should always take Node.js security seriously.
We have collected some practices from conversations with our engineers, organized by the development stages of a Node.js application. We will start with the architecture stage because, from the conception and shaping of our project onward, we must think holistically about security.
Node.js Security — Architecture
The best way to start designing your application is never to leave the ‘Emerald Rule’ aside. This step may seem obvious, but a good design of your application can make a difference. Always think about security and scalability from the beginning. A modular mindset in software design will help you understand the parts and their relationships, and create the best experience from both the technical and the user point of view.
The main objective of any Node.js project structure is to help you:
- Write clean and readable code
- Write reusable pieces of code across our application
- Avoid repetition
- Create new features without disrupting existing code
The simple rules to follow in architecture will be:
- Create a folder structure for your project 🗂
- Separate business logic and API routes 🧳
- Use a service layer 🧁
- Use a config folder for configuration files ⚙️
- Create a scripts folder especially for long npm scripts 📜
- Use dependency injection 💉
Node.js Security — Development
Once you have dependency injection under your belt, you can also implement unit testing for your project. Testing is a critical stage in developing our applications. The whole flow of the project — not just the final result — depends on it, since buggy code slows down the development process and causes other problems.
Good practices to keep in mind during the development of your application, always thinking about security, are:
- Testing all the time 🧪
- Use another layer for third-party services calls 🎉
- Use the proper tools 🛠️
- Use a style guide 💅
- Test your code 👩💻
- Comment your code 📝
- Keep an eye on your file sizes 👀
- Use gzip compression 🗜️
- Use promises 🤝
- Use promises’ error handling support ⚠️
Node.js Security — Deployment
Deployment is no different: we are getting closer to serving our application to the end user, and we must not lower our guard. It is time to review our application and the best practices we have implemented, and it is the perfect opportunity to use an APM to help us improve the performance and security of our Node.js application. An excellent opportunity to try N|Solid.
At NodeSource, we use the CI/CD method to develop our product; this consists of introducing automation at each stage of code development, from testing and static analysis of the code to delivery and deployment. Therefore, we can divide our tips into continuous integration and continuous delivery/deployment. If you want to know more about these concepts, we recommend reading this documentation.
Continuous Integration:
- Run automatic vulnerability scanning
- Use security linters
- Discover errors early to reduce downtime
- Lock dependencies 🔑
- Examine for vulnerable dependencies
Continuous Delivery / Deployment:
- Avoid secrets in config files
- Don’t run Node.js as root
- Protect and observe your Node.js apps in production
- Ensure error management best practices are met 🚨
- Tick the obvious security boxes ✅
- Create a private network (VPC, VPN) to SSH within your systems
- Avoid SQL injection attacks
- Use stored procedures or parameterized queries
- Set HTTP security headers and use cookies securely
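Three of the deployment tips above (no secrets in config files, no root, tick the obvious boxes) can be enforced automatically before the service starts listening. The following start-up preflight is an added example written for this article, not NodeSource or N|Solid code; the secret-key name list, the `${VAR}` environment-reference convention and the sample config are assumptions made for the demo.

```javascript
'use strict';

// Keys whose values should never be literal in a committed config file.
// The name list is an assumption for this example, not a standard.
const SECRET_KEY_PATTERN = /(password|passwd|secret|token|api[_-]?key|private[_-]?key)/i;
// Convention assumed here: a value like "${DB_PASSWORD}" or "$DB_PASSWORD"
// is a reference to an environment variable, not the secret itself.
const ENV_REF_PATTERN = /^\$\{?[A-Z_][A-Z0-9_]*\}?$/;

// Recursively walk a parsed config object and report every secret-looking
// key that carries a literal string instead of an environment reference.
function findInlineSecrets(config, path = '') {
  const findings = [];
  for (const [key, value] of Object.entries(config)) {
    const fullPath = path ? `${path}.${key}` : key;
    if (value !== null && typeof value === 'object') {
      findings.push(...findInlineSecrets(value, fullPath));
    } else if (SECRET_KEY_PATTERN.test(key) && typeof value === 'string' && !ENV_REF_PATTERN.test(value)) {
      findings.push(`${fullPath}: literal secret in config; load it from the environment or a secrets manager`);
    }
  }
  return findings;
}

// Run the checks a service should pass before it starts listening.
// uid and env are parameters so the checks can be exercised without
// actually running as root; they default to the live process values.
function preflight({ config, uid, env = process.env }) {
  const effectiveUid = uid !== undefined ? uid
    : (typeof process.getuid === 'function' ? process.getuid() : -1);
  const problems = findInlineSecrets(config);
  if (effectiveUid === 0) problems.push('running as root (uid 0); use an unprivileged service account');
  if (env.NODE_ENV !== 'production') problems.push(`NODE_ENV is "${env.NODE_ENV}", expected "production"`);
  return problems;
}

// Constructed sample config: one literal secret, one environment reference.
const sampleConfig = {
  port: 8080,
  db: { host: 'db.internal', user: 'app', password: 'hunter2' },
  cache: { url: 'redis://cache.internal', authToken: '${CACHE_TOKEN}' },
};

// Demo: a bad deployment (root, development mode, secret in the file) yields 3 findings.
const demoProblems = preflight({ config: sampleConfig, uid: 0, env: { NODE_ENV: 'development' } });
for (const p of demoProblems) console.error('preflight:', p);
```

In a real service, call `preflight` with the live values and refuse to start (non-zero exit) when it returns any problem.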
Finally, we wish you luck navigating the world of Node.js. If you have questions, you can contact us at firstname.lastname@example.org or through this form; we will be happy to support your Node.js journey! 💚