
5 tips to make your Node.js backend secure

Updated on: Sep 10, 2022 | Read time: 4 min
“Security is not a product, but a process.”
Bruce Schneier, American Cryptographer

MyFitnessPal, a popular diet and fitness app owned by Under Armour, disclosed in March 2018 that it had been breached, affecting about 150 million user accounts. The attackers reached the backend database and retrieved usernames, email addresses and hashed passwords (most hashed with bcrypt, a portion with the far weaker SHA-1). One year after the breach, the data was put up for sale on the dark web.

Incidents like these re-emphasize the need to secure your website's backend database, the component responsible for storing and protecting your data. According to a report by Acunetix, 26% of websites have high-severity vulnerabilities, and a staggering 63% have medium-severity vulnerabilities.

By implementing the five tips we share in this article, you can level up the security of your Node.js backend. Let's get started.

Use TypeORM's parameterized queries to safeguard against SQLi attacks

SQL injection (SQLi) attacks have been around for more than two decades and remain one of the most common ways attackers break into web applications. According to a report by Akamai, SQL injection accounts for nearly two-thirds (65.1%) of all web application attacks.

In an SQL injection attack, the attacker supplies SQL fragments through entry points such as form fields and URL parameters. If the application concatenates that input into a query string, the database executes the attacker's SQL along with the application's, exposing or modifying sensitive data.

For instance, DVWA (Damn Vulnerable Web Application) is a deliberately vulnerable PHP/MySQL application built for practice; its SQL injection exercise lets users extract information from the database exactly this way.

In DVWA, we see a text field asking for a User ID. If we enter the number 1 and click Submit, the query runs and returns the first name and surname of the user with ID 1. Because the application pastes the ID straight into the query, entering 1' OR '1'='1 instead closes the quoted value and adds a condition that is always true, so the database returns every user.

[Figure: DVWA SQL Injection exercise, the User ID form and its result]

To safeguard your backend from SQL injection, never build SQL by concatenating user input. Use parameterized queries, which TypeORM gives you through its QueryBuilder: you write the query with named placeholders, pass the values separately, and the driver sends them to the database as data rather than as SQL text. TypeORM then maps the result rows to typed entities (string, integer, etc.). The protection only holds if you actually use the placeholders: a QueryBuilder call that interpolates a variable into the where string is just as injectable as raw SQL.

However, SQL injection is not the only injection class attackers use; NoSQL, OS command and LDAP injection follow the same pattern of untrusted input reaching an interpreter. The steps below reduce your exposure to all of them and belong alongside parameterization, not instead of it:

  • Validate each field before it reaches the database: This ensures that the data entered is of the expected type and shape. For example, a field might accept letters only; if a user enters anything containing digits or special symbols, the system rejects it.
  • Validate data using the express-validator module in Node.js: It can check password length, required character classes, phone number length, name format, etc. Alternatives such as joi (from the hapi ecosystem) exist, but express-validator is the more common choice in Express apps.
  • Validate data in the front end before sending it to the backend, and validate it again on the server: Client-side checks keep honest users from submitting malformed data. Take an email address for example. You want the address formatted as "address@domain.tld" with a rule set that matches all valid TLDs. This won't stop people from entering fake email addresses, but they will at least be formatted correctly. An attacker can bypass the browser entirely, though, so the server must repeat every check.
    Once the user has typed in a well-formed address, the server validates it and reports back to the client whether it is already taken. Do not rely on scanning input for strings like ' ; DROP TABLE customers; -- to catch injection: such blocklists are easy to evade. With parameterized queries that string is stored as an ordinary (invalid) email value and never executed; without them it can delete your entire customer table.
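The following block is an added example, not code from the original article or from TypeORM. It runs on plain Node.js without a database and demonstrates the two points above: why a bound parameter cannot become SQL, and the kind of type check express-validator would express as .isInt(). The ATTACK payload is constructed for the example, and `db.query(text, values)` is a stand-in for any driver that accepts placeholders.

```javascript
// Added example (not from the original article): why parameter binding stops
// SQLi, plus the input validation the list above describes. No database needed.

// Payload in the style of the DVWA "User ID" field (constructed for this example).
const ATTACK = "1' OR '1'='1";

// VULNERABLE: user input is spliced into the SQL text, so the quote in ATTACK
// closes the literal and the rest is parsed and executed as SQL.
function unsafeQuery(userId) {
  return `SELECT first_name, last_name FROM users WHERE user_id = '${userId}'`;
}

// SAFE: the SQL text is a constant with a placeholder; the input travels
// separately as a bound value and is never parsed as SQL. This is the shape
// TypeORM's QueryBuilder sends when you write
//   repo.createQueryBuilder('user').where('user.id = :id', { id: userId })
// (whereas .where(`user.id = ${userId}`) is the unsafe form again).
function safeQuery(userId) {
  return {
    text: 'SELECT first_name, last_name FROM users WHERE user_id = $1',
    values: [userId],
  };
}

// Validation (what express-validator's .isInt({ min: 1 }) expresses):
// a User ID is a positive integer and nothing else. Returns the number or null.
function validateUserId(raw) {
  if (typeof raw !== 'string' || !/^[1-9][0-9]*$/.test(raw)) return null;
  const n = Number(raw);
  return Number.isSafeInteger(n) ? n : null;
}

// Request handler sketch: validate first, then query with bound parameters.
// `db` is a hypothetical driver object exposing query(text, values).
function handleLookup(rawId, db) {
  const id = validateUserId(rawId);
  if (id === null) return { status: 400, body: 'User ID must be a positive integer' };
  const q = safeQuery(id);
  return { status: 200, body: db.query(q.text, q.values) };
}
```

Note that validation and binding defend against different things: the regex rejects the payload outright, while binding guarantees that even a value which passes validation (a free-text name, say) can never change the query's structure.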

Limit data inflow to the server for protecting against DoS attacks

A denial-of-service (DoS) attack is a malicious attempt to bombard a server with traffic or expensive requests in order to disrupt its normal operation and make the website unavailable.

To safeguard against DoS attacks, it is recommended to limit both the size of each request a client may send and the number of requests it may send within a time window. Fastify, a web framework for Node.js, exposes these as options: bodyLimit caps the request body (1 MiB by default) and maxParamLength caps the length of parameters in parametric routes (100 characters by default), while the @fastify/rate-limit plugin adds per-client request limits.

In Express, data inflow is limited through the built-in body parsers (express.json() and express.urlencoded(), which wrap the body-parser package). They parse the request into a form you can easily read, and their limit option (for example a 16 kB cap) rejects oversized bodies with 413 before your handlers run; the express-rate-limit middleware plays the role of @fastify/rate-limit.

Fastify also handles roughly twice as many requests per second as Express.js in benchmarks, which raises the bar for a volumetric attack. Throughput is not a defense on its own, however: any single server can be saturated, so the limits above, a rate limiter, and upstream protection such as a CDN or load balancer are what actually keep the service up.

[Figure: Fastify vs Express.js requests-per-second benchmark]

Configuring secure headers

JavaScript lets developers build dynamic, interactive websites, but it also opened new classes of vulnerability, with cross-site scripting (XSS) among the most significant.

An XSS attack is an injection attack in which malicious client-side script is injected into web pages viewed by other users. When that script runs in a victim's browser it executes with the victim's session, so the attacker can read what the user sees, perform actions as them, and steal any session token the browser exposes to script.

To safeguard your website from XSS, configuring secure response headers is crucial: they limit what an injected script can do, and complement the output encoding of untrusted data that prevents the injection in the first place. Helmet is a Node.js module that sets these headers on responses from your Express apps, most importantly Content-Security-Policy, which tells the browser which script sources it is allowed to run.

Here is an example of the code used in the backend to configure it:

[Figure: screenshot of the Helmet configuration code]
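The following block is an added example, not code from the original article (whose sample was a screenshot) or from the Helmet project. It sets the main headers Helmet sets, by hand, as a middleware in the (req, res, next) shape Express uses, so the actual header values are visible. The directive list is an assumed starting policy for a site that serves its own scripts; the comments quote the equivalent Helmet call.

```javascript
// Added example (not from the original article): the headers Helmet sets,
// applied by hand. With Express and Helmet the equivalent is
//   const helmet = require('helmet');
//   app.use(helmet({ contentSecurityPolicy: { directives: CSP_DIRECTIVES } }));

// Content-Security-Policy is the header that limits XSS: the browser refuses
// to run script that is not from an allowed source, so an injected <script>
// tag or inline handler is blocked even if it reaches the page.
// Assumed policy for a site that serves its own scripts from its own origin.
const CSP_DIRECTIVES = {
  'default-src': ["'self'"],
  'script-src': ["'self'"],        // no 'unsafe-inline': inline script is what XSS injects
  'object-src': ["'none'"],        // no plugins (Flash, Java) as a script vector
  'base-uri': ["'self'"],          // stop <base> injection from redirecting relative URLs
  'frame-ancestors': ["'none'"],   // clickjacking: nobody may frame us
  'form-action': ["'self'"],       // injected forms cannot post data elsewhere
};

function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, values]) => `${name} ${values.join(' ')}`)
    .join('; ');
}

function secureHeaders(directives = CSP_DIRECTIVES) {
  return {
    'Content-Security-Policy': buildCsp(directives),
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains', // browsers use HTTPS only
    'X-Content-Type-Options': 'nosniff',      // never sniff a response into a script
    'X-Frame-Options': 'DENY',                // clickjacking control for browsers without CSP
    'Referrer-Policy': 'no-referrer',         // do not leak URLs (and tokens in them) to other sites
    'Cross-Origin-Opener-Policy': 'same-origin',
  };
}

// Middleware in the (req, res, next) shape Express and Connect use.
function secureHeadersMiddleware(directives = CSP_DIRECTIVES) {
  const headers = secureHeaders(directives);
  return (req, res, next) => {
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
    // Express advertises itself with X-Powered-By: Express; Helmet removes it too.
    res.removeHeader('X-Powered-By');
    next();
  };
}

// Quick check against any response-like object (e.g. a node:http ServerResponse).
function hasSecureHeaders(res) {
  return ['Content-Security-Policy', 'Strict-Transport-Security', 'X-Content-Type-Options']
    .every((name) => res.getHeader(name) !== undefined);
}
```

Start with the strict policy and loosen only the directive a page genuinely needs (a third-party script host, for instance); adding 'unsafe-inline' to script-src gives back most of what XSS needs, so prefer moving inline code into served files.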

Hashing passwords

Storing user passwords is an integral part of most websites today. You need to ensure that even if your database is compromised, you don't expose the actual passwords to the attackers.

Hashing is a commonly used technique to store passwords securely. Hashing algorithms take data of any length and return an output of fixed length. When a user creates an account and chooses a password, the password is stored as the generated hash rather than the actual characters. When the user tries to log in, the password entered is hashed again and compared to the hash stored in the database. If both the hashes match, the user is logged in successfully.

The interesting property of hashing is that it is one-way: you cannot take a hash and go back to the original data. However, a hash can still be attacked by guessing. Modern GPUs compute billions of MD5 or SHA-1 hashes per second, so an attacker hashes candidate passwords (dictionary words, previously leaked passwords, combinations of letters, numbers and symbols) and compares the results with the stolen hashes until one matches.

This is why we salt passwords: a unique random string is generated for each password and combined with it before hashing. A salt defeats precomputed (rainbow) tables and makes identical passwords hash differently, so every hash has to be attacked separately. Salting alone does not slow down guessing, though, which is why password hashes should also be deliberately slow: bcrypt, scrypt and Argon2 have a tunable work factor that makes each guess cost milliseconds instead of nanoseconds.

[Figure: hashing and salting a password before storage]

You can use the bcrypt npm package in Node.js to salt and hash passwords before storing them in the database. It generates the salt for you and embeds it, together with the cost factor, in the stored string, so registration needs only bcrypt.hash and login only bcrypt.compare.

Securing Rest API

A REST API is an HTTP-based application programming interface through which two systems exchange data over the internet. It gives developers a great deal of flexibility, since a client needs nothing beyond an ordinary HTTP client to use the service, but REST itself provides no security: authentication, authorization and transport protection (TLS) have to be added.

To secure a REST API it is recommended to use tokens that the server issues and signs with a key only the server knows, so they cannot be forged or altered. In Node.js, developers mostly use JSON Web Tokens (JWT): the token carries claims (user id, role, expiry) plus a signature over them, and access to protected routes is granted only to requests that present a valid one.

When a user signs up or logs in, the server issues a JWT, and every route that requires authentication verifies the token's signature and expiry before serving the request. That keeps sensitive data from anyone but the authenticated user, provided the signing key stays secret, the verifier accepts only the algorithm it expects, tokens expire after a short time, and they travel only over HTTPS.

[Figure: JWT issued at login and checked on each protected request]

Key takeaways

The tips we've shared in this article should help secure your Node.js backend, but as Bruce Schneier emphasizes, securing your website is not a one-time task; it is an ongoing process. You have to keep finding and fixing bugs and vulnerabilities to keep your website secure.

If you're developing a product and strive to provide the best security to your users, you can always seek help from an expert development team. Please feel free to schedule a call with one of our experts to discuss your project.


Radial Code

IT Services, Education & Consultancy


Copyright @2024 Radial Code Pvt. Ltd. All rights reserved | RadialCode