“Security is not a product, but a process.” - Bruce Schneier, American Cryptographer

MyFitnessPal, a popular diet and fitness app owned by Under Armour was hacked in March 2018 affecting 150 million user accounts. Hackers were able to access the backend database and retrieved usernames, email addresses, and hashed passwords. One year after the breach, the data was put for sale on the dark web.

By implementing the five tips we share in this article, you would be able to level up the security of your Node.js backend. Let's get started.

During an SQL injection attack, an attacker supplies malicious SQL queries into entry fields like website forms which may be executed by the database giving access to sensitive information.

For instance, DVWA is a vulnerable web application developed for testing purposes using PHP and MySQL that allows users to extract information from the database using SQL injection.

In DVWA, we can see a text field where it asks for the User ID. If we enter the number 1 and click submit, the query gets executed by the database and returns the user's first name and surname with ID=1.

However, SQL injection is not the only type of injection attackers use. Implementing the steps outlined below will safeguard you from all types of injection attacks:

• Validate each field in your database. This would ensure that the data entered is of the correct type. For example, a field might only accept non-numeric data, i.e., alphabets. If in this case, a user enters any data containing other characters such as numbers or special symbols, it would get rejected by the system.
   
• Validate data using the express-validator module in NodeJS. It can be used to validate data such as password length, password with specific character types, length of a phone number, name, etc. There are a few other modules like Hapi/Joi, etc. but express-validator is more widely used.
   
• Validate data in the front end before sending it to the backend. This would ensure that the data entered isn't spam. Take an email address for example. You would want that the email entered by the user is formatted as “address@domain.tld” with a ruleset that matches all valid TLDs. This won't stop people from entering fake email addresses but they would be at least formatted correctly.
  
  Once they have typed in a valid email address, the server validates that address and reports back to the client whether it’s already taken or not. You would also want to ensure that the address does not contain any type of SQL injection like ‘ ; DROP TABLE customers; --. This line can remove the complete list of your customers.

A denial-of-service (DoS) attack is a malicious attempt to bombard a server with traffic in order to disrupt its normal operations making the website unavailable.

Fastify is much more effective at handling DoS attacks due to its ability to handle nearly twice as many requests as Express.js.

JavaScript programming language has allowed developers to create dynamic and interactive websites but also presented new and unique vulnerabilities with cross-site scripting (XSS) being one of the most significant threats.

An XSS attack is a type of injection attack in which malicious client-side scripts are injected into web pages viewed by other users. When the malicious code executes inside a victim's browser, the attacker gains full control of their interaction with the application.

Here's an example of code syntax that can be used in backend to make the code secure:

Storing user passwords is an integral part of most websites today. You need to ensure that even if your database gets hacked, you don't expose the actual passwords to hackers.

Hashing is a commonly used technique to store passwords securely. Hashing algorithms take data of any length and return an output of fixed length. When a user creates an account and chooses a password, the password is stored as the generated hash rather than the actual characters. When the user tries to log in, the password entered is hashed again and compared to the hash stored in the database. If both the hashes match, the user is logged in successfully.

The interesting thing about hashing is that it's a unidirectional process meaning that you cannot use a hash and go back to get the original data. However, computers nowadays are high-speed and can calculate thousands of hashes per second. One could eventually crack a hash and arrive at the password by comparing that specific hash to the list of hashes they've generated using combination of letters, numbers, and symbols.

This is the reason why we use the salting process. It simply means adding some unique strings of characters to the password before you hash it. This makes it even more difficult for a hacker to find a match.

REST API is an application programming interface that two computer systems use to securely exchange data over the internet. It provides a great deal of flexibility to developers since there is no need for dependent code libraries to access web services.

For securing REST API it is recommended to use tokens that are generated and signed with some data. Developers mostly use JSON Web Tokens (JWT) in Node.js which helps secure API from unauthenticated users as the access is token-based.

When a user signs up or logs in to a website, a JSON Web Token is assigned which will be authenticated at all paths requiring authentication. This ensures that no one else than the validated user has access to the sensitive data.

The tips we've shared in this article should help secure your Node.js backend but as emphasized by Bruce Schneier, securing your website is not a one-time task, rather it is a regular process. You have to regularly find bugs and vulnerabilities and keep fixing them to keep your website secure.