5 tips to make your Node.js backend secure
MyFitnessPal, a popular diet and fitness app owned by Under Armour was hacked in March 2018 affecting 150 million user accounts. Hackers were able to access the backend database and retrieved usernames, email addresses, and hashed passwords. One year after the breach, the data was put for sale on the dark web.
By implementing the five tips we share in this article, you will be able to level up the security of your Node.js backend. Let's get started.
Use TypeORM to safeguard against SQLi attacks
SQL injection (SQLi) attacks have been around for about two decades and remain the most popular way for attackers to break into web applications. According to a report by Akamai, SQL injection represented nearly two-thirds (65.1%) of all web application attacks observed.
During an SQL injection attack, the attacker types SQL fragments into input fields such as web forms. If the application splices that input into a query string, the database executes it as part of the query, which can expose or modify data the attacker should never be able to reach.
For instance, DVWA (Damn Vulnerable Web Application) is a deliberately vulnerable PHP and MySQL application built for practice, and its SQL injection page lets a user extract data from the database.
In DVWA, the page shows a text field asking for a User ID. If we enter the number 1 and click Submit, the query runs and returns the first name and surname of the user with ID 1. If we instead enter 1' OR '1'='1, the quote closes the string literal, the rest is parsed as SQL, and the database returns every user: the input has changed the structure of the query rather than just its data.
To safeguard your website from SQL injection attacks, use parameterized queries; in a Node.js backend, TypeORM gives you these by default. One of the most powerful features of TypeORM is the QueryBuilder. It allows you to build SQL queries, execute them and automatically get transformed, typed entities back. Its where clauses take named parameters (for example where("user.id = :id", { id })) that are passed to the database driver separately from the query text, so user input is never spliced into the SQL. The protection is lost the moment you concatenate input into a query string yourself, for instance in a raw query() call, so keep every user-supplied value in a parameter.
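The concatenation bug DVWA demonstrates, next to the parameterized form TypeORM's QueryBuilder produces, as an added example (not code from the original article, from DVWA or from TypeORM). The table and column names, the ten-digit id limit and the payloads are assumptions; no database is contacted, and the tokenizer is a deliberately crude illustration of which keywords the database would read as structure rather than data.

```javascript
// VULNERABLE: the raw value is spliced into the SQL text, so a quote in the
// input closes the literal and whatever follows is parsed as SQL.
function buildUserQueryUnsafe(userId) {
  return `SELECT first_name, last_name FROM users WHERE user_id = '${userId}'`;
}

// SAFE: the SQL text is fixed and the value travels separately as a bound
// parameter, so the database never parses it as SQL. With TypeORM this is
//   qb.where("user.id = :id", { id: userId })
// or, for a raw query, dataSource.query("... WHERE user_id = ?", [userId]).
function buildUserQuerySafe(userId) {
  return {
    text: "SELECT first_name, last_name FROM users WHERE user_id = ?",
    values: [userId],
  };
}

// Defence in depth: a user id is a positive integer, so reject anything else
// before it gets near a query (the ten-digit cap is a hypothetical limit).
function parseUserId(raw) {
  if (typeof raw !== "string" || !/^[1-9][0-9]{0,9}$/.test(raw)) return null;
  return Number(raw);
}

// What a route handler would do: validate first, then bind.
function lookupUserQuery(raw) {
  const id = parseUserId(raw);
  if (id === null) throw new RangeError("invalid user id");
  return buildUserQuerySafe(id);
}

// Crude tokenizer for illustration only (no handling of '' escapes or
// comments): returns the SQL keywords that sit OUTSIDE string literals,
// i.e. the part of the input the database treats as query structure.
function keywordsOutsideLiterals(sql) {
  const KEYWORDS = new Set(["SELECT", "FROM", "WHERE", "OR", "AND", "UNION", "DROP"]);
  const found = [];
  let inLiteral = false;
  let word = "";
  const flush = () => {
    if (word && KEYWORDS.has(word.toUpperCase())) found.push(word.toUpperCase());
    word = "";
  };
  for (const ch of sql) {
    if (ch === "'") { inLiteral = !inLiteral; flush(); continue; }
    if (inLiteral) continue;
    if (/[A-Za-z_]/.test(ch)) word += ch; else flush();
  }
  flush();
  return found;
}

// Constructed DVWA-style payloads: the first widens the WHERE clause, the
// second appends a UNION to read another table's columns.
const INJECTION = "1' OR '1'='1";
const DUMP = "1' UNION SELECT user, password FROM users -- ";
```

Run keywordsOutsideLiterals over buildUserQueryUnsafe(INJECTION) and an OR appears outside any literal; run it over buildUserQuerySafe(INJECTION).text and the structure is unchanged because the payload only ever exists in values. parseUserId rejects both payloads before a query is even built.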
However, SQL injection is not the only type of injection attackers use. Implementing the steps outlined below will safeguard you against the whole family of injection attacks:
- Validate each field before it reaches the database, against the type and shape the column expects. For example, a field that should hold only letters is rejected if it contains digits or special symbols. Write the rule for what the field legitimately holds (a name such as O'Brien contains an apostrophe and is still valid) and treat validation as defence in depth rather than as the SQL defence itself.
- Validate data on the server with the express-validator module in Node.js. It can check things like password length, the character classes a password must contain, the length of a phone number, the format of a name, and so on. Alternatives such as joi (formerly @hapi/joi) do the same job; express-validator has the advantage of plugging straight into Express middleware.
- Validate data in the front end before sending it to the backend. This catches typos early and gives the user immediate feedback, but anything done in the browser can be bypassed with a single curl command, so it is a usability measure and never a security boundary: the server must repeat every check. Take an email address, for example. You would want the address to be formatted like firstname.lastname@example.org, with a rule that accepts any valid top-level domain. This won't stop people from entering fake email addresses, but the ones that get through will at least be well formed.
Once the user has typed in a well-formed email address, the server validates it again and reports back to the client whether it is already taken. Format validation also rejects a string such as ' ; DROP TABLE customers; -- as a side effect. That string would only remove your customer table if it were concatenated into a query on a driver that runs stacked statements, and a legitimate value like O'Brien contains the same quote character, so the real protection remains parameter binding; validation narrows what reaches the query, it does not replace binding.
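Server-side validation of a sign-up payload, as an added example that is not code from the original article nor from express-validator or joi; it is written without a library so it runs stand-alone, and the field names, length limits and regular expressions are assumptions. The same rules would be expressed declaratively with express-validator's check() chain or a joi schema.

```javascript
// Each validator returns null when the value is acceptable, otherwise a
// message. Unknown fields are dropped so only validated data reaches the DB.
const MAX_NAME = 80; // hypothetical column width

const validators = {
  // Names legitimately contain apostrophes, hyphens and non-ASCII letters
  // (O'Brien, Jean-Luc, Søren). Digits, punctuation and control characters are
  // rejected; quotes are not, because SQL safety comes from parameter binding.
  name: (v) =>
    typeof v === "string" && v.length >= 1 && v.length <= MAX_NAME &&
    /^[\p{L}][\p{L}\p{M} '.-]*$/u.test(v)
      ? null : `name must be 1-${MAX_NAME} letters, spaces, apostrophes or hyphens`,

  // Local part, at least one dot in the domain, alphabetic TLD of 2+ letters.
  email: (v) =>
    typeof v === "string" && v.length <= 254 &&
    /^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$/.test(v)
      ? null : "email must look like name@example.org",

  // Digits only, optional leading +, 7-15 digits (E.164 upper bound).
  phone: (v) =>
    typeof v === "string" && /^\+?[0-9]{7,15}$/.test(v)
      ? null : "phone must be 7-15 digits with an optional leading +",

  // Length is the strongest requirement; the class checks follow the article.
  password: (v) =>
    typeof v === "string" && v.length >= 12 && v.length <= 128 &&
    /[a-z]/.test(v) && /[A-Z]/.test(v) && /[0-9]/.test(v)
      ? null : "password must be 12-128 characters with upper, lower and digit",
};

// Validate a request body; returns { ok, errors, clean } where clean holds
// only the known, validated fields in their original form.
function validateSignup(body) {
  const input = body && typeof body === "object" ? body : {};
  const errors = {};
  const clean = {};
  for (const [field, check] of Object.entries(validators)) {
    const msg = check(input[field]);
    if (msg) errors[field] = msg;
    else clean[field] = input[field];
  }
  return { ok: Object.keys(errors).length === 0, errors, clean };
}
```

In an Express route this runs before any database call: respond 400 with the errors object when ok is false, and pass clean (never the raw body) to the parameterized insert. Note that "O'Brien" passes validation and still contains a quote, which is exactly why the insert must bind it as a parameter.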
Limit data inflow to the server for protecting against DoS attacks
A denial-of-service (DoS) attack is a malicious attempt to flood a server with more requests or data than it can handle, disrupting its normal operation and making the website unavailable to legitimate users.
Fastify degrades later under such a flood because, in its own benchmarks, it serves roughly twice as many requests per second as Express.js. Raw throughput alone is not a defence, though: an attacker can always send more than you can serve. What actually bounds a DoS is limiting what each client is allowed to send: rate-limit requests per client, cap the size of request bodies, and time out connections that send headers or bodies slowly.
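The two inflow limits that actually bound a flood, as an added example that is not code from the original article, from Express or from Fastify: a per-client token-bucket rate limiter with a bounded key table (so that spoofed client keys cannot exhaust memory either), an early Content-Length check, and a byte cap enforced while the body is read. It is written against plain Node.js with no dependencies; the capacities, refill rate and byte limits are assumptions.

```javascript
// Token bucket per client key (typically the client IP or an API key).
// Each key starts with `capacity` tokens and earns `refillPerSec` per second;
// a request costs one token and is refused when the bucket is empty.
class RateLimiter {
  constructor({ capacity = 20, refillPerSec = 5, maxKeys = 10000 } = {}) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
    this.maxKeys = maxKeys;       // bound on memory: an attacker can forge keys
    this.buckets = new Map();     // insertion order == least recently seen first
  }

  allow(key, nowMs = Date.now()) {
    let bucket = this.buckets.get(key);
    if (bucket) {
      this.buckets.delete(key);   // re-inserted below so it moves to the back
      const elapsedSec = Math.max(0, nowMs - bucket.last) / 1000;
      bucket.tokens = Math.min(this.capacity, bucket.tokens + elapsedSec * this.refillPerSec);
      bucket.last = nowMs;
    } else {
      if (this.buckets.size >= this.maxKeys) {
        // Evict the least recently seen key rather than grow without bound.
        this.buckets.delete(this.buckets.keys().next().value);
      }
      bucket = { tokens: this.capacity, last: nowMs };
    }
    this.buckets.set(key, bucket);
    if (bucket.tokens >= 1) {
      bucket.tokens -= 1;
      return true;
    }
    return false;                 // caller responds 429 Too Many Requests
  }
}

// Cheap first check: refuse before reading anything when the client declares
// an oversized body. A missing header (chunked encoding) is allowed through and
// enforced by collectBody instead.
function checkContentLength(headers, maxBytes) {
  const raw = headers["content-length"];
  if (raw === undefined) return true;
  const n = Number(raw);
  return Number.isInteger(n) && n >= 0 && n <= maxBytes;
}

class BodyLimitError extends Error {}

// Accumulates body chunks as a 'data' listener would receive them and aborts
// as soon as the running total passes maxBytes, so a lying or chunked client
// cannot make the server buffer an arbitrary amount. On the error the caller
// should respond 413 and destroy the socket rather than keep reading.
function collectBody(chunks, maxBytes) {
  const parts = [];
  let received = 0;
  for (const chunk of chunks) {
    const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk, "utf8");
    received += buf.length;
    if (received > maxBytes) throw new BodyLimitError(`body exceeds ${maxBytes} bytes`);
    parts.push(buf);
  }
  return Buffer.concat(parts);
}
```

In production the same three controls are usually configured rather than hand-written: express.json({ limit: "100kb" }) and Fastify's bodyLimit option cap body size, the express-rate-limit and @fastify/rate-limit packages implement the per-client bucket, and Node's http server exposes headersTimeout and requestTimeout for slow senders. The hand-written versions above show what those settings do and what the refusal path looks like.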