“Security is not a product, but a process.” - Bruce Schneier, American Cryptographer
MyFitnessPal, a popular diet and fitness app owned by Under Armour, was breached in March 2018, affecting about 150 million user accounts. The attackers reached the backend database and retrieved usernames, email addresses, and hashed passwords. About a year after the breach, the data was put up for sale on the dark web.
Implementing the five tips in this article will level up the security of your Node.js backend. Let's get started.
In an SQL injection attack, the attacker supplies malicious SQL fragments through entry points such as web forms. If the application concatenates that input into a query, the database executes it, giving the attacker access to sensitive information or letting them modify it.
For instance, DVWA (Damn Vulnerable Web Application) is a deliberately vulnerable PHP/MySQL application built for practice that lets users extract information from the database using SQL injection.
DVWA's SQL injection exercise shows a text field asking for a User ID. If we enter the number 1 and click Submit, the database executes the query and returns the first name and surname of the user with ID=1. Because the input is pasted straight into the SQL text, anything else typed into that field becomes part of the query too.
SQL injection is not the only kind of injection attackers use, however; the same mistake, mixing untrusted input into a command string, underlies OS command, LDAP and NoSQL injection. For SQL the fix is parameterized queries, which TypeORM issues for you when you use its repository methods or its query builder with bound parameters (`where("user.id = :id", { id })`) instead of string concatenation. The general rule is the same for every injection class: never build a query or command from user input by concatenation, and validate input against the format you expect before it reaches the interpreter.
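As an added example (not code from the original article), here is the DVWA-style "User ID" lookup written two ways in Node.js: one that interpolates the input into the SQL text, and one that sends it as a bound parameter in the shape a driver such as `pg` or TypeORM's `manager.query(text, params)` expects. The table and column names, and the allow-list regex, are assumptions for the example.

```javascript
// Added example, not from the original article. Assumed schema: users(user_id,
// first_name, last_name). Assumed id format: up to 10 decimal digits.
const SAFE_ID = /^[0-9]{1,10}$/;

// Vulnerable: string concatenation. The input becomes part of the SQL text, so
// a quote in the input ends the literal and the rest is parsed as SQL.
function buildVulnerableQuery(userId) {
  return `SELECT first_name, last_name FROM users WHERE user_id = '${userId}'`;
}

// Safe: a placeholder in the text plus a separate values array. The database
// never parses values[0] as SQL, so quotes and OR clauses inside it are inert.
// TypeORM produces this shape for you when you write
// repository.findOneBy({ id }) or createQueryBuilder().where("u.user_id = :id", { id }).
function buildSafeQuery(userId) {
  return {
    text: 'SELECT first_name, last_name FROM users WHERE user_id = $1',
    values: [userId],
  };
}

// Defence in depth: reject anything that is not a plausible id before it goes
// near the database. Returns the canonical number, or null to signal a 400.
function validateUserId(raw) {
  if (typeof raw !== 'string' || !SAFE_ID.test(raw)) return null;
  return Number(raw);
}

// Classic DVWA payload: closes the string literal and appends a tautology.
const PAYLOAD = "1' OR '1'='1";

// With the payload, the vulnerable query is now a different query that
// matches every row; the safe query text is unchanged and the payload sits in
// values[0] as plain data.
const vulnerable = buildVulnerableQuery(PAYLOAD);
const safe = buildSafeQuery(PAYLOAD);
```

The `text`/`values` pair is the same thing the `$1` placeholder denotes in PostgreSQL and `?` denotes in MySQL; the point is that the value travels to the database separately from the statement, so it can only ever be compared with `user_id`, never executed.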
A denial-of-service (DoS) attack is a malicious attempt to flood a server with traffic or expensive requests in order to disrupt its normal operation and make the website unavailable to legitimate users.
Fastify handles roughly twice as many requests per second as Express.js in benchmarks, which buys you headroom, but raw throughput is not a DoS defence on its own; an attacker with enough clients will saturate any framework. The defence is limiting what you accept: cap request body size, rate-limit requests per client, and set header and request timeouts so slow clients cannot hold connections open indefinitely.
JavaScript has allowed developers to create dynamic and interactive websites, but it also introduced new classes of vulnerability, with cross-site scripting (XSS) among the most significant.
An XSS attack is an injection attack in which malicious client-side script is injected into web pages viewed by other users. When that script runs in a victim's browser it executes with the victim's session, so the attacker can read whatever the victim can see and act as them within the application.
On the backend, two controls go together. Security response headers such as Content-Security-Policy, X-Content-Type-Options and X-Frame-Options restrict what an injected script can do and where the page can be embedded, and encoding every piece of user-supplied data before it is placed into HTML stops the script from being injected in the first place. Headers alone are a safety net, not a fix: a page that reflects unencoded input is still vulnerable wherever the policy is relaxed.
Storing user passwords is an integral part of most websites today. You need to ensure that even if your database is stolen, as MyFitnessPal's was, the actual passwords are not exposed.
Hashing is the standard technique for storing passwords securely. A hash function takes data of any length and returns an output of fixed length. When a user creates an account and chooses a password, the generated hash is stored rather than the password itself. When the user logs in, the password they enter is hashed again and compared with the stored hash; if the two match, the login succeeds.
Hashing is one-way: you cannot take a hash and recover the original data from it. But a general-purpose hash is also fast. A single modern GPU computes billions of MD5 or SHA-1 hashes per second, so an attacker who has the stolen hashes simply guesses passwords, hashes each guess, and compares the results until one matches. Common passwords fall in seconds.
This is why passwords are salted: a unique random string is generated for each user and combined with the password before hashing, so two users with the same password get different hashes and a precomputed table of hashes cracks at most one account. Salting does not slow the attacker down on its own, though. The second half of the defence is to use a deliberately slow, memory-hard password hashing function such as bcrypt, scrypt or Argon2 rather than a general-purpose hash, so that each guess costs the attacker real time.
A REST API is an application programming interface through which two systems exchange data over HTTP. It gives developers a great deal of flexibility, since clients need no dependent code libraries to call the service, but nothing in REST itself authenticates callers; that is up to you.
The usual approach in Node.js is token-based authentication with JSON Web Tokens (JWT): the server issues a token that is signed with a secret only it holds, and only requests that present a valid token reach protected routes.
When a user signs up or logs in, the server issues a JWT, and every route that requires authentication verifies the token's signature and expiry before serving the request. This ensures that only the user the token was issued to can reach their sensitive data, provided the token stays secret: send it over HTTPS only, give it a short lifetime, and never accept a token whose signature you cannot verify.
The tips in this article should help secure your Node.js backend, but as Bruce Schneier's quote emphasises, securing your website is not a one-time task; it is an ongoing process. Keep finding and fixing bugs and vulnerabilities, keep dependencies up to date, and revisit these controls as the application changes.
Copyright @2023 Radial Code Pvt. Ltd. All rights reserved | RadialCode
Table of contents
Introduction
1. Use TypeORM to safeguard against SQLi attacks
2. Limit data inflow to the server for protecting against DoS attacks
3. Configuring secure headers
4. Hashing passwords
5. Securing Rest API
Key takeaways