The widespread adoption of Node.js continues to grow, making it a prime target for XSS, DoS, and... Tagged with node.

Roberto Umbelino

Figma

Community Picks is a section on daily.dev where our community members share the most interesting and valuable content they've discovered online. From insightful articles to handy tools, every post is a gem curated by our dedicated coomunity. To contribute to Community Picks, you need to have at least 250 reputation points, ensuring that only active and trusted members can share their finds.

Community Picks

Node.js applications are common targets for attacks, including XSS, DoS, and brute force. This guide outlines common security threats and provides best practices to mitigate them. Techniques include using parameterized queries, sanitizing inputs, employing ORMs, implementing rate limiting, and using multi-factor authentication. The importance of using secure headers, securing dependencies, and monitoring/logging activities is also highlighted, along with practical code examples.

Security Best Practices for Your Node.js Application

Understanding Node.js Security Risks and Implementing Security Best Practices

While I appreciate the collection, some of the mentioned practices ought to be language-agnostic.
Shouldn’t we rather set request size limits, security headers and rate limits in our edge servers like nginx / caddy?
Also, a lot of the headers stuff mentioned is just security by obscurity; not a fan here.
Lastly, the article mentions the helmet library and references the header “X-XSS-Protection for mitigating XSS attacks.” as to the helmet README, that’s just a legacy header that is disabled by the library. So, there is no threat protection regarding XSS built into helmet.
Other than that, quite a few good practices are showcased!

After the obvious input sanitization advices, this is litterally the first thing I checked:
<img src="https://media.daily.dev/image/upload/s--y4UnLH9r--/f_auto/v1725442819/ugc/content_5188af81-40e2-49ef-b1e4-d8fedcc0ce96" alt="image">
<img src="https://media.daily.dev/image/upload/s--7fvZabGc--/f_auto/v1725442828/ugc/content_07bdaab1-ed0d-4ab2-851c-0cad33529e39" alt="image">