Photo by Luca Bravo on Unsplash
Tiny but Mighty: Minor NPM Packages That Beef Up Your Node App Security
Minor Packages, Major Security: Essential Node.js Security Packages You Should Know
Security is an important aspect of any software system, and Node.js is no exception. While major NPM packages like Express, React, and Lodash get a lot of attention, many smaller but critical packages play an important role in securing Node.js applications. In this post, we'll explore a few of these minor but crucial Node security packages.
Helmet
Helmet is a collection of 13 smaller middleware functions that help set security-related HTTP headers. These headers help prevent attacks like XSS (cross-site scripting), framebusting, and MIME-type sniffing. To use a Helmet, you simply install it:
npm install helmet
// or yarn add helmet
Then use the various middleware functions in your Express app:
const helmet = require('helmet')
app.use(helmet.frameguard()) // Prevents clickjacking
app.use(helmet.xssFilter()) // Prevents XSS attacks
app.use(helmet.noSniff()) // Prevents MIME type sniffing
Helmet is a very easy way to significantly improve the security of your Node/Express app with little overhead or configuration.
Rate limiting
To prevent brute force login attacks or DDoS attacks, it's important to implement rate limiting. There are a few good options for this in Node:
express-rate-limit - Simple rate-limiting middleware for Express. You define the window size and max number of requests, and requests over that limit get a 429 response.
const rateLimit = require("express-rate-limit"); app.use("/login", rateLimit({ windowMs: 15 * 60 * 1000, max: 10 })); // 15 minutes, 10 login attempts
rate-limit - More advanced rate-limiting library. Lets you do things like whitelisting certain IP addresses, using different rate limits based on IP or URL, etc.
const rateLimit = require("rate-limit"); const limiter = rateLimit({ windowMs: 60 * 60 * 1000, // 1 hour window max: 100, // max 100 requests message: "Too many requests" }); app.use(limiter);
slowDown - This lets you add artificial delays / throttling to API endpoints to slow down certain requests. This can also help prevent brute force attacks.
const slowDown = require("express-slow-down"); app.use("/login", slowDown({windowMs: 15 * 60 * 1000, delayAfter: 10, delayMs: 500})); // 15 minute window, throttle after 10 requests, add 500ms delay
Any of these packages can help significantly strengthen the security of an Express API by preventing the ability to rapidly fire requests.
CORS
CORS (Cross-Origin Resource Sharing) refers to the ability of a frontend UI (often a browser) to make requests to an API hosted on a different origin (domain/port/protocol). By default, browsers prohibit CORS requests for security reasons. To enable CORS, we need to use middleware in our Express app.
The cors package is the most popular CORS middleware for Express. You install it with npm:
npm install cors
// or yarn add cors
Then enable it in your app:
const cors = require('cors')
app.use(cors())
This will allow CORS requests from all origins. You can also configure it to be more restrictive:
app.use(cors({
origin: 'http://example.com' // allow only requests from example.com
}))
Or use a whitelist:
const whitelist = ['http://example1.com', 'http://example2.com']
app.use(cors({
origin: (origin, callback) => {
if (whitelist.indexOf(origin) !== -1) {
callback(null, true)
} else {
callback(new Error('Not allowed by CORS'))
}
}
}))
Enabling CORS is important for the security of your API - you don't want other sites to be able to make requests to your API without explicitly enabling them. The cors package makes properly configuring CORS in Express seamless.
XSS Protection
Cross-Site Scripting (XSS) is a common attack in web applications where malicious scripts are injected into vulnerable pages, usually by targeting input fields that are not properly sanitized. To help mitigate XSS risks in Express, you can use packages like:
xss-clean - Middleware to sanitize user input that may contain XSS. It uses a whitelist approach to filter out anything that's not explicitly allowed.
const xss = require('xss-clean'); app.use(xss());
express-xss-sanitizer - Similar to xss-clean but uses a blacklist approach, removing known malicious input.
const sanitizer = require('express-xss-sanitizer'); app.use(sanitizer());
Using either of these packages is an easy way to add XSS protection to your Express app with minimal overhead. XSS attacks are one of the most common security issues with web applications, so sanitizing input is critical.
In summary, while major Express middleware libraries get most of the attention, minor packages focused on security play an equally important role in building robust, secure Node applications. Happy Hacking!