Page 1: Securing your Node.js App

Let’s talk Security
Securing Your Node.js App

Dheeraj Joshi (@dheerajhere)

Page 2

About Me

● Front-End @

● Open Source (medium-cli)

● Ambidextrous TT Player

Page 4

Agenda

● Why?

● Cross-site Scripting (XSS)

● Cross-site Request Forgery (CSRF)

● Content Security Policy (CSP)

● Useful Headers

● Other Best Practices

● Demo

Page 5

Why should Startups Care about Security?

Startups & SMEs are known to cut corners. One of the first things they cut is ‘Security’.

Page 6

Page 7

GitHub reused-password attack

Page 8

HACKER PUTS HOSTING SERVICE “CODE SPACES” OUT OF BUSINESS

The Shutdown

Page 9

CROSS SITE SCRIPTING - XSS

● XSS attacks users, not servers: the injected script runs in the victim’s browser with the site’s own origin

● “JavaScript Injection”

● Exploits can be bad, really bad..

Page 10

What is XSS?

Typical Reflected XSS

Page 11

Stored XSS

Page 12

Protect Yourself

● Input Validation

● Ensure that outputs are HTML encoded for the context they land in (HTML body, attribute, URL, JavaScript)

● Don’t reinvent the wheel (use proven sanitizers)

Page 13

Content Security Policy (CSP)

Page 14

Add Content Security Policy header

Page 15

● Add HttpOnly, Secure attributes on the Session Cookie

Page 16

CROSS-SITE REQUEST FORGERY (CSRF)

Page 17

CSRF Attacks

Because the request is sent by the victim’s own browser, which attaches the victim’s credentials automatically, CSRF can bypass:

● HTTP Auth

● Session-based auth

● Firewalls

Page 18

Prevention

Page 19

“CSRF Myths”: Preventions that Won’t Work

● Only accepting POST requests

● Referer Protection

● Multi-Step Transactions

● URL Rewriting

● application/json

None of these stops a forged request on its own: an attacker’s page can auto-submit a POST form, the Referer header can be absent or stripped, a multi-step flow can be scripted one step at a time, and a body parser that does not strictly check Content-Type will accept JSON sent from a form with enctype="text/plain". The server has to require something the attacker’s page cannot obtain, such as a per-session token.

Page 20

XSS + CSRF = ? (Demo)

Page 21

List of useful HTTP headers

● Strict-Transport-Security: max-age=16070400; includeSubDomains

● X-Frame-Options: deny

● X-XSS-Protection: 1; mode=block (legacy: the browser XSS filters this header controlled have since been removed from Chrome and Edge and were never in Firefox; keep it for old clients, but rely on output encoding and CSP)

Page 22

Prevent Information Disclosure

Hide X-Powered-By (Express sends it by default)

Or try this ;)

Page 23

How to improve?

● SECURITY.md

● Security Middleware (helmet.js, kraken.js)

● OWASP NodeGoat Project

● NSP, Snyk (NSP was later folded into npm audit)

Page 24

Questions?