Node.JS security

1,651 views

Published on

Security Tips to follow while using Node.JS

Published in: Technology
  1. Node Security
     By Rejah Rehim

  2. Know what you require();
     NPM has ~75000 modules

  3. Use good security defaults
     Node is a set of barebones modules
     Express is a barebones framework

  4. Lusca
     App security module for Express

       var express = require('express'),
           app = express(),
           lusca = require('lusca');

  5. With Express middleware
     ● app.use(lusca.csrf());
     ● app.use(lusca.csp({ /* ... */ }));
     ● app.use(lusca.xframe('SAMEORIGIN'));
     ● app.use(lusca.p3p('ABCDEF'));
     ● app.use(lusca.hsts({ maxAge: 31536000 }));
     ● app.use(lusca.xssProtection(true));

  6. CSRF
     Trick the victim's browser into making malicious requests

  7. Lusca.csrf()
     Uses the Token Synchronizer pattern
     1) Create a random token on the server side
     2) Add the token to res.locals
     3) Dump that token in the app page
     4) Send it with every PUT, DELETE and POST request
     5) Verify the token is correct, else return 403

  8. CSP
     ● Content Security Policy
     ● Basically a whitelist

  9. Lusca.csp()

       app.use(lusca.csp({
         policy: {
           // CSP keywords keep their single quotes inside the header value
           'default-src': "'none'",
           'script-src': "'self' https://apis.google.com"
         },
         reportUri: '/report-violation'
       }));

 10. Lusca.hsts()
     ● Ensures HTTPS traffic
     ● Prevents MITM

 11. Lusca.xframe()
     ● Prevents others from loading your app in an iframe

 12. HTTPOnly cookies
     ● Prevent session hijacking

       app.use(express.session({
         secret: 'My super session secret',
         cookie: {
           httpOnly: true,
           secure: true
         }
       }));

 13. Eval is evil

 14. Node Security Project
     ● Audit all modules in NPM
     ● Contribute patches
     ● Educate others

 15. Scan for vulnerable modules
       npm install grunt-nsp-package --save-dev
       grunt validate-package

 16. Update your dependencies

 17. Clientside modules

 18. Escape everything
     ● Not just user inputs, backend data as well

 19. Underscore templates
     <% %>  - to execute some code
     <%= %> - to print some value in the template
     <%- %> - to print some value with HTML escaped

 20. Know your templating library
     ● Use it properly

 21. Update your front-end dependencies
     ● Retire.js
       npm install grunt-retire --save-dev
       grunt retire

 22. Let's recap
     ● Know what you're require()'ing
     ● Node is still JavaScript
     ● Use good security defaults
     ● Update your dependencies – use automation

 23. Thanks
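The five steps of the Token Synchronizer pattern on slide 7, written out as an added example that is not part of the deck and not lusca's code. It uses only Node's built-in crypto module so it runs without Express; the session object, the `_csrf` key, the request shape and the `x-csrf-token` header name are assumptions of this example.

```javascript
// Added example (not from the slide deck, not lusca): synchronizer-token CSRF
// check against Node built-ins only. Session/request shapes are constructed.
const crypto = require('crypto');

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
const TOKEN_BYTES = 32;

// Steps 1-3: create a random token on the server side once per session; the
// view layer then renders it into the page (lusca exposes it via res.locals).
function issueCsrfToken(session) {
  if (typeof session._csrf !== 'string') {
    session._csrf = crypto.randomBytes(TOKEN_BYTES).toString('hex');
  }
  return session._csrf;
}

// Steps 4-5: every state-changing request must carry the token, either as a
// hidden form field or as a header; anything else is answered with 403.
function csrfCheck(req, session) {
  if (SAFE_METHODS.has(req.method.toUpperCase())) {
    return { ok: true, status: 200 };
  }
  const expected = session._csrf;
  const supplied =
    (req.body && req.body._csrf) ||
    (req.headers && req.headers['x-csrf-token']);
  if (typeof expected !== 'string' || typeof supplied !== 'string') {
    return { ok: false, status: 403, reason: 'missing token' };
  }
  const a = Buffer.from(expected);
  const b = Buffer.from(supplied);
  // timingSafeEqual throws on length mismatch, so compare lengths first;
  // a constant-time compare keeps the token from leaking byte by byte.
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) {
    return { ok: false, status: 403, reason: 'bad token' };
  }
  return { ok: true, status: 200 };
}

// Constructed walk-through: a form is rendered with the token, then one
// request submits it correctly and one (cross-site) request has no token.
function csrfDemo() {
  const session = {};
  const token = issueCsrfToken(session);
  const good = csrfCheck({ method: 'POST', body: { _csrf: token } }, session);
  const forged = csrfCheck({ method: 'POST', body: {} }, session);
  return { token, good, forged };
}

module.exports = { issueCsrfToken, csrfCheck, csrfDemo };
```

The check deliberately treats a missing session token and a missing request token the same way (403), so a request that arrives before a form was ever rendered cannot pass by accident.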
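What the lusca calls on slides 5 and 9-12 amount to on the wire, as an added example that is neither the deck's nor lusca's code: the CSP header built from a lusca-style policy object, the HSTS, X-Frame-Options and X-XSS-Protection headers, and a Set-Cookie value with the HttpOnly and Secure flags from slide 12. It also includes a small check for the quoting mistake that is easy to make in a CSP policy object (a keyword such as `'none'` losing its single quotes). Option names follow the slides; the helper names, the `includeSubDomains` and `sameSite` options are this example's own.

```javascript
// Added example, not lusca's or the deck's code. Builds the security headers
// the slides configure, using Node built-ins only. Helper names are mine.

const CSP_KEYWORDS = ['self', 'none', 'unsafe-inline', 'unsafe-eval'];

// A directive value may be a string or an array of sources.
function directiveValue(value) {
  return Array.isArray(value) ? value.join(' ') : String(value);
}

// Content-Security-Policy header from a lusca-style { policy, reportUri }.
function buildCsp(policy, reportUri) {
  const directives = Object.keys(policy).map(
    (name) => name + ' ' + directiveValue(policy[name])
  );
  if (reportUri) directives.push('report-uri ' + reportUri);
  return directives.join('; ');
}

// CSP keywords keep their single quotes inside the header ("default-src 'none'").
// A policy entry written as 'default-src': 'none' sends "default-src none",
// which the browser reads as a host named "none", so the intended restriction
// is silently gone. This check reports such entries.
function findUnquotedKeywords(policy) {
  const problems = [];
  for (const name of Object.keys(policy)) {
    for (const token of directiveValue(policy[name]).split(/\s+/)) {
      if (CSP_KEYWORDS.includes(token)) problems.push(name + ': ' + token);
    }
  }
  return problems;
}

// Headers for the remaining slide 5 calls: hsts (slide 10), xframe (slide 11)
// and the legacy X-XSS-Protection header. includeSubDomains is an assumed option.
function securityHeaders(opts) {
  const headers = {};
  if (opts.csp) {
    headers['Content-Security-Policy'] = buildCsp(opts.csp.policy, opts.csp.reportUri);
  }
  if (opts.hsts) {
    headers['Strict-Transport-Security'] =
      'max-age=' + opts.hsts.maxAge +
      (opts.hsts.includeSubDomains ? '; includeSubDomains' : '');
  }
  if (opts.xframe) headers['X-Frame-Options'] = opts.xframe;
  if (opts.xssProtection) headers['X-XSS-Protection'] = '1; mode=block';
  return headers;
}

// Slide 12: a session cookie the browser will not expose to scripts (HttpOnly)
// and will only send over TLS (Secure). sameSite is an extra, assumed option.
function serializeCookie(name, value, flags) {
  const parts = [name + '=' + encodeURIComponent(value)];
  if (flags.httpOnly) parts.push('HttpOnly');
  if (flags.secure) parts.push('Secure');
  if (flags.sameSite) parts.push('SameSite=' + flags.sameSite);
  return parts.join('; ');
}

module.exports = { buildCsp, findUnquotedKeywords, securityHeaders, serializeCookie };
```

Running `findUnquotedKeywords` over a policy object before it is passed to the middleware catches the weak form (`'default-src': 'none'`) while the corrected form (`'default-src': "'none'"`) passes clean.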
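Slides 18-20 say to escape everything, backend data included, and to know how the templating library behaves. The following added example, which is not Underscore's code and not part of the deck, contains an HTML escaper and a minimal renderer that supports only the two output tags from slide 19 (`<%= %>` raw, `<%- %>` escaped) with dotted variable lookup; `<% %>` code execution is deliberately left out, so nothing is evaluated. The `profile` record is constructed sample data.

```javascript
// Added example (not Underscore's code): minimal escaped/raw interpolation so
// the difference between <%= %> and <%- %> can be seen on backend data.

// Same character set Underscore escapes, including the backtick.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '`': '&#x60;'
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Interpolates <%= key %> raw and <%- key %> escaped (Underscore's convention).
// Keys may be dotted paths; unknown keys render as empty strings. No code
// blocks (<% %>) are supported, so no eval/new Function is involved.
function render(template, data) {
  return template.replace(/<%([=-])\s*([\w.]+)\s*%>/g, (match, mode, key) => {
    const value = key
      .split('.')
      .reduce((obj, k) => (obj == null ? undefined : obj[k]), data);
    const text = value == null ? '' : String(value);
    return mode === '-' ? escapeHtml(text) : text;
  });
}

// Constructed "backend data": a display name read back from the database,
// which an earlier input path stored without validation.
const profile = { user: { name: '<script>alert(1)</script>' } };

function templateDemo() {
  return {
    raw: render('<p><%= user.name %></p>', profile),      // markup reaches the page
    escaped: render('<p><%- user.name %></p>', profile),  // rendered as text
  };
}

module.exports = { escapeHtml, render, templateDemo };
```

The point of the demo is that the data did not come from the current request, so input validation alone would not have helped; the output tag decides whether the stored markup is interpreted by the browser.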