The document provides tips for securing a Node.js application, including not running code with sudo privileges which could compromise the entire system if exploited, avoiding eval which can execute arbitrary JavaScript including malicious code, adding security-related HTTP headers using Helmet to remove unnecessary headers and enable protections, and using scanning utilities like Retire.js to check for vulnerable dependencies.

Uploaded by MohammedYehia

Securing Your Node.js App
Node.js is fairly secure by default, but there are definitely things you have to watch out
for. If your Node web app starts to get more and more popular, for example, you'll need to
think more and more about security to ensure that you're keeping your users' data safe.

After seeing some questions about Node.js security around the web in the last few weeks, I
figured it would be helpful to write up a short guide on what you can do to secure your apps.

Many, if not all, of the suggestions here are really easy to follow and implement, and are mostly
specific to Node itself or its modules. So I won't be covering things like encryption or user
authentication, which are a bit out of scope for this article. Many of the tips here will be focused
on Node web frameworks, since those are typically the most vulnerable to attack.

Don't Run Code with Sudo

This happens way more than you think, and it's dangerous. Since it gives root permissions,
running code with sudo can make annoying problems go away, like writing to a directory that
the user doesn't own. But that's just the easy way out, and these shortcuts bring up a mess of
other problems you shouldn't ignore.

Instead, find the root cause of the problem and figure out a way to get around it without
compromising the whole system.

So, for example, if you need to open port 80 for a web service but can't since you're not running
under root, you should instead use a proxy like Nginx to forward the requests from port 80 to
whatever other port your service is actually running on.

If you run under root and your application is taken over by attackers, they can then do whatever
they want with your system and your data. This is the worst-case scenario that you're trying to
protect yourself from.

Avoid eval at all Costs

Okay, I'll admit it, at times it can be tempting to make your code more dynamic by letting it
execute arbitrary JavaScript using eval, but believe me, this is a bad idea.
Some people even try to use it when they get lazy with parsing user input. After all, the V8
JavaScript engine is really good at parsing things like simple math operations, so it would be
tempting to use that to your advantage:

var result = eval('(13 + (2 * 23.249) / 0.981)');
// result = 60.398572884811415

There are just too many ways this can come back to bite you. Unless you're an expert and know
how to protect yourself from all of the different kinds of malicious JavaScript code, just steer
clear of this.

Here is a simple example of the exploit:

var userInput = req.body.userInput; // User entered 'process.exit()'
var answer = eval(userInput); // App quits here

Running this code will shut down your app, causing a denial of service (DoS) for your users.

Add/Remove HTTP Headers

There are quite a few HTTP headers out there that can both help you and hurt you. Using the
right ones in the right way is the tricky part.

Express, by default, adds the X-Powered-By: Express header, which really does nothing but tell
potential attackers what web framework you're using, and therefore how to exploit it based on
publicly-known vulnerabilities. The more information they have about your technology stack,
the more ways they'll be able to attack it.

That's where helmet comes into play. Helmet is a small module for Node that helps secure
Express/Connect apps by adding/removing various HTTP headers.

You can do anything from enabling HSTS to preventing click-jacking attacks. These are things
that take little to no work on your part, but they can make a world of difference. So if you're
building an Express app, this should be a no-brainer (and really, for any web service you should
do this).
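Added example, not from the original article and not Helmet's own code: a minimal Connect/Express-style middleware that drops X-Powered-By and sets the HSTS and anti-clickjacking headers discussed above, plus an audit helper you can run against any response. The fakeResponse object is a constructed stand-in so the block runs without a server; the exact header values are assumptions to adjust per app.

```javascript
// Added example: hand-rolled security headers in the style Helmet automates.
const SECURITY_HEADERS = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains', // HSTS, only meaningful over HTTPS
  'X-Frame-Options': 'DENY',                       // block framing -> clickjacking defence
  'X-Content-Type-Options': 'nosniff',             // stop MIME sniffing
  'Referrer-Policy': 'no-referrer',
  'Content-Security-Policy': "default-src 'self'", // assumed tight default; loosen per app
};

// Connect/Express middleware: mount with app.use(securityHeaders) before routes.
function securityHeaders(req, res, next) {
  res.removeHeader('X-Powered-By'); // never advertise the framework
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    res.setHeader(name, value);
  }
  next();
}

// Returns a list of problems: expected headers that are missing, or a leaked
// X-Powered-By. Works with http.ServerResponse or anything with getHeader().
function auditHeaders(res) {
  const problems = [];
  if (res.getHeader('X-Powered-By')) problems.push('X-Powered-By present');
  for (const name of Object.keys(SECURITY_HEADERS)) {
    if (!res.getHeader(name)) problems.push(`${name} missing`);
  }
  return problems;
}

// Constructed stand-in for res (header names are case-insensitive, as in Node).
function fakeResponse(initial = {}) {
  const headers = new Map(Object.entries(initial).map(([k, v]) => [k.toLowerCase(), v]));
  return {
    setHeader: (k, v) => headers.set(k.toLowerCase(), v),
    getHeader: (k) => headers.get(k.toLowerCase()),
    removeHeader: (k) => headers.delete(k.toLowerCase()),
  };
}
```

The audit helper is the useful part in practice: run it in an integration test against a real response so a later change that disables the middleware fails loudly.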

Use Scanning Utilities like Retire.js

Not all programmers are security experts, and while you should do your best to stay up-to-date
on common exploits like XSS or SQL injection, it's tough to know them all.

To make up for this, you should try using tools like Retire.js, which scans your Node app for
dependencies with known vulnerabilities.
