Securing Your Node.js 5 Web App
Understanding the security risks that threaten a Node.js web application is crucial to its success. This course aims to provide practical mitigations you can apply in your own application against those vulnerabilities.
What you'll learn
Since its creation in 2009, Node.js has seen exponential growth in its community of users and the applications they build. With the drive towards a connected society, the need for web applications has never been greater. Yet, despite the push to connect the world as we know it, businesses of all sizes fall victim to data breaches every day. The security risks that a Node.js based web application faces are no different from those of any other web application. This course, Securing Your Node.js Web App, will give you both an understanding of the common web security risks and the ability to apply the proper mitigation in your Node.js web application. First, you'll learn about implementing proper authentication and session management. Next, you'll explore how to protect your MongoDB database from injection attacks and how to handle untrusted data, the root of many of the risks you'll look at. Finally, you'll wrap up by learning how to control application and user authorization to key access areas, and the benefits of serving your application over HTTPS. By the end of this course, you'll be on your way to building a significantly more secure Node.js web application.
Table of contents
- Overview 2m
- The Problem with Password Storage 6m
- Introduction to Bcrypt 2m
- Implementing Bcrypt 10m
- Password Strength, the Missing Ingredient 7m
- Enforcing Validation Rules with Express-validator 8m
- Enforcing Validation at the Database level with Mongoose 2m
- Brute-force Safeguards 1m
- Brute-force Mitigation with Delayed Responses 3m
- Tracking Failed Logins 8m
- Mitigating Parallel Brute-force Attacks 3m
- Transport Layer Security 3m
- Summary 1m
- Overview 3m
- The Problem with Session IDs 1m
- Protecting the Session ID 8m
- Time-limited Sessions 5m
- Session Fixation 1m
- Regenerating Sessions on Authentication 2m
- The Problem with Session Cookies 3m
- Protecting Session Cookies with the HTTPOnly Flag 3m
- Using Transport Layer Security to Secure Session Cookies 2m
- The Problem with Mixed Content 2m
- Protecting Session Cookies with the Secure Flag 3m
- Re-authorization on Key Access Areas 1m
- Summary 1m
- Overview 2m
- Principle of Least Privilege 4m
- The Problem with Database Access 2m
- Overview of MongoDB Access Control 3m
- Implementing MongoDB Access Control 6m
- Role Based Access Control 2m
- Function Level Controls (with RBAC) 10m
- Server-side Function Level Control Failure 3m
- Access Control Misconfiguration 4m
- Summary 1m
- Overview 2m
- Demo: Cross-site Scripting 4m
- Identifying XSS with Netsparker 4m
- Anatomy of Cross-site Scripting Attack 4m
- Reflective Cross-site Scripting 2m
- Persistent Cross-site Scripting 5m
- DOM Based Cross-site Scripting 2m
- Introduction to Content Security Policies 4m
- Implementing Content Security Policies 2m
- Enabling Cross-site Scripting Protection Filter 5m
- Cookies Protection 8m
- Escaping Untrusted Data 8m
- Sanitizing and Validation of Untrusted Data 5m
- Summary 2m