DEV Community: Arowolo Ebine

Securing Node.js in Production: Expert Practices for Every Developer

Arowolo Ebine — Thu, 21 Mar 2024 07:48:19 +0000

As web development keeps evolving, ensuring the security of your Node.js application becomes critical. This detailed guide steps beyond elementary suggestions, offering a closer look at advanced security techniques for Node.js setups.

Operating Without Root Privileges: A Must-Do Running Node.js or any web server as a root user poses a significant security risk. A single exploit could grant attackers complete control over the server. Instead, configure your environment to run with minimal privileges.

Implementation Insight:

Creating a dedicated user for your Node.js application restricts potential damage in the event of a compromise.

Creating a non-root user for Node.js service

adduser --disabled-login nodejsUser
Switch to this user before starting your application to ensure it runs with limited permissions.

Keeping NPM Libraries Up-to-Date: The First Line of Defense Dependencies in the Node.js ecosystem can be a double-edged sword. While they significantly accelerate development, they can also introduce vulnerabilities.

Implementation Insight:

Use npm audit for a quick vulnerability scan and fix issues automatically with npm audit fix. Integrate Snyk for continuous monitoring and protection.

Updating packages and fixing vulnerabilities

npm update && npm audit fix
Snyk Integration:

Snyk offers a proactive approach to dependency security, scanning for vulnerabilities and providing fixes or workarounds.

Installing Snyk CLI and scanning your project

npm install -g snyk
snyk auth
snyk test
Automate this process in your CI/CD pipeline to ensure continuous security.

Customizing Cookie Names: Obscuring Tech Stack Details Default cookie names can inadvertently disclose your application’s underlying technologies, making it easier for attackers to tailor their exploits.

Implementation Insight:

Change default session cookie names to something unique and unrelated to the technology or framework used.

const express = require('express');
const session = require('express-session')
app.use(session({
// set a custom name for the session cookie
name: 'siteSessionId',
// a secure secret key for session encryption
secret: 'complex_secret_key',
// Additional session configurations...
}));

Implementing Secure HTTP Headers with Helmet: Bolstering Defense Secure HTTP headers are crucial for protecting your app from various types of attacks like XSS, clickjacking, and other cross-site injections.

Implementation Insight:

Helmet.js is a middleware that sets secure HTTP headers out of the box. Customize it to suit your application’s needs.

The helmet() middleware automatically removes unsafe headers and adds new ones, including X-XSS-Protection, X-Content-Type-Options, Strict-Transport-Security, and X-Frame-Options. These enforce best practices and help protect your application from common attacks.

const helmet = require('helmet');

app.use(helmet({
// Custom helmet configuration here
}));
Regularly review your headers’ security using tools like the Mozilla Observatory.

Rate Limiting: Preventing Abuse Rate limiting is essential for protecting your application against brute-force attacks and DDoS by limiting the number of requests a user can make in a given timeframe.

Implementation Insight:

Utilize libraries like express-rate-limit for easy rate-limiting setup.

const rateLimit = require('express-rate-limit');

const limiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 100, // Limit each IP to 100 requests per windowMs
});

app.use(limiter);
Configure thresholds based on normal user behavior and adjust as necessary.

Enforcing Strong Authentication Policies: Beyond Passwords Authentication mechanisms are often targeted by attackers. Implementing robust authentication methods is critical for securing user accounts.

Implementation Insight:

Implement bcrypt for secure password hashing.
Enforce password complexity requirements.
Utilize multi-factor authentication (MFA) to add another layer of security.
const bcrypt = require('bcrypt');
const saltRounds = 10;

// Hashing a password
bcrypt.hash('userPassword', saltRounds, function(err, hash) {
// Store hash in your password database.
});
Educate users on the importance of strong passwords and provide support for MFA.

Minimizing Error Details: Avoiding Information Leakage Verbose error messages can provide attackers with insights into your application’s architecture, facilitating targeted attacks.

Implementation Insight:

Ensure that production environments do not expose stack traces or detailed error messages to users.

app.use((err, req, res, next) => {
res.status(500).json({ error: "Internal Server Error" });
});
Log detailed errors server-side for debugging, keeping user-facing messages generic.

Vigilant Monitoring: Keeping an Eye on Your Application Monitoring is crucial for detecting and responding to security incidents in real time.

Implementation Insight:

Integrate Application Performance Monitoring (APM) tools to track application behavior and identify anomalies indicative of security breaches.

const apmTool = require('apm-tool-of-choice');

apmTool.start({
// Configuration options
});
Choose a tool that suits your stack and provides comprehensive insights into both performance and security aspects.

Embracing HTTPS-Only Policy: Encrypting Data in Transit HTTPS ensures that data between your server and the user is encrypted, protecting it from eavesdropping and man-in-the-middle attacks.

Implementation Insight:

Redirect all HTTP traffic to HTTPS and ensure that cookies are set with the Secure attribute.

app.use((req, res, next) => {
if (!req.secure) {
return res.redirect(https://${req.headers.host}${req.url});
}
next();
});
Use tools like Let’s Encrypt to obtain free SSL/TLS certificates.

Validating User Input: Shielding Against Injection Validating and sanitizing user input is fundamental to preventing injection attacks, such as SQL injection, XSS, and more.

Implementation Insight:

Employ libraries express-validator to define validation rules for user inputs.

const { body, validationResult } = require('express-validator');

app.post('/register', [
body('email').isEmail(),
body('password').isLength({ min: 5 })
], (req, res) => {
const errors = validationResult(req);
if (!errors.isEmpty()) {
return res.status(400).json({ errors: errors.array() });
}

// Proceed with registration logic
});
Define strict validation rules based on the expected format of the data.

Leveraging Security Linters Use tools to automatically spot potential security risks in your code.

Short Implementation Guide:

Choose a Linter: ESLint, combined with the eslint-plugin-security, offers a focused approach to identifying security risks in Node.js code.
Setup: Install ESLint and the security plugin.
Configure ESLint: Modify your .eslintrc to use the security plugin.
Scan Your Code: Execute ESLint to uncover and address security concerns.
Integrate with Development Workflow: Embed linting into your regular development practices to catch and rectify issues promptly.
npm install eslint eslint-plugin-security --save-dev
{
"extends": ["eslint:recommended", "plugin:security/recommended"],
"plugins": ["security"]
}
npx eslint .
By integrating security linters into your workflow, following user input validation, you create an additional layer of defense, ensuring your code is not only safe from common injection attacks but also from other potential vulnerabilities identified through static code analysis.

Conclusion
Securing a Node.js application is an ongoing process that involves multiple layers of defense. By implementing the practices outlined in this guide, you can significantly enhance the security posture of your Node.js applications. Stay informed about the latest security threats and continuously update your security practices to protect against evolving risks.

How to Implement a CI/CD pipeline with GitHub Actions in four simple steps In Your Repo.

Arowolo Ebine — Tue, 27 Feb 2024 12:46:04 +0000

How to Implement a CI/CD pipeline with GitHub Actions in your repository.

Continuous Integration / Continuous Delivery (CI/CD) has long been—and continues to be—the domain of DevOps experts. But with the introduction of native CI/CD to GitHub in 2019 via GitHub Actions, it’s easier than ever to bring CI/CD directly into your workflow right from your repository.

If you’re using Git, GitHub, and GitHub Actions to build a CI/CD pipeline, you should have confidence in your code.

I’m going to walk you through exactly how to build your own CI/CD pipeline, right from your repository on GitHub.

A CI pipeline runs when code changes and should make sure all of your changes work with the rest of the code when it’s integrated. It should also compile your code, run tests, and check that it’s functional. A CD pipeline goes one step further and deploys the built code into production.

There are plenty of guided options with pre-built CI workflows you can leverage, per your technology requirements. But you can also build your own CI workflow from scratch if you want to.

To begin building your CI/CD pipeline, open the GitHub Actions tab in your repository’s top navigation bar. You should see a list of CI/CD and workflow automation templates that match the technology of your project.

For your project, you'll leverage a few different CI/CD workflows to test, build, stage, and deploy your code. These include:

A development workflow: This workflow runs through a few different jobs whenever a pull request is opened, edited, synchronized, or reopened. These jobs include setting up Node, installing npm packages and dependencies, running npm test, and cycling through a number of lint jobs too
** A CodeQL Analysis workflow:** This workflow runs a series of CodeQL security tests on our code after we merge it to the main branch to ensure there are no known vulnerabilities. This involves YAML.file. It’s super simple, but effective and something I’d highly recommend.
A deployment workflow: This workflow deploys any UI component changes to our production website.
A release and build workflow: This workflow runs tests and enforces lint after releasing code changes to Docker and building the application. It also deploys the final code to our production environment, cuts a release using a similar structure to the automated release notes, bundles the site into a container and publishes to ghcr. From there, it bumps the version number and tag in the repository.

Building a Secure REST API in Node.js: Best Practices for Web Developers

Arowolo Ebine — Tue, 27 Feb 2024 11:58:16 +0000

What is a REST API?
Before we dive into the nitty-gritty of securing a REST API in Node.js, let’s start by understanding what a REST API is. REST, or Representational State Transfer, is an architectural style for designing networked applications. A REST API is a set of rules and conventions used for building and interacting with web services. It operates based on principles such as statelessness, client-server communication, and the use of uniform resource identifiers (URIs).

Securing Your REST API in Node.js
Step 1: Setting Up Your Development Environment
Before we begin, ensure you have Node.js and npm (Node Package Manager) installed on your system. You can download them from the official Node.js website. Additionally, consider using a version control system like Git to track your code changes.

Step 2: Installing Necessary Packages
To create a secure REST API in Node.js, you will need various packages. Let’s start by installing them using npm:

npm init -y
npm install express mongoose body-parser cors helmet jsonwebtoken
Here’s a brief overview of the packages:

express: A web framework for creating RESTful APIs.

mongoose: An Object Data Modeling (ODM) library for MongoDB.

body-parser: Middleware for parsing request bodies.

cors: Middleware for enabling Cross-Origin Resource Sharing.

helmet: Middleware for adding security headers.

jsonwebtoken: A package for working with JSON Web Tokens (JWT) to implement authentication.

Step 3:** Building the Express Application**
Create a new file called app.js and set up your Express application:

const express = require('express');
const router = express.Router();
// Define your user-related routes here
module.exports = router;
To use these route files in your main app.js, require and use them as follows:

const userRoutes = require('./routes/userRoutes');
app.use('/users', userRoutes);
Implementing Authentication with JSON Web Tokens (JWT)
Securing your REST API involves authenticating users. We’ll use JSON Web Tokens (JWT) to achieve this. Below is a simplified example of how to create and verify JWTs:
`
Create a file called auth.js:

const jwt = require('jsonwebtoken'); const generateToken = (user) => { const secret = 'your-secret-key'; return jwt.sign({ userId: user._id }, secret, { expiresIn: '1h' }); }; const verifyToken = (token) => { const secret = 'your-secret-key'; return jwt.verify(token, secret); }; module.exports = { generateToken, verifyToken };
Protecting Your Routes
Protecting routes ensures that only authorized users can access specific endpoints. To do this, create a middleware for route protection. Here’s an example of protecting a route:

Create a file called authMiddleware.js:

const { verifyToken } = require('../auth'); const requireAuth = (req, res, next) => { const token = req.headers.authorization; if (token) { try { const user = verifyToken(token); req.user = user; next(); } catch (error) { res.status(401).json({ error: 'Invalid token' }); } } else { res.status(401).json({ error: 'Token not provided' }); } }; module.exports = { requireAuth };
Apply this middleware to your protected routes, as shown below:

In the routes/userRoutes.js file:

const { requireAuth } = require('../middleware/authMiddleware');
router.get('/profile', requireAuth, (req, res) => {
// Protected route logic
});`

Error Handling
Proper error handling is essential for providing clear and secure error responses to clients. Create an error handler middleware to handle errors gracefully. Here’s an example of an error handler:

Create a file called errorMiddleware.js:

`const handleErrors = (err, req, res, next) => {
console.error(err);
res.status(500).json({ error: 'Something went wrong' });
};
module.exports = { handleErrors };
Include this error handler in your main app.js:

const { handleErrors } = require('./middleware/errorMiddleware');
app.use(handleErrors);
`

Adding Security Headers
To enhance the security of your REST API, use the helmet middleware to add security headers. These headers help prot`ect your API from common security vulnerabilities. Fortunately, the helmet middleware is already included in your Express setup.

Input Validation
Preventing security vulnerabilities like SQL injection and cross-site scripting (XSS) is critical. Implement input validation using libraries like Joi or express-validator. These libraries help validate incoming data to ensure it's safe.

Enabling HTTPS Encryption
To secure data transmission between your API and clients, always use HTTPS with SSL/TLS certificates. Tools like Let’s Encrypt provide free SSL certificates, making it easier than ever to enable HTTPS.

Conclusion:
Developing a secure REST API in Node.js is a pivotal step towards building web and mobile applications that prioritize data security. By following the steps outlined in this guide, which include setting up your development environment, installing necessary packages, defining routes, implementing authentication, and applying security best practices, you can create a secure REST API that users can trust.

How to use JWT for Authentication in Node.Js

Arowolo Ebine — Thu, 05 Jan 2023 20:05:18 +0000

JWT is a method or standard way of securely transferring or transmitting between two parties as a json token.

The compressed size of the tokens easily make it to be transmit and transfer through an URL (POST), or inside an HTTP header. The information is contained in a digitally signed using a Secret_key usually in an environment.

JWTs are using a secret or private key to sign in.

So, JWTs are mainly used for authentication. When a user login in to an application, the application then assigns and apportions JWT token to that user. Subsequent requests by the user will include the assigned JWT. This token tells the server what routes, services, and resources the user is allowed to access.

The JWT token is mainly for these followings:
It provides simple verification through a JSON Web Token
It is use an authentication service or outsource it
It provides more security and trustworthiness than cookies or sessions

So, let us dive to how to construct it with our application.

first, you need to create a server like this.
create a directory call jwtauth. you can call yours any name.

in it. when opened in the terminal, I preferred VSCode, initialise it, I'm using Express.js as a framework.
npm init -y

and then, you can now install the necessary packages e.g. express, jsonwebtoken, dotenv, etc.

npm install express dotenv jsonwebtoken

so, after the installation of the above.

let us create a folder that would housing JWT as a middleware.
middleware/jwtauth.js

and then, create a controller and route.
controller/user.controller.js
this is for the user to login and when successfully login in, it will generate token.

after you successfully constructed the login logic as you can see the user has 30mins for the jwt token to be expired.

Now, let us create the route file.
routes/user.router.js

Let us try to login using Postman.

What is a CRUD?

Arowolo Ebine — Sat, 27 Aug 2022 22:48:28 +0000

In this my concise article, you will understand the different between CRUD and RESTFul API.

When building an API, we want our model to provide four basic functionalities which are the four major functions
used to interact with database applications in which we refer to as create, read, update, and delete
resources known as CRUD. This CRUD is essential operations needed in building an endpoint API.

RESTful APIs most commonly utilize HTTP requests. Four of the most common HTTP methods in a REST environment are GET, POST,
PUT, and DELETE, which are the methods by which a developer can create a CRUD system.

Create: Use the HTTP POST method to create a resource in a REST environment

Read: Use the GET method to read a resource, retrieving data without altering it

Update: Use the PUT method to update a resource

Delete: Use the DELETE method to remove a resource from the system


NAME        DESCRIPTION                                                                 SQL EQUIVALENT
Create      Adds one or more new entries.                                               Insert
Read        Retrieves entries that match certain criteria (if there are any).           Select
Update      Changes specific fields in existing entries.                                Update
Delete      Entirely removes one or more existing entries.                              Delete

How To Send Email Using NodeMailer in NodeJs

Arowolo Ebine — Fri, 12 Aug 2022 04:04:00 +0000

For you to send an email in nodejs, you will need the NodeMailer. Nodemailer is a module that enable you
to send email without hassle easily through the Simple Mail Transfer Protocol(SMTP) which allows sending
of messages within servers.

Most email systems that sendi mail over the Internet supports and allows SMTP.
So, SMTP is the main Transport that NodeMailer use to send mail.

In this article, you will understand how to send email through NodeMailer using your Gmail Account.

Ok, Now, let us create a project and

npm init -y

after that we will need the following packages, Nodemailer and Express and nodemon. let us install them with this command.

npm i --save nodemailer express

in order not to continue run our server everytime we make changes to our files, we need to install Nodemon to keep our
server running.

npm i --save-dev nodemon

In the root directory, create one js file called index.js

// index.js

const express = require('express'),
const path = require('path'),
const nodeMailer = require('nodemailer');

const app = express();

also, create a file that housing your secret keys called .env known as environment variable

// .env

PORT = 3540
EMAIL = ebiscoui23@gmail.com
PASSWORD = @#R!*9ewbd32~(

   const port = process.env.PORT || 4300


   app.listen(port, function(req, res){
      console.log(`Server is running on localhost:${port}`);
    });

This is just to start our project. another thing we need to do is that we need to modify the start script in a package.json file.

// package.json

"scripts": {
    "start": "nodemon index"
  },

So, when we have to start the node server, we need to write the following command.

npm start

Then if we change the file, it will continue restart the server automatically.

The Uses EJS as a templating engine.
We need to install a templating engine called ejs(embedded javascript) by typing the following command.

npm i --save ejs

Create one directory in the root folder called the public.

// in index.js do these

app.set('view engine', 'ejs');
app.use(express.static('public'));

Now we have setting an ejs templating engine for our application to serving static files from the public directory.

Also, we need to create a directory called Views in the root folder. In it, create a file called index.ejs.

// index.ejs

<!DOCTYPE html>
<html>
  <head>
    <meta charset="utf-8">
    <title>Nodemailer</title>

  </head>
  <body>
    <div class="container">
      <div class="seyi">
        Sending Email using NodeMailer
      </div>
    </div>

    <div class="container"><br />
      <h1>Send The Email</h1><br />
      <form action="/send-email" method="post">
        <div class="row">
            <label for="to">To:</label>
            <input type="email" class="form-control" name="to">
          </div>

        <div class="row">
            <label for="subject">Subject:</label>
            <input type="text" class="form-control" name="subject">
        </div>

        <div class="row">
              <label for="body">Body:</label>
              <textarea cols="5" rows="5"class="form-control" name="body"></textarea
        </div>

        <div class="row">
            <button type="submit" class="btn btn-success">Send</button>
        </div>
      </form>
    </div>
  </body>
</html>

You can give this to the front guys to style it for you.

After that let come back to index.js to create one route for the home page by typing the following code.

// index.js

app.get('/',  (req, res) {
   res.render('index');
});

You can start the server by the following command.

npm start

It will start at port 3000. Switch to the URL: http://locahost:3540

Now to send email in expressjs
before that, nonetheless, we need to install the body-parser package to get all the field data on the server side.

So, use this command to install it

npm i body-parser --save

Now, let make use this package in our express framework.

// index.js

const bodyParser = require('body-parser');

app.use(bodyParser.urlencoded({extended: true}));
app.use(bodyParser.json());

The next thing is to create a route for the post request sent by form and handle its data.
So, our final server.js file will look like this.

// index.js

const bodyParser = require('body-parser');

const app = express();



    app.set('view engine', 'ejs');
    app.use(express.static('public'));
    app.use(bodyParser.urlencoded({extended: true}));
    app.use(bodyParser.json());

Now, Let us write a function that would use to send the email.

    app.post('/send-email',  (req, res) {
      const transporter = nodeMailer.createTransport({
          host: 'smtp.gmail.com',
          port: 465,
          secure: true,
          auth: {
              user: process.env.EMAIL,
              pass: process.env.PASSWORD,
          }
      });
      const messages = {
          from: process.env.EMAIL,
          to: req.body.to,
          subject: req.body.subject,
          text: req.body.body,
      };

      transporter.sendMail(messages, (error, info) => {
          if (error) {
              return console.log(error);
          }
          console.log('Message %s sent: %s', info.messageId, info.response);
              res.render('index');
          });
      });

Now, let me show you how to generate PASSWORD(Token) from Gmail account. Please, don't use your normal password but you need to login
with normal password to generate the token.

When you login into your Gmail account. Type APP PASS in the search bar. it will pop up where you will generate the token.
Here, I have shown you how to send the email via Gmail. You can use any other host. First, you need to grab their API keys.

Thanks for reading

How To Resolve Git Conflicts{Merge}

Arowolo Ebine — Sat, 06 Aug 2022 08:38:00 +0000

Git is one of the most common source-control systems that enable software developers in all industries,
enabling multiple team members or colleagues to work concurrently and simultaneously on projects. This is known as Version control systems
which are all about managing contributions between multiple distributed developers.

So,since many users are simultaneously working from different places on the same file, however, this may end up with a merge conflict. This article explains the basics of Git merge
conflicts and this is where Git merge command is involve to resolving a Git merge conflict.

I would like to show the common git commands used to resolve merge conflict.

Basic Git Commands are:

git init
git add 
git commit
git status
git merge
git push
git pull
git reset
git checkout
git diff

Conflicts in Git environment generally arise when two people have changed the same lines in a file, or if one developer deleted a file while another developer was modifying it. In these cases, Git cannot automatically determine what is correct.

So, this Conflict is only made known to the team that conducting the merge, the rest of the team is unaware of the conflict.
Git will mark the file as being conflicted and halt the merging process. It is then the developers' responsibility
to resolve the conflict.

Categories of merge conflicts
When contemplate of resolve merge conflict, know that there are two stages involved at a separate points.
When starting and during a merge process.

Starting the Merge Process:
In this case, if there are changes in the PWD (working directory) in the current project, merging won’t start.
So, conflicts happen due to pending changes that need to be stabilized using the Git commands.
During the Merge Process:
In this stage failure indicates that there is a conflict between the local branch and the remote branch during the merge process.
In this case, Git resolves as much as possible, but there are things that have to be resolved manually in the conflicted files.

Now, let us look at how to resolve it.

How to Resolve Merge Conflicts in Git?
These are a few steps needed to resolve merge conflicts in Git.

Open the conflicted file and make any necessary changes.
After edit and make the necessary change in the file, we can make use of the git add. a command to stage the new merged content.
The final step is to create a new commit with the use of git commit command.
Then, Git will create a new merge commit to complete the merge.

Let us now look at the Git commands that perhaps we may use to resolving the conflict.

1. git log --merge 
This command helps to populate the list of commits that are causing the conflict.

2. git diff 
This helps to identify the differences between the states repositories or files.

3. git checkout 
It is used to undo the changes made to the file, or for changing branches.

4. git reset --mixed 
It also is used to undo changes to the working directory and current folder

5. git merge --abort
This command helps in exiting the merge process and returning back to the state before the merging began.

6. git reset
It is used at the time of merge conflict to reset the conflicted files to their original state.

THE BEST TWO WAYS TO SECURED YOUR WEB APP

Arowolo Ebine — Wed, 03 Aug 2022 07:37:00 +0000

THE BEST TWO WAYS TO SECURED YOUR WEB APP:

Validate User Inputs:

Accordingly, Injection-based attacks can come in so many ways; XSS, SQL injections, host header injection, and OS command injection are a few examples of these attacks.

Therefore, Injection-based attacks have over the years made their way into the OWASP (Open Web Application Security Project) and SANS Top 25 CWE (Common Weakness Enumeration) many times.

So, in the web development, we need to validate all inputs before the application processes the data to mitigate injection-based attacks.

E.g., the phone number field, Password field, Name field, they must only accept an acceptable format with specific numeric and special characters.

Managing Application Secrets:
This is another crucial way to securitized the web app secret credentials by managing sensitive secrets such as database connection strings, API keys, and credentials is mandatory in any application.
Therefore, we should stop keeping these secrets in the codebase at all costs and follow standard rules and methods to store them.

for example, You can use environment variables within the operating system to store this sensitive information, and we can use Node.js to call these environment variables.

However, there are instances where the application would require more than one variable instantiated. At this juncture, the only best way to manage secrets is to use the dotenv package.

so, you can easily install it using npm or Yarn as follows:

NPM

npm install dotenv

Yarn

yarn add dotenv

Then, create a .env file at the project root and define all the secrets in that file.

NODE_ENV= develpment,
MONGODB_URL = "mongodb_url:uerbsf@kgeyfdop_jhf"
PORT = 3000
USERNAME=secret123
PASSWORD=secret123@

Finally, you can require and use these secrets in the application like below:

require('dotenv').config();

mongoose.connect({
host: process.env.PORT,
username: process.env.MONGODB_URL,
password: process.env.PASSWORD
})

Most importantly, make sure to include .env files in the .gitignore file to prevent them from being pushed to the Git repository.

const animals = ['lion', 'goat', 'frog',]; console.log(animals)

Arowolo Ebine — Wed, 06 Jul 2022 21:01:20 +0000