Introduction
API security means protecting the confidentiality and integrity of the APIs we build and consume. Most companies now use APIs to connect services and move data between them, so an API that is exposed or compromised usually means a data breach. The level of protection an API needs therefore depends on the sensitivity of the data it handles. In this article I introduce a few npm packages that help Express applications avoid common security problems.
1. Using Helmet
Helmet.js is a Node.js module that sets (or removes) HTTP response headers. It is used as Express middleware and mitigates attacks such as Cross-Site Scripting (XSS) and clickjacking by telling the browser what a page is allowed to do. It complements input validation and output encoding rather than replacing them.
Why is protecting HTTP headers important?
Most developers ignore HTTP headers. Yet headers can reveal the server software and its version, and missing headers leave the browser's own defences switched off, which is why a tool like Helmet.js that sets the protective headers in one place is so useful.
Important Helmet.js modules
- X-Frame-Options: prevents clickjacking by forbidding the page from being displayed inside an iframe on another origin (Helmet sets SAMEORIGIN by default; the CSP frame-ancestors directive is the modern equivalent).
- Content-Security-Policy: restricts where scripts, styles and other resources may be loaded from, so an injected inline script does not execute. Helmet ships a restrictive default policy that you will usually need to tune for your application.
- Cache-Control: disables client-side caching of sensitive responses. Current Helmet releases no longer include the old noCache middleware, so set this header yourself on routes that return sensitive data.
- Expect-CT: asked browsers to enforce Certificate Transparency for the site's TLS certificate. Browsers now require CT anyway, the header is deprecated, and recent Helmet versions no longer set it.
- X-Powered-By: Express adds this header with the framework name; Helmet removes it so the server does not advertise its stack (app.disable('x-powered-by') achieves the same).
- X-XSS-Protection: controlled the legacy XSS filter in older browsers. Because that filter could itself be abused to create vulnerabilities, Helmet now sets it to 0 (off) rather than enabling it.
- Strict-Transport-Security (HSTS): forces the browser to use HTTPS for the domain for the given max-age. Only send it once every path is reachable over HTTPS, because the browser will refuse plain HTTP for that long.
To get started with Helmet.js, install the module and mount it in your Express application before your routes so that every response carries the headers.
const helmet = require('helmet');
const express = require('express');
const app = express();
app.use(helmet()); // mounts all of Helmet's default header middlewares; keep it above app.get/app.post
2. Safe use of cookies
To stop cookies from becoming a weak point in the application, do not use the framework's default session cookie name (it tells an attacker which stack you run) and set the cookie attributes deliberately instead of relying on defaults.
Common cookie problems
If cookies are not set correctly they leak: without HttpOnly an injected script can read the session cookie, without Secure it travels in cleartext over HTTP, and with a broad Domain or Path it is sent to hosts and routes that never needed it. Setting the attributes precisely mitigates these risks.
Recommended settings
- secure: send the cookie only over HTTPS.
- httpOnly: hide the cookie from client-side JavaScript (document.cookie), which blunts session theft through XSS.
- domain: scope the cookie to the host that needs it; a broad domain sends it to every subdomain.
- path: limit the URL paths for which the cookie is sent. The value must begin with "/"; browsers ignore a Path that does not.
- expires: set an expiry for persistent cookies so that a stolen cookie does not work forever; omit it for a session cookie that is discarded when the browser closes.
const session = require('cookie-session');
const express = require('express');
const app = express();
const expiryDate = new Date(Date.now() + 60 * 60 * 1000); // 1 hour
app.use(session({
  name: 'session',
  keys: ['key1', 'key2'], // placeholders: use long random secrets loaded from configuration
  // cookie-session takes the cookie attributes as top-level options; a nested
  // cookie: {} object (express-session style) is silently ignored
  secure: true,
  httpOnly: true,
  domain: 'example.com',
  path: '/foo/bar', // must begin with "/"
  expires: expiryDate
}));
3. Prevent NoSQL injections
NoSQL injection targets applications that build database queries directly from request data. With MongoDB the attacker typically submits a JSON object where a string was expected, for example {"password": {"$gt": ""}}, so that a query operator ends up inside the query and matches documents it should not. The result is usually an authentication bypass or the extraction of sensitive information.
Solution
The package express-mongo-sanitize strips keys that begin with $ or contain a dot from req.body, req.query and req.params before your handlers run, so query operators cannot be smuggled in through request data. It is a good first layer; checking that each field has the type you expect is still necessary.
$ npm install express-mongo-sanitize
const mongoSanitize = require('express-mongo-sanitize');
app.use(mongoSanitize()); // mount after the body parser and before your routes
4. Prevent ReDoS attacks
Regular expression Denial of Service (ReDoS) exploits patterns whose matching time grows exponentially on crafted input, typically nested unbounded repetition such as (a+)+. Because Node's regex engine backtracks on the event-loop thread, a single such request can stall the whole process. The safe-regex tool checks a pattern for this shape (a star height greater than 1). It is a heuristic that misses some unsafe patterns, so treat a pass as necessary rather than sufficient, and never compile user-supplied patterns at all.
Example
var safe = require('safe-regex');
var regex = process.argv.slice(2).join(' '); // pattern taken from the command line
console.log(safe(regex)); // true when star height <= 1, false for a pattern such as (a+)+
5. Prevent CSRF attacks
Cross-Site Request Forgery (CSRF) lets an attacker's page make the victim's browser send a state-changing request to your application with the victim's cookies attached. The csurf module implements the synchronizer token pattern: it issues a per-session token that every form or XHR must send back, and an attacker's page cannot read that token. Two caveats: csurf was deprecated and archived by the Express team in 2022, so it still works but no longer receives fixes; and it must be mounted after session middleware or cookie-parser, otherwise it throws "misconfigured csrf" at startup.
const cookieParser = require('cookie-parser');
const csrf = require('csurf');
app.use(cookieParser()); // csurf needs a session or cookie-parser mounted first
app.use(csrf({ cookie: true })); // then render req.csrfToken() into each form as the _csrf field