Suggestion - Security Libraries and links
Nice series. I hope to see more soon.
I do not know how you imagine the future of the application will be, but in spite of that I would like to share here a little list of some libraries that I have found to be very useful for Node security. I will assume that you will use sessions to authenticate and possibly tokens to reset passwords:
- Helmet - https://www.npmjs.com/package/helmet. "... Helmet helps you secure your Express apps by setting various HTTP headers. It's not a silver bullet, but it can help!..."
- csurf - https://www.npmjs.com/package/csurf. "... Node.js CSRF protection middleware..."
- keygrip - https://www.npmjs.com/package/keygrip. "... Keygrip is a node.js module for signing and verifying data (such as cookies or URLs) through a rotating credential system, in which new server keys can be added and old ones removed regularly, without invalidating client credentials...". Can be used easily with cookie-session: https://github.com/expressjs/cookie-session#using-a-custom-signature-algorithm
As for JWT, I usually like to share this video, which I think is very illustrative (maybe too much...): JSON Web Tokens Suck - Randall Degges (DevNet Create 2018) - https://www.youtube.com/watch?v=JdGOb7AxUo0. There are some use cases for JWT at the end :)
Being dependent on too many libraries is not the most reliable thing, but they, nonetheless, can give some direction and awareness to problems and solutions.
Here is an interesting link: OWASP Top 10 Most Critical Web Application Security Risks - 2017 - https://github.com/OWASP/Top10/blob/master/2017/OWASP%20Top%2010-2017%20(en).pdf
Great suggestions, @audiBookning! I was definitely going to use helmet and csurf for security. But as far as sessions go, I'd prefer to keep them server-side, so I'd use express-session instead of cookie-session. Also, it signs cookies with the built-in crypto module already, though keygrip might as well come in handy for password resets. I guess we'll see. Thanks for your notes!