NodeJS Security & NodeJS Secure Coding’s Blog
https://www.nodejs-security.com/
Master hands-on Node.js security with Node.js Secure Coding education and learn how to defend against JavaScript Command Injection vulnerabilities and gain backend development skills to exploit and prevent Path Traversal attacks by reviewing real-world vulnerable npm packages and insecure code.
フィード
How to Avoid JWT Security Mistakes in Node.js
NodeJS Security & NodeJS Secure Coding’s Blog
Learn how to use JSON Web Tokens (JWT) securely in your Node.js applications. I'll cover the basics of JWT and share best practices to avoid common security mistakes.
1年後
Can a Node.js Secure Code Review Find Future Vulnerabilities?
NodeJS Security & NodeJS Secure Coding’s Blog
Half a dozen secure code review comments and none of them mentioned the potential security vulnerability that exists in the code snippet. Let's dive into a Node.js secure code review and see if you can spot the security bug you totally missed.
16日前
The Okta bcrypt Security Incident and The Bun vs Node.js Angle in Secure By Design
NodeJS Security & NodeJS Secure Coding’s Blog
Even if you follow security best practices and choose bcrypt for password hashing you can still get it wrong. How does Bun handle it in a more secure fashion? What happened with the Okta bcrypt incident? Lets dive in.
1ヶ月前
NodeJS Path Traversal Vulnerability Scanner
NodeJS Security & NodeJS Secure Coding’s Blog
How about a more offensive side of security? Check out a NodeJS path traversal vulnerability scanner.
2ヶ月前
Do not use secrets in environment variables and here's how to do it better
NodeJS Security & NodeJS Secure Coding’s Blog
Stop storing secrets in environment variables. It's a bad practice and only fits hobby or side projects with no real business impact. Here are all the reasons why you should never store secrets in environment variables and how to do it better.
3ヶ月前
How to use npm audit
NodeJS Security & NodeJS Secure Coding’s Blog
Getting started with the npm audit command and learn why it's not enough and how to advance your project's security posture with more robust security tools like Snyk.
3ヶ月前
How to use yarn audit
NodeJS Security & NodeJS Secure Coding’s Blog
Better some security than none at all. If you're using Yarn package manager, learn about `yarn audit` and how to use it to check for vulnerabilities in your dependencies.
3ヶ月前
Raw SQL Queries are Actually Better for Security Than ORMs?
NodeJS Security & NodeJS Secure Coding’s Blog
Have I gone mad? Do I actually recommend not using an ORM and actually gaining a security advantage? Sort of. It's more nuanced but if we're trying to fix SQL injection and related vulnerabilities then I invite you to take a read.
3ヶ月前
Node API Security
NodeJS Security & NodeJS Secure Coding’s Blog
Briefly exploring core concepts around Node API security with regards to GraphQL and REST API design with code examples specific to Node.js application servers.
3ヶ月前
Is Node.js Secure?
NodeJS Security & NodeJS Secure Coding’s Blog
Briefly exploring the Node.js threat model to draw some opinions on whether Node.js is secure or not.
3ヶ月前
URL Regex Validation: what can go wrong?
NodeJS Security & NodeJS Secure Coding’s Blog
Are you using regex to validate URLs? Learn from a CVE identified in the node-forge npm package that was using a regex pattern to validate URLs and resulted in a security vulnerability.
3ヶ月前
Uncovering a Prototype Pollution Regression in the core Node.js project
NodeJS Security & NodeJS Secure Coding’s Blog
Learn how I discovered a Node.js core prototype pollution regression, its security implications, and why it didn't warrant a CVE. Luckily, I also fixed it for us!
4ヶ月前
Deno CLI Vulnerability Repeats npm mistakes: CVE-2024-37150
NodeJS Security & NodeJS Secure Coding’s Blog
A recent security issue in the Deno CLI (CVE-2024-37150) highlights the importance of secure credential handling. Learn how this vulnerability mirrors past npm CLI mistakes and what you can do to stay secure.
4ヶ月前
Security skills for JavaScript developers
NodeJS Security & NodeJS Secure Coding’s Blog
JavaScript developers need security skills to safeguard user data, prevent application breaches, and maintain user trust. Learn about essential security skills for writing secure code and fixing vulnerabilities in JavaScript applications.
5ヶ月前
Understanding and Preventing Prototype Pollution in Node.js
NodeJS Security & NodeJS Secure Coding’s Blog
Learn about Prototype Pollution in Node.js: what it is, how it works, and how to prevent it. Includes real-world examples and security best practices for developers.
5ヶ月前
How to protect against a security breach in React Server Components
NodeJS Security & NodeJS Secure Coding’s Blog
Sasha shares how they inadvertently wrote a React Server Component code that would have resulted in a security breach, if not refactored in time to fix the issue. What can we learn and how to avoid security risks that developers easily repeat, especially as it blurs the line between client-side and server-side React code.
6ヶ月前
IDOR Vulnerability: What is it and how to prevent it?
NodeJS Security & NodeJS Secure Coding’s Blog
Interestingly enough, the IDOR vulnerability type is found as a CVE more commonly in some languages rather than others. Why is that and how can you prevent it?
6ヶ月前
The security vulnerability of serving images via a route as opposed to static middleware in Node.js
NodeJS Security & NodeJS Secure Coding’s Blog
The most upvoted Reddit answer to a question about serving images via a route in Express.js is a security vulnerability waiting to happen.
6ヶ月前
Why is it considered a bad practice to write raw SQL commands?
NodeJS Security & NodeJS Secure Coding’s Blog
Are we going to settle the debate between raw SQL queries and ORMs once and for all? Let's explore the pros and cons of each approach and find the right balance between control and convenience.
7ヶ月前
JS Security Concepts for JavaScript Developers
NodeJS Security & NodeJS Secure Coding’s Blog
Enhance your development workflow with JavaScript security best practices. Learn about Content Security Policy (CSP) in Nuxt.js, avoiding `eval` and `new Function` with untrusted input, secure DOM manipulation, cookie security, and third-party integration.
7ヶ月前
Secure Coding Practices in Node.js Against Path Traversal Vulnerabilities
NodeJS Security & NodeJS Secure Coding’s Blog
Path traversal vulnerabilities were discovered in webpack and backstage npm packages. Learn secure coding practices to prevent path traversal attacks in Node.js applications.
7ヶ月前
Secure JavaScript Coding Practices Against Command Injection Vulnerabilities
NodeJS Security & NodeJS Secure Coding’s Blog
Secure JavaScript coding practices are essential to prevent command injection vulnerabilities in Node.js applications. Learn how to avoid common pitfalls and protect your code from exploitation.
7ヶ月前
To IDOR or Not to IDOR: Insecure Direct Object Reference in JavaScript Applications Explained
NodeJS Security & NodeJS Secure Coding’s Blog
Can you spot an Insecure Direct Object Reference (IDOR) vulnerability in your JavaScript application? Learn what IDOR is, how it can be exploited, and how to prevent it in your code.
7ヶ月前
npm vulnerabilities: reviewing the security of your dependencies
NodeJS Security & NodeJS Secure Coding’s Blog
Learn about recent npm vulnerabilities in popular npm packages and how to protect your applications from security reports disclosed in 2024.
8ヶ月前
Disclosing code injection vulnerabilities in safe-eval-2 npm package
NodeJS Security & NodeJS Secure Coding’s Blog
A project fork is not without risks, and this time it's the safe-eval-2 npm package that is vulnerable to code injection attacks.
8ヶ月前
Introducing Node.js Security Permissions Model, Threat Model, and Security Releases
NodeJS Security & NodeJS Secure Coding’s Blog
Learn how to secure your Node.js applications with the new Permissions Model, stay informed about security releases, and understand the Node.js Security Threat.
8ヶ月前
Common Node.js Security Issues and How to Mitigate Them
NodeJS Security & NodeJS Secure Coding’s Blog
Learn about common Node.js security issues and how to mitigate them. This blog post covers Denial-of-Service (DoS) attacks, DNS rebinding attacks, unintended package publication, information exposure via timing attacks, and command injection vulnerabilities.
8ヶ月前
How JavaScript developers should embrace npm security
NodeJS Security & NodeJS Secure Coding’s Blog
The npm ecosystem is a minefield of security risks. How can JavaScript developers protect from these threats and adopt npm security best practices? Here's how.
8ヶ月前
The XZ backdoor CVE-2024-3094: a JavaScript perspective
NodeJS Security & NodeJS Secure Coding’s Blog
The XZ backdoor CVE-2024-3094 already happened in JavaScript 5 years ago but now the xz and liblzma malware bundled onto Linux distributions is bringing forth a world-wide threatening event in cybersecurity that jeopardizes the trust, sustainability and security concerns in the open-source ecosystem.
9ヶ月前
Node.js Security Best Practices
NodeJS Security & NodeJS Secure Coding’s Blog
Level up your Node.js security game! This guide explores essential best practices to safeguard your server-side code and build robust, secure applications.
9ヶ月前
The Case for Node.js Secure Configuration
NodeJS Security & NodeJS Secure Coding’s Blog
How do you maintain Node.js secure configuration? Learn how to protect your Node.js applications from vulnerabilities and unauthorized access.
9ヶ月前
Protecting Against Common Node.js Vulnerabilities
NodeJS Security & NodeJS Secure Coding’s Blog
Node.js applications can be vulnerable to issues like command injection, path traversal, and insecure APIs. Learn how to avoid these common Node.js security pitfalls.
10ヶ月前
Input Validation Security Best Practices for Node.js
NodeJS Security & NodeJS Secure Coding’s Blog
Building secure node.js applications starts with applying essential input validation best practices and techniques to prevent common security vulnerabilities.
10ヶ月前
A Node.js Vulnerability Scanner to Avoid Security Risks of EOL Runtime Versions
NodeJS Security & NodeJS Secure Coding’s Blog
Don't let vulnerabilities slow you down: Introducing is-my-node-vulnerable, the Node.js vulnerability scanner. Securing your Node.js applications in production is crucial. This blog post explores is-my-node-vulnerable, a free and easy-to-use scanner developed by Node.js expert Rafael Gonzaga.
10ヶ月前
JavaScript Security Issues in Node.js Applications
NodeJS Security & NodeJS Secure Coding’s Blog
Introducing JavaScript security issues in Node.js applications such as Cross-site Scripting (XSS) and Content Security Policy (CSP).
1年前
OWASP Node.js Authentication, Authorization and Cryptography Practices
NodeJS Security & NodeJS Secure Coding’s Blog
Properly implementing authentication and authorization is crucial for securing Node.js apps. This section covers guidelines like proper session management, password hashing, and attack prevention.
1年前
OWASP Node.js Best Practices Guide
NodeJS Security & NodeJS Secure Coding’s Blog
Learn how to secure Node.js applications with OWASP's comprehensive best practices guidelines and practical techniques for authentication, authorization, cryptography, input validation, and more.
1年前
Secure JavaScript Coding to Avoid Insecure Direct Object References (IDOR)
NodeJS Security & NodeJS Secure Coding’s Blog
Insecure direct object references (IDOR) are an important web application security concept that every developer should understand. IDOR vulnerabilities allow attackers to access unauthorized data and functionality by manipulating object identifiers used in web applications. In this post, I'll explain IDORs and provide examples to help you prevent these issues in your Node.js and JavaScript server-side applications.
1年前
North Korea malware on npm and Ledger connect-kit crypto heist
NodeJS Security & NodeJS Secure Coding’s Blog
North Korean state hackers compromise npm supply chain with malicious packages; crypto thieves exploit Ledger Connect kit library published to npm, stealing $600k before detected; incident highlights risks of uncontrolled open source usage and need for better validation, monitoring of third party code.
1年前
10 Best Practices for Secure Code Review of Node.js code
NodeJS Security & NodeJS Secure Coding’s Blog
Learn best practices and strategies to identify and prevent command injection vulnerabilities in your JavaScript projects. Discover the power of secure code reviews, secure API usage, and Node.js-specific tips. Explore further with our book, 'Node.js Secure Coding: Defending Against Command Injection Vulnerabilities,' and fortify your skills.
1年前
Node.js and OWASP Top Ten Command Injection: Don't Let Your App Go 'BOOM'
NodeJS Security & NodeJS Secure Coding’s Blog
Exploring the OWASP Top Ten list, and dissecting how Node.js applications can fall prey to command injection attacks. With practical insights, learn how to fortify your Node.js projects against this top security risk. Command injection may be no laughing matter, but this engaging exploration will have you smiling as you enhance your Node.js security expertise.
1年前
Secure Code Review Tips to Defend Against Vulnerable Node.js Code
NodeJS Security & NodeJS Secure Coding’s Blog
How do you identify vulnerable code patterns? Can you spot insufficient input validation? Enhance your Node.js development security with this guide to secure code review.
1年前
Destroyed by Dashes: How Two Hyphens Cause Argument Injection Vulnerability in blamer npm Package
NodeJS Security & NodeJS Secure Coding’s Blog
Let's explore a recently disclosed argument injection flaw in the popular 'blamer' npm package that allowed overwriting arbitrary files by exploiting the 'git blame' command. By passing unchecked user input directly to the Linux command, attackers could trigger damaging behavior.
1年前
Securing Your Node.js Apps by Analyzing Real-World Command Injection Examples
NodeJS Security & NodeJS Secure Coding’s Blog
This article explores real-world command injection vulnerabilities that have impacted popular applications, emphasizing the need for secure coding practices. We take you through the background of Node.js and its vast user base, setting the stage for understanding the gravity of command injection attacks.
1年前
An Introduction to Command Injection Vulnerabilities in Node.js and JavaScript
NodeJS Security & NodeJS Secure Coding’s Blog
Command injection vulnerabilities pose a significant threat to Node.js and JavaScript applications' security. By understanding the risks involved, referencing real-world incidents, and following best practices, developers can effectively mitigate these vulnerabilities. Remember, validating and sanitizing user input, utilizing command argument separation, and following the least privilege principle are essential steps toward creating secure applications.
1年前