Common security issues

Mongo or SQL injection

This is when a user injects query operators into our database queries, e.g. via URL query strings, to attack our DB.

To solve this, we stop users from adding dollar signs, colons etc. into our queries.

  1. Install the express-mongo-sanitize NPM package
  2. Require
  3. app.use
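As an added example (not from the notes and not the express-mongo-sanitize package's own code), here is a hand-written stand-in that shows what the middleware does to a request before a route handler sees it. The function names and the sample request are my own.

```javascript
// Added example, not from the notes or from express-mongo-sanitize.
// MongoDB treats keys that start with "$" (operators) or contain "." (field
// paths) specially, so a request body such as {"username": {"$gt": ""}} would
// turn a plain equality lookup into a "match anything" query. Stripping those
// keys from user input is what the sanitizing middleware does.

function isPlainObject(value) {
  return Object.prototype.toString.call(value) === '[object Object]';
}

// Returns a deep copy of `input` with every key that starts with "$" or
// contains "." removed, at any nesting depth (arrays are walked too).
function sanitizeMongo(input) {
  if (Array.isArray(input)) return input.map(sanitizeMongo);
  if (!isPlainObject(input)) return input;
  const clean = {};
  for (const [key, value] of Object.entries(input)) {
    if (key.startsWith('$') || key.includes('.')) continue; // drop injected key
    clean[key] = sanitizeMongo(value);
  }
  return clean;
}

// Express-style middleware (hypothetical name): app.use(mongoSanitizeMiddleware)
// would apply the cleaning to req.body, req.query and req.params on every
// request, which is the "app.use" step in the notes.
function mongoSanitizeMiddleware(req, res, next) {
  for (const part of ['body', 'query', 'params']) {
    if (req[part]) req[part] = sanitizeMongo(req[part]);
  }
  next();
}

// Constructed sample: a login body that tries to bypass the password check.
const injectedLogin = { username: { $gt: '' }, password: { $gt: '' }, 'a.b': 1 };
console.log(JSON.stringify(sanitizeMongo(injectedLogin)));
// → {"username":{},"password":{}}
```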

Cross Site Scripting (XSS)

This is when hackers inject client-side script into someone's webpage to steal user information. This accounts for 84% of all vulnerabilities. Whenever you add a search query to the URL string or print out what the user searches for, that gives hackers a chance to add their own scripts to our website and send the link out to people to steal their information.

We can solve this by sanitizing our HTML with Joi.

  1. Install the sanitize-html NPM package
  2. Require the package
  3. Create a Joi extension to sanitize HTML using the above package
  4. Call the Joi extension
  5. Add .escapeHTML() at the end of each part of the Joi schema I want to sanitize

Easy changes to cookies to make more secure

  1. Change cookie name to anything else
  2. Set httpOnly to true
  3. Set secure to true

Don't show the error stack trace in production

Use the Helmet NPM package to manipulate HTTP headers to add security

Helmet adds extra headers to the HTTP requests to add security features to defend against clickjacking and other attacks.

  1. Install the Helmet NPM package
  2. Require the package
  3. app.use
  4. Configure our own content security policy

List of sources

    Colt Steele's Web Developer Bootcamp 2021