Home » Node.js

Express Server Security in Node.js

How to make your server secure instantly? This article is about making your Express server secure from very well known web vulnerabilities by setting HTTP headers appropriately.
Submitted by Manu Jemini, on December 15, 2017

Often it had been noticed that a server is used for various clients and still developers tend not to build their security because of various reasons. But it is very important indeed.

For this purpose, we have a middleware which will everything for us quickly and easily. Helmet will protect the server from 12 well-known vulnerabilities. These are listed below.

  1. contentSecurityPolicy - for setting Content Security Policy
  2. expectCt - for handling Certificate Transparency
  3. dnsPrefetchControl - controls browser DNS prefetching
  4. frameguard - to prevent clickjacking
  5. hidePoweredBy - to remove the X-Powered-By header
  6. hpkp - for HTTP Public Key Pinning
  7. hsts - for HTTP Strict Transport Security
  8. ieNoOpen - sets X-Download-Options for IE8+
  9. noCache - to disable client-side caching
  10. noSniff - to keep clients from sniffing the MIME type
  11. referrerPolicy - to hide the Referer header
  12. xssFilter - adds some small XSS protections

To ensure your security from these threats there are many ways, but Helmet is the by far the simplest.

First step: Create an Express.js server

Second step: run this command npm install helmet - save

Third step: add it to your server

var express = require('express')
var helmet = require('helmet')
var app = express();

app.get('/', function(req,res){

You can disable a middleware that’s normally enabled by default. This will disable frameguard but include the other defaults.

  frameguard: false

This is very useful and very handy to use. The Profit is clear. But what if the third party packages that you have used is not secure. I bet you never thought about that. Well, there are many ways to find the weakest link, but what I found very easy in nsp and using it is like walking in the park. Have a look.

First step: npm install nsp - g

Second step: run this command in your project directory nsp check

Express security check in Node.js

Now that you are aware of the weakest link, change it with something reliable but always check before you transcend to the production mode.

Comments and Discussions!

Load comments ↻

Copyright © 2024 www.includehelp.com. All rights reserved.