View
73
Download
0
Category
Preview:
Citation preview
Let’s talk SecuritySecuring Your Node.js App
Dheeraj Joshi@dheerajhere
● Front-End @
● Open Source (medium-cli)
● Ambidextrous TT Player
About Me
More...
I wear White Hat.
Uber, CKEditor, Dropbox, MailChimp, Recruiterbox, InVision, DigitalOcean, Intuit, Groupon, etc.
What makes me happy?
Agenda
● Why ?
● Cross-site Scripting (XSS)
● Cross-site Request Forgery (CSRF)
● Content Security Policy (CSP)
● Useful Headers
● Other Best Practices
● Demo
Why should Startups Care about Security?
Startups & SMEs are known to cut corners. One of the first things they cut is ‘Security'.
Github Reused password attack
HACKER PUTS HOSTING SERVICE “CODE SPACES” OUT OF BUSINESS
The Shutdown
CROSS SITE SCRIPTING - XSS
● XSS attack users
● “Javascript Injection”
● Exploits can be bad,
really bad..
What is XSS?
Typical Reflected XSS
Stored XSS
Protect Yourself
● Input Validation
● Ensure that outputs are
HTML encoded
● Don’t reinvent the wheel
(Use proven sanitizers)
Content Security Policy (CSP)
Add Content Security Policy header
● Add HTTPOnly, Secure attributes on Session Cookie
CROSS-SITE REQUESTFORGERY (CSRF)
Because the attack is carried out
by the victim, CSRF can bypass:
● HTTP Auth
● Session-based auth
● Firewalls
CSRF Attacks
Prevention
● Only accepting POST requests
● Referer Protection
● Multi-Step Transactions
● URL Rewriting
● application/json
“CSRF Myths”Preventions that Won’t work
XSS + CSRF = ? (Demo)
List of useful HTTP headers
● Strict-Transport-Security:
max-age=16070400; includeSubDomains
● X-Frame-Options: deny
● X-XSS-Protection: 1; mode=block
Prevent Information Disclosure
Hide X-Powered-By
Or try this ;)
How to improve ?
● SECURITY.md
● Security Middleware
(helmet.js, kraken.js )
● OWASP Node Goat
Project
● NSP, Snyk
Questions ?
Thank you
@dheerajhere
@djadmin
Recommended