\
Express is a fast, unopinionated, and minimalist web framework for Node.js. It has been a de facto choice for creating a web-server application in Node.js. If you want to use Express in your application, you need to read this article.

\
Let’s see how you can make Express more secure.

# Use Updated Express Version (and any other npm package)

Old versions of Express have vulnerabilities like __[Path traversal (CVE-2017–14849)](https://www.thesmartscanner.com/vulnerability-list/web-server-path-traversal)__. The best practice is to use the latest stable packages to mitigate such vulnerabilities. You can use the `npm audit` command to find out known vulnerabilities in your Nodejs application. Then you can fix them by running the `npm audit fix` command. Make sure to get 0 vulnerabilities in the report of the npm audit command.

# Secure your HTTP Headers

Proper HTTP headers can prevent security vulnerabilities like Cross-Site Scripting, Click-jacking, Packet sniffing and, information disclosure. It’s better not to use Express with its default HTTP headers. Try the __[Helmet](https://www.npmjs.com/package/helmet)__ npm package for hardening the HTTP headers of your Express project. 

\
Below is a sample code.

\
```javascript
const express = require("express");
const helmet = require("helmet");const app = express();app.use(helmet());// ...
```

\
Read the __[Complete guide to HTTP Headers](https://www.thesmartscanner.com/blog/complete-guide-to-http-headers-for-securing-websites-cheat-sheet)__ for more detailed information about HTTP Headers security.

# Validate Input

Hackers should find a way into your application and, request parameters are their first choice. All the injection vulnerabilities like __[SQL Injection](https://www.thesmartscanner.com/vulnerability-list/sql-injection)__, __[Command Injection](https://www.thesmartscanner.com/vulnerability-list/os-command-execution)__, __[Expression Language injection](https://www.thesmartscanner.com/vulnerability-list/expression-language-injection)__, and many others occur when unvalidated user input is directly used in performing tasks.

\
Consider the below code which gets your name in the `name` query parameter and displays it.

\
```javascript
const express = require('express')
const app = express()app.get('/', function (request, response) {
 response.send('Hello ' + request.query.name)
})app.listen(3000)
```

\
If you send a request like `http://localhost:3000/?name[foo]=bar` then you will receive an Object instead of a String name. This is an attack known as HTTP Parameter Pollution (HPP). It can be very scary when working with a no-SQL database like MongoDB.

\
Before processing any `request` parameter, validate the following:

\
* Input type (either String, Number, Boolean, etc.)
* Input boundaries: Check range for numbers, length, and acceptable characters for strings
* Input format: Check for input patterns like emails, IP addresses, etc.

\
You can use __[hpp](https://www.npmjs.com/package/hpp)__ npm package to prevent HPP attacks.

\
Input validation is a broad topic. It can be very tricky, especially dealing with rich user content. You can read __[this article](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)__ for an in-depth review.

# Sanitize Output

The below sample code exposes a Cross-Site scripting (XSS) vulnerability.

\
```javascript
const express = require('express')
const app = express()app.get('/', function (request, response) {
 response.send('Hello ' + request.query.name)
})app.listen(3000)
```

\
If you run the application and open `http://localhost:2000/?name=<script>alert(1)</script>` URL, the `alert(1)` JavaScript code will be executed. XSS bug allows an attacker to run any client-side code to steal session tokens, passwords or display wrong information.

\
 ![](https://cdn.hackernoon.com/images/96K2x0eTswTFYtApO1Ckp0eukpf2-cxa3lmt.png)

To prevent the XSS you have to use proper encoding before rendering input parameters in the response. You can use __[node-esapi](https://github.com/ESAPI/node-esapi)__ or __[escape-html](https://github.com/component/escape-html)__

\
Below code is a fix for the above XSS:

\
```javascript
const express = require('express')
var ESAPI = require('node-esapi');
const app = express()app.get('/', function (request, response) {
 encodedName = ESAPI.encoder().encodeForHTML(request.query.name)
 response.send('Hello ' + encodedName)
})app.listen(3000)
```

# Use Anti CSRF

Processing form data and performing actions only by relying on the form data will cause a Cross-Site Request Forgery (CSRF). If the same request data (either form data or URL query) causes the same action on your application, then you have a CSRF issue. It gets serious when the action is sensitive, like creating a new user or deleting data.

\
Attackers use CSRF to perform actions on behalf of an authorized user while the user is unaware of this action. Below sample code is an example that kills the app by a CSRF.

\
```javascript
const express = require('express')
const app = express()app.get('/', function (request, response) {
 response.send('<h1>Admin Panel</h1><a href=/kill>kill</a>')
})app.get('/kill', function (request, response) {
 process.exit()
})app.listen(2000)
```

\
You might wonder if adding cookie-based session management cannot prevent CSRF because Cookies are automatically sent by browsers. To prevent CSRF you should send random tokens within each request and validate the existence of the CSRF token before processing the request.

You can use the __[csurf](https://www.npmjs.com/package/csurf)__ npm package for integrating CSRF prevention in your Express application.

\
In the next article, we will see how to prevent brute force attacks, command execution, and information disclosure vulnerabilities.


---

Also published [here.](https://www.thesmartscanner.com/blog/how-to-secure-your-nodejs-express-javascript-application-part-1)

Scan your web application for vulnerabilities

2021 - HackerNoon Contributor of the Year - HACKING

2022 - HackerNoon Contributor of the Year - Application

2022 - HackerNoon Contributor of the Year - Testing

2022 - No No No Nodejs

Nominated for 2022 - HackerNoon Contributor of the Year - Application

Nominated for 2022 - No No No Nodejs

Nominated for 2022 - HackerNoon Contributor of the Year - Testing

Too Long; Didn't Read

Cassandra Forward a free Cassandra-focused community event

Securing your NodeJs Express Application — Part 1

Too Long; Didn't Read

@smartscanner

RELATED STORIES