11. Security Best Practices

Security Best Practices and suggestions

Compromised Database

  • Store passwords only as salted, slow hashes (bcrypt), never in plaintext or reversibly encrypted
  • Store only a hash of each password reset token (sha256), so a leaked row cannot be turned into a working reset link

Brute Force Attacks

The attacker tries to guess the password by trying millions of candidates.

  • Use bcrypt (its slowness makes each login attempt expensive)
  • Implement rate limiting (express-rate-limit) -- limit the number of login attempts from a single IP address
  • Implement maximum login attempts

Cross-site scripting (XSS) Attacks

The attacker tries to inject a script into the page so that their malicious code runs in other users' browsers.

  • Store the JWT in HttpOnly cookies (so page scripts cannot read it)
  • Sanitize user input data
  • Set special HTTP headers (helmet package)

Denial-of-service (DOS) Attack

The attacker sends so many requests to the server that it breaks down and the application becomes unavailable.

  • Implement rate limiting (express-rate-limit)
  • Limit the body payload size (in body-parser)
  • Avoid evil regular expressions (patterns that backtrack catastrophically on crafted input) in the code

NOSQL Query Injection

Instead of entering valid data, the attacker enters query operators, in order to alter the query expressions we build in code.

  • Use mongoose for MongoDB (its schema types cast input to the expected type)
  • Sanitize user input data

Other best practices and suggestions

  • Always use HTTPS
  • Create random password tokens with expiry dates
  • Deny access to JWT after password change
  • Don't commit sensitive config data to Git
  • Don't send error details to clients
  • Prevent Cross-Site Request Forgery (csurf package)
  • Require re-authentication before a high-value action.
  • Implement a blacklist of untrusted JWTs
  • Confirm user email address after first creating account.
  • Keep user logged in with refresh tokens
  • Implement two-factor authentication.
  • Prevent parameter pollution causing uncaught exceptions.