In Detail
Node.js is a fast-growing platform for building server applications in JavaScript. As it sees wider use in production, Node applications will increasingly be targeted for security vulnerabilities. Protecting your users requires an understanding of the attack vectors unique to Node as well as those it shares with other web applications.
To secure Node.js applications, we start by delving into the building blocks that make up a typical Node application. Understanding every layer you build on top of lets you write code defensively and securely, protecting your users' data and your infrastructure while still using the technology behind Node.js.
This book teaches you how to secure your Node applications by examining each of those layers in turn: JavaScript itself, then the Node platform, and finally the npm module ecosystem. Starting with JavaScript, you will learn what to avoid and what to embrace. Next, we explain the Node platform, including its architecture and core modules, so you know how things work under the hood. Finally, we introduce the npm ecosystem, including modules that help you solve the common security problems you will face. Through the tutorials, you will be able to write secure Node.js applications that remain online under pressure and weather the most common attacks facing web applications today.
Approach
A practical and fast-paced guide that gives you all the information you need to secure your Node applications.
Who this book is for
If you are a developer who wants to secure your Node applications, whether you are already using Node in production or are considering it for your next project, this book will help you ensure the security of your applications. An understanding of JavaScript is a prerequisite; some experience with Node is recommended but not required.
As on previous occasions, Packt Pub sent me this ebook for review. Naturally, as the book's title says, this is not a general or beginner's book for Node.js, but in spite of that, the book starts with an opening chapter explaining the history of node.js, how it is different, and the canonical createServer example one finds everywhere. Maybe this chapter, notwithstanding its brevity, was not really needed, since the audience for the book surely already knows these things.
Then it follows with a "general considerations" chapter that is more about general JavaScript than node, actually, starting with ES5's strict mode and then including explanations of things everyone knows, such as the risks of using eval(), and also others some programmers might not be that aware of, such as seal(), freeze() and object property descriptors, and then moving on to static program analysis with JSLint / JSHint as another tool in your belt before really approaching node.js' security concerns proper. There are also general recommendations on what to look for in npm modules.
However, more than security, we should be talking about the wider defensive coding / good practices spectrum, such as correctly handling exceptions, correctly using error callbacks, monitoring processes, or node Domains (introduced in v. 0.8).
The next chapter moves into applications, briefly introducing express and connect and then giving a brief how-to on using the standard choice, passport.js, and also third-party solutions such as OpenID and OAuth, of course. What strategies are out there and how to plug in the different middlewares is also taken care of. Logging is also discussed as one of the things the conscientious developer should not neglect, and general recommendations about it are given, recommendations that are good for any language or application platform in any case, since it is basically OWASP's guidelines that are being followed here.
The winston module is the one chosen here for logging in node.js specifically, as it seems to be the most favoured, although there are others, which is also why the author chose to tell the reader what to look for in modules, to make sure that these third-party pieces are also secure and well managed.
The last two chapters are devoted to requests and to responses. The request chapter deals with request size limits, the use of streams, and how they help protect your app from attacks stemming from large payloads, and also with how to monitor the event loop for health using the node-toobusy module (sample taken from GitHub). Then come CSRF and input validation (node-validator / express-validator).
Regarding the response layer, well-known stuff such as XSS, with several examples explaining what it is and some simple scenarios, and DoS are explained. XSS and related injections are probably the area that is explained most in depth.
Then the Helmet module is introduced as a way of mitigating risks with a series of specific HTTP headers and mechanisms such as CSP (Content Security Policy; check browser support here) and HSTS, which are embodied in specific headers anyway. Adequate examples of configurations for these headers are given.
With that, this book comes to an end. All in all, it's not a bad book at all, but it is clearly oriented to the still somewhat novice node.js programmer, who might not be aware of all the good practices and security concerns alike that need to be taken care of in node.js / express apps. While I can't speak for anyone out there, I want to imagine that more experienced developers are familiar with the things discussed here, as they are mostly the most well-known tooling for these concerns. For those learning node or creating their first apps, I believe this is a valuable resource.
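The strict mode, eval(), seal()/freeze() and property-descriptor material the reviewer lists from the "general considerations" chapter, worked through as an added example. This is not code from the book or from the reviewer; deepFreeze, tryWrite, defineConstant, sloppyWrite and the sample config object are names and data chosen here for illustration.

```javascript
// Added example (not from the book or the review): strict mode together with
// Object.freeze and Object.defineProperty for tamper-resistant configuration.
// deepFreeze, tryWrite, defineConstant and sloppyWrite are names chosen here.

// Object.freeze is shallow: nested objects remain writable. deepFreeze walks
// the object graph so that every reachable plain object is frozen. The object
// is frozen before recursing so that cyclic references terminate.
function deepFreeze(obj) {
  Object.freeze(obj);
  for (const key of Object.getOwnPropertyNames(obj)) {
    const value = obj[key];
    if (value !== null && typeof value === 'object' && !Object.isFrozen(value)) {
      deepFreeze(value);
    }
  }
  return obj;
}

// Attempts a property write under strict mode and reports whether it threw.
// The directive sits inside the function so the behaviour does not depend on
// how the file is loaded (CommonJS vs ES module, or with a prelude in front).
function tryWrite(target, key, value) {
  'use strict';
  try {
    target[key] = value;
    return { threw: false, error: null, value: target[key] };
  } catch (err) {
    return { threw: true, error: err.name, value: target[key] };
  }
}

// The Function constructor produces a sloppy-mode function regardless of the
// caller's mode. It is an eval-family construct, exactly what the book warns
// against for anything derived from input; here it compiles only a constant
// string so the silent failure of non-strict code can be shown side by side.
const sloppyWrite = new Function(
  'target', 'key', 'value',
  'target[key] = value; return target[key];'
);

// Defines a non-writable, non-configurable, non-enumerable property without
// freezing the rest of the object (the property-descriptor route).
function defineConstant(obj, key, value) {
  Object.defineProperty(obj, key, {
    value, writable: false, configurable: false, enumerable: false,
  });
  return obj;
}

// Constructed sample: settings that must not change after startup.
const config = deepFreeze({
  port: 8443,
  tls: { minVersion: 'TLSv1.2', rejectUnauthorized: true },
});

// Under strict mode the tampering attempt is loud (TypeError)...
const strictResult = tryWrite(config.tls, 'rejectUnauthorized', false);
// ...under sloppy mode the same write is dropped and nothing reports it.
const sloppyResult = sloppyWrite(config, 'port', 80);

// A shallow freeze leaves the nested object open to exactly this write.
const shallow = Object.freeze({ tls: { rejectUnauthorized: true } });
const shallowResult = tryWrite(shallow.tls, 'rejectUnauthorized', false);
```

Two points the example makes that the chapter summary does not: strict mode is what turns a blocked write into an error you can log, so a dependency that tries to flip rejectUnauthorized is noticed rather than silently ignored; and freeze() only protects the top level, so a nested tls object needs the recursive variant. seal() is the weaker cousin: it stops properties being added or removed but leaves existing writable properties writable, which is rarely what you want for security-relevant settings.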
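The request-size limits and stream handling the reviewer describes from the request chapter, as an added example that is not the book's or the reviewer's code. BodyLimiter, declaredTooLarge, readBodyLimited and the sample chunks are hypothetical names and constructed data; Buffer is Node's global.

```javascript
// Added example (not from the book or the review): bounding request body size
// while reading it as a stream, so a large payload cannot exhaust memory.
// BodyLimiter, declaredTooLarge and readBodyLimited are names chosen here.

// Content-Length is attacker-controlled and absent for chunked encoding, so it
// is only a cheap early rejection, never the real defence.
function declaredTooLarge(headers, maxBytes) {
  const declared = Number(headers['content-length']);
  return Number.isFinite(declared) && declared > maxBytes;
}

// Synchronous accumulator that never holds more than maxBytes in memory.
// Kept separate from the socket so it can be exercised with constructed chunks.
class BodyLimiter {
  constructor(maxBytes) {
    this.maxBytes = maxBytes;
    this.bytes = 0;
    this.chunks = [];
    this.exceeded = false;
  }

  // Returns false the moment the limit would be crossed and drops what was
  // buffered, so the caller can destroy the stream instead of draining it.
  push(chunk) {
    if (this.exceeded) return false;
    const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(String(chunk), 'utf8');
    if (this.bytes + buf.length > this.maxBytes) {
      this.exceeded = true;
      this.chunks = [];
      this.bytes = 0;
      return false;
    }
    this.bytes += buf.length;
    this.chunks.push(buf);
    return true;
  }

  // The complete body, or null if the limit was exceeded.
  body() {
    return this.exceeded ? null : Buffer.concat(this.chunks, this.bytes);
  }
}

function payloadTooLarge() {
  return Object.assign(new Error('Payload Too Large'), { status: 413 });
}

// Wires the limiter onto an http.IncomingMessage (any Readable with headers).
// On overflow the request is destroyed so the socket is freed rather than
// drained; sending the 413 response is left to the caller.
function readBodyLimited(req, maxBytes) {
  return new Promise((resolve, reject) => {
    if (declaredTooLarge(req.headers || {}, maxBytes)) {
      req.destroy();
      return reject(payloadTooLarge());
    }
    const limiter = new BodyLimiter(maxBytes);
    req.on('data', (chunk) => {
      if (!limiter.push(chunk)) {
        req.destroy();
        reject(payloadTooLarge());
      }
    });
    req.on('end', () => {
      if (!limiter.exceeded) resolve(limiter.body());
    });
    req.on('error', reject);
  });
}
```

In a plain http server handler you would call readBodyLimited(req, 64 * 1024) and answer with the rejection's status; Express users get the same protection from the limit option of the body-parser middlewares (express.json and friends). Input validation with express-validator, which the book covers next, belongs after this step, not instead of it: a validator still has to receive the whole body before it can reject it.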
This book is an essential guide to web application security, with special emphasis, as its name indicates, on applications built in NodeJS.
It explains in detail how web application attack vectors remain independent of the platform used, although some platforms behave differently when facing those attacks. The book provides the best practices to mitigate and protect your NodeJS web applications against those recognised attack vectors, driven by simple practical examples and picking some of the most popular NodeJS modules available to make your life easier.
I definitely recommend reading this book if you are developing NodeJS applications and you are not a master of web security, or if you are, but you are starting to develop in NodeJS.