Contributions

Article
Learn how to secure your Node.js applications with the new Permissions Model, stay informed about security releases, and understand the Node.js Security Threat.
Article
A couple of days ago I published an article on 9 curated Docker tips for Node.js developers to help you easily run one-off DevOpsy commands on your Node.js container apps. Hope you find it helpful 🐳
Article
Get trained on secure coding techniques that are hacker-proof and build unbreakable Node.js and Server-side JavaScript apps.
Article
Did you wake up this morning and not find a backdoor that opens your production server to remote access? Everything else is a bonus 😎

For those who missed the drama, quick TL;DR: on Friday it was discovered that there is malicious code in the xz utils package, which is installed on Linux servers and allows malicious actors remote access via ssh.

How does this also relate to us devs in JavaScript and Node.js land? I wrote up what happened and added my thoughts on the subject.
Article
In this article we will review the following Node.js security concepts and their associated code snippets, selected for their effectiveness in preventing common security vulnerabilities and for being accessible to developers without requiring extra security expertise:

1. The Node.js Permissions Model
2. Implement input validation with a Fastify JSON schema
3. Secure password hashing with Bcrypt
Article
Properly implementing authentication and authorization is crucial for securing Node.js apps. This section covers guidelines like proper session management, password hashing, and attack prevention.
Article
An IDOR vulnerability was discovered in Clerk's Next.js SDK, what is it exactly?

Insecure direct object references (IDOR) are an important web application security concept that every developer should understand. IDOR vulnerabilities allow attackers to access unauthorized data and functionality by manipulating object identifiers used in web applications.
Article
North Korean state hackers compromise the npm supply chain with malicious packages; crypto thieves exploit the Ledger Connect Kit library published to npm, stealing $600k before being detected; the incident highlights the risks of uncontrolled open source usage and the need for better validation and monitoring of third-party code.
Article
Exploring the OWASP Top Ten list, and dissecting how Node.js applications can fall prey to command injection attacks. With practical insights, learn how to fortify your Node.js projects against this top security risk. Command injection may be no laughing matter, but this engaging exploration will have you smiling as you enhance your Node.js security expertise.
Article
How do you identify vulnerable code patterns? Can you spot insufficient input validation? Enhance your Node.js development security with this guide to secure code review.
Article
Let's explore a recently disclosed argument injection flaw in the popular 'blamer' npm package that allowed overwriting arbitrary files by exploiting the 'git blame' command. By passing unchecked user input directly to the Linux command, attackers could trigger damaging behavior.
Article
Command injection vulnerabilities are not an abstract concept but a real and prevalent threat in the Node.js ecosystem. I’ve written an article about real-world cases of npm packages vulnerable to command injection attacks, with references to other popular security incidents such as Shellshock that explain why and how these sorts of insecure code patterns can lead to tangible security risks.
Article
Raw HTTP replies are supported by Fastify and are a powerful way to interact with HTTP requests. That said, they can at times be a foot-gun. Here's why, and a suggested better way to stream data over HTTP.
Article
As developers, we strive for robust and secure applications. However, one common security vulnerability that often remains unnoticed is command injection. In this blog post, we will explore command injection vulnerabilities in the context of Node.js and JavaScript, shedding light on the risks they pose to server-side backend development and how to protect our Node.js applications against them.
Article
Whether you're a beginner or an experienced JavaScript developer, this Node.js Secure Coding book takes a comprehensive approach to security. From basic terminology to introduction to Command Injection, you'll learn about assorted patterns of insecure code observed in popular and well-known npm packages.

Master Node.js Security: Get Started with Secure Coding: The Definitive Guide to Defending Against Command Injection Vulnerabilities and Building Secure Node.js Applications
Article
Learn why open-source libraries like node-serialize can be vulnerable to serialization security issues in Node.js. Adopt best practices!
Article
If you're using MongoDB you might be vulnerable to Mass Assignment vulnerabilities in Node.js.

This issue of course extends to more than just MongoDB and the Mongoose library.

Check it out to learn more about this security issue:
Article
Fancy learning some hidden APIs in Playwright? 🧙🏻‍♂️

In this post, I will show you some advanced usage patterns for working with Playwright in order to take a screenshot of a specific element and modify the contents of the image, either before taking the screenshot or after, using image preprocessing tools.

Advanced usage patterns for taking page element screenshots with Playwright testing framework.
Article
Did you know that despite their utility, ease of implementation, and support from virtually every browser, only about 25% of mobile and 28% of desktop HTTP responses include HSTS headers?
Using Express? Using Fastify? This tutorial covers how to add HTTP Strict Transport Security headers to a running Node.js web application.
Article
Learn how to handle file uploads on a Fastify server using Node.js. In this tutorial, you'll use the Fastify framework to set up a file upload plugin and create an /upload route that can handle multiple file uploads.
Tutorial
Are you sure Node.js Alpine Linux images for Docker are the best choice for you?

Might want to think again.
I posted an article with my detailed comparison of Node.js container images that are ideal for production usage.
Tutorial
Last week I updated my article on this topic :-)
I've specifically expanded on why the base image recommendation should *not* be Alpine but rather a supported slim version of Debian. You probably want to dive into that first best practice in the article, but if this is the first time you're reading it and you are often tasked with building container images and Dockerfiles, then you definitely want to give this comprehensive article a visit.
Article
My article on dependency confusion supply chain concerns is finally published 🚀

I'm pretty hopeful you'll pick up a few things you didn't know about open source security in there, including several practical tips on how to detect and avoid dependency confusion, which is still largely happening throughout corporations.
Article
Sure, sometimes vulnerabilities in a Docker base image are irrelevant. They might be low severity, or target things like a compiler which we won't be using inside a running application.

Until they aren't, and you end up with a Node.js Docker application running in production where an actual severe issue in the container image results in a remote reverse shell and an overall command injection vulnerability.
Article
I wrote a thing 👋
Docker for Node.js developers 🔥
The naive way of building your own Docker Node.js web applications may come with many security risks. So, how do we make security an essential part of Docker for Node.js developers?
Step-by-step best-practice walk-through inside ✨
Article
What are typosquatting attacks and how do they impact open source developers? If you're a JavaScript developer then you should understand them and be conscious that you aren't mistakenly installing a package such as electron-native-notify - because hey, that's a malicious package! ☢️ https://snyk.io/blog/typosquatting-attacks/ #JavaScript #NodeJS #npm #Security
Article
I did a Q&A interview with Ethan Arrowood about the Fastify Node.js web application framework. We talked and discovered some interesting bits like his favorite features, what some good signals for a healthy open source project are, and more.
Article
๐Ÿ”ฅ What are the risks of command injections in NodeJS applications?

โœ… Featuring a practical walk-through of an actual CVE for a NodeJS module which has a command injection vulnerability

I wrote about it here https://snyk.io/blog/command-injection/
Article
Looking for the best ways to secure your React app? Then you’ve come to the right place!

I created this checklist of React security best practices to help you and your team find and fix security issues in your React applications. I’ll show you how to automatically test your React code for security-related errors and automatically fix them.
Tutorial
In this security article about prototype pollution vulnerabilities in Node.js command line libraries, Kirill builds a proof-of-concept vulnerable application and goes into detail about the concerns raised by such security issues.