Node.js Security Best Practices: JWT blacklisting, rate limiting, schema validation

Captions
Hey friends, welcome back. Today is a very exciting day because we're finally going to be covering security best practices of Node.js. Yes, you heard me right, and it's going to be a series of videos where we're going to dive deep into some topics that may be obvious or non-obvious or even super advanced for you, so buckle up and let's get started. What I like about this topic is that it's basically applicable to other languages and frameworks as well if you're developing web applications. With that said, let's start with the very first point. Today we're going to have seven points, and in the following videos we're going to cover even more, even more detailed points.

So let's start with the first one: rate limiting. What is it and why do we even need it? Well, there's a thing called DoS attacks, or to be concrete, DDoS attacks nowadays. What it stands for is distributed denial of service attack. This is when a hacker acts as a client and sends a bunch of requests to our server in order to bring it down, a bunch meaning thousands or even tens of thousands of requests simultaneously, so that our server is busy and is not able to process any further requests. Well, how do you basically secure yourself from that? Well, you use a rate limiter, and the rate limiter basically defines how many processes or requests a Node server is going to accept at a given time. All right, and the very basic way of installing a rate limiter on your Node.js server is by using one of the coolest libraries, called express-rate-limit. Here, this is the way you use it, literally one line, and of course you can define how hard your rate limiter should be. But I wouldn't suggest using it in scaled applications, in bigger applications; it's fine for your pet project. The reason is the rate limiter doesn't really belong to your Node application, because your Node application is mostly concerned about the business logic. All right, the rate limiter should probably live in an NGINX server, and the way you add it is literally one line as well, so it's also very simple. And you might ask, why do I need an NGINX server with my Node.js? Well, the answer is it's a pretty common practice to have an NGINX server running in front of your Node.js server. All right, this is why people usually put the rate limiter into an NGINX server so that it handles it for you. Now another point, if we go one step further, is the cloud providers. If you're using one of the cloud providers already, like AWS or Microsoft Azure or Google Cloud, maybe you should use one of their solutions. For example, AWS already has a built-in request rate limiter that you can simply attach to your API Gateway, meaning you don't even need to use it on an NGINX level.

Okay, now the second point is password encryption. Let's talk about this. You probably know that whenever you're registering a user on your server, in your app, and the user, let's say, puts ABC as a password, just a theoretical password, we wouldn't store this ABC in our database as a plain string like ABC. The reason is, if our database gets compromised, meaning if the hackers get access to our database and they can read all the passwords, they can literally take this password and later log into our system using exactly this password. So you encrypt it, meaning this password ABC is no longer going to be ABC but some really random hash, so that the hacker is not able to figure out the original password. And the way you do it is by using bcrypt. All right, bcrypt is one of the biggest packages for Node.js that people are using; literally everyone is using it, everyone that I know, so I would suggest going with this as well, and of course it's pretty secure. The way it hashes your passwords is, first of all, it uses one of the modern hashing algorithms. It also adds a salt to it. Salt is basically a random string that gets hashed together with your password, and it does one round of hashing, then it does a second, third, fourth, basically a very complicated process, and obviously the more rounds of hashing you add, the more securely your password is going to be encrypted, but it also takes longer to process it.

Okay, let's admit security is a pretty important topic, and what do you usually do with such important topics? Well, of course you document it for future reference, and one of our sponsors is doing exactly that. It helps you to document with the help of AI, and this leads to Doco. Doco is an AI-powered knowledge base platform which makes it easy to build a self-service knowledge base for your customers and developers. Doco lets you have your documentation in different places, as a private space or in a team project. In my case I already have my awesome AI project, so I will go into it, but unfortunately I don't have any documents here and it's completely empty. Well, I don't want to waste time creating all the directories and the outlines, so I will use the AI, and here I can type my target audience, for example automotive companies, web developers, data scientists, software engineers; you can put anything that you can think of. You can also put your product description so that the AI is aware of it; in my case it's an AI algorithm for detecting the road lanes. And now you can simply click generate, and after a few seconds it has already proposed a good setup. I will click apply because it seems quite good to me, and now I have the structure on the left. How cool, I saved a lot of time instead of creating all of this myself. Of course I'm also interested in actually filling out one of these documents, and I want to add some code examples. I mean, I already have code examples in my GitHub, but I first want to create a kind of an outline for actually installing OpenCV and Python, or rather integrating them all together. So I will create a quick start for developers, and I will add more information such as a guide for OpenCV and Python integration, and I will click generate. Two seconds later I already have my step-by-step guide, so that I'm not going to miss anything, because it literally covered everything that I needed. It's crazy. And now after saving it you can even publish it as a document on a hosted website, and of course you can choose whatever domain you want; in my case it's an AI project. spreading. Go check it out, link in the description.

The next point: JWT blacklisting. We probably already use JWT in your server-frontend communication in order to manage sessions. Okay, it's very popular now. But here's the thing: if you have a banking system or some very highly vulnerable system, you probably want to have a way to blacklist your JWT tokens. What does it mean? Well, JWTs live on the client, okay? So the server issues the JWT and then it lives in the browser of the client. There's no way for the server to revoke this JWT. Let's say we have a case where this JWT gets compromised and we get information about it from some source, and now we want this client to no longer have this JWT. But how can we do that? We can't just do this, because we don't have access to the browser of the client. So we can use JWT blacklisting, but it's not that simple. One way of doing this is, let me actually remove all of that, one way of doing this is, first of all, saving the session of the JWT in the database. Why? Well, JWTs already have a built-in expiration date, okay? Expiration dates can be short or long lived, and if it gets compromised, we already know which JWT got compromised and we simply revoke it from our database, and the next time the client sends the JWT we check it against the database. Okay, it's compromised, it's no longer there, we don't process it, you have to register or log in again. Now this goes against the concept of JWTs, because they are supposed to be stateless. You can't simply save JWTs in the database, all right, because that's the whole point of JWTs, that they have to be living in a client. Well, there is a different way of dealing with that, which is issuing two tokens, all right: one JWT token, and the second one is a refresh token, meaning we will make this JWT very short-lived, literally 3 minutes let's say, and we also have another token, a refresh token, meaning we save the refresh token in the database. Meaning, okay, we're not copying the JWT, it's a different token, and if the JWT that comes to our server has expired because it's very short-lived, we simply ask the client to send the refresh token, or actually the refresh token goes at the same time to the server. We check the refresh token, and if the refresh token is matching the one that we have in the database, we simply issue the new JWT right away. All right, so that if the JWT is short-lived we don't force the user to log in every 3 minutes.

Okay, now the next point is JSON schema validation. Why is it important? Well, everything that comes to our server is basically vulnerable. Every user input, every POST or GET request that the client makes to our server has to be verified, and the way you do it is basically having a schema for the request body that's coming from your client. This is basically like TypeScript for HTTP calls. So you say: I'm expecting these lines, I'm expecting a type string, I'm expecting a zip property which should be a string, a country which should be a string, and so on, and you can even make some of them optional. And then as soon as the request has reached the Node server, we're going to check it against this JSON schema, okay? That's why it's called a JSON schema validator. So definitely use it, it's very important nowadays.

The next one is escaping HTML and CSS. Your client might send HTML and CSS code, and of course it's very important to escape them too. For example, if the client sends an & or % character, this might be a vulnerability because they might do a SQL injection or some other things. That's why it's very important to escape it, and of course it's very simple; as you can see, it's literally just wrapping it within the method. So definitely keep this in mind. If the library that you're using for parsing, like body-parser, or any library that you're using basically to deconstruct your request body, already does that, maybe you don't need a library, but keep this in mind.

The next point is ORM and ODM against injections. Again, this goes hand in hand with escaping, kind of, but not really, because this is more about database communication. What is an ORM? Well, an ORM is something like Sequelize, okay, or something like, you probably also heard of it, basically an extra layer that sits on top of your Node server, or rather between the Node server and the databases, for example Oracle, Postgres, MySQL, MariaDB, SQL and so on, and Mongoose is of course for document-oriented databases like MongoDB. What does it do? Well, it doesn't let you write, I mean of course it does let you write SQL statements or SQL queries, but it's much simpler. For example, if you want to make a POST request, you simply do User.create because you already have a User schema, and then you supply everything in JSON notation, okay, very simple. And of course if you want to select something from the database, you no longer do "select this, this from user table" but rather do this, and you're all set. Okay, this is very easy, and of course it sanitizes your queries that you're doing to the database at the same time. All right, this is very important as well because, yeah, user input that can come from the client has to be sanitized at this point.

All right, the next point is a security linter. I actually didn't know about this before preparing for this video, but it turns out there's an ESLint plugin that seems to be very useful. What does it do? Well, it basically adds these extra rules to your code so that the linter checks your code while you're writing the code, so that you don't write any vulnerable code, all right, things like new Buffer and so on, regex-related stuff, CSRF-related stuff. So it's very useful, go check it out as well. I will put all the links in the description.

All right, if you found value from this video, don't forget to subscribe so that you don't miss the new videos, because there's going to be part two and part three and most likely part four that are also very important.
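The rate limiter from the first point, as an added example that is not the video's or express-rate-limit's code: a sliding-window limiter with the same (req, res, next) middleware shape, built on a plain Map and an injectable clock so it runs and can be tested without Express. The `req.ip` key and the 429 / Retry-After response are assumptions chosen here to match how Express exposes a client address.

```javascript
// Added example (not the video's code): sliding-window rate limiter with the
// (req, res, next) middleware shape of express-rate-limit, written against a
// plain Map so it runs without Express. Per client key it keeps the timestamps
// of requests inside the window and rejects with 429 once the cap is reached.
function createRateLimiter({ windowMs = 60_000, max = 100, now = Date.now } = {}) {
  const hits = new Map(); // client key -> request timestamps (ms) in the window

  // Core decision, separated from HTTP so it can be tested with a fake clock.
  function check(key) {
    const t = now();
    const recent = (hits.get(key) ?? []).filter((ts) => t - ts < windowMs);
    if (recent.length >= max) {
      hits.set(key, recent);
      // Seconds until the oldest hit leaves the window, for the Retry-After header.
      return { allowed: false, retryAfterSec: Math.ceil((recent[0] + windowMs - t) / 1000) };
    }
    recent.push(t);
    hits.set(key, recent);
    return { allowed: true, remaining: max - recent.length };
  }

  // Express-style middleware. Keys on req.ip (assumed); behind a reverse proxy
  // such as NGINX, req.ip is only meaningful if the proxy's forwarded header is trusted.
  function middleware(req, res, next) {
    const result = check(req.ip);
    if (!result.allowed) {
      res.statusCode = 429;
      res.setHeader('Retry-After', String(result.retryAfterSec));
      res.end('Too Many Requests');
      return;
    }
    res.setHeader('X-RateLimit-Remaining', String(result.remaining));
    next();
  }

  return { check, middleware };
}
```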
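The salt-plus-rounds idea from the password point, as an added example that is not the video's code: node:crypto's scrypt stands in for bcrypt (which is not used here), so the cost parameter plays the role of bcrypt's rounds. The `scrypt$cost$salt$hash` record format is an assumption made for this example.

```javascript
// Added example (not the video's code): salted password hashing with
// node:crypto's scrypt as a stand-in for bcrypt, plus constant-time
// verification. The stored record carries the cost and the salt, so the cost
// can be raised later for new hashes without breaking existing ones.
const crypto = require('node:crypto');

const KEY_LEN = 64;

// Returns "scrypt$<log2 cost>$<salt b64>$<hash b64>" (format assumed here).
// Higher cost = slower for an attacker, and slower for the server too.
function hashPassword(password, log2Cost = 14) {
  const salt = crypto.randomBytes(16); // fresh random salt per password
  const hash = crypto.scryptSync(password, salt, KEY_LEN, { N: 2 ** log2Cost });
  return `scrypt$${log2Cost}$${salt.toString('base64')}$${hash.toString('base64')}`;
}

// Re-derives with the stored salt and cost and compares in constant time.
function verifyPassword(password, stored) {
  const parts = stored.split('$');
  if (parts.length !== 4 || parts[0] !== 'scrypt') return false;
  const [, log2Cost, saltB64, hashB64] = parts;
  const expected = Buffer.from(hashB64, 'base64');
  const actual = crypto.scryptSync(password, Buffer.from(saltB64, 'base64'),
    expected.length, { N: 2 ** Number(log2Cost) });
  return crypto.timingSafeEqual(actual, expected);
}
```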
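The two-token flow from the JWT blacklisting point, as an added example that is not the video's code: a minimal HS256 JWT signer/verifier and a refresh-token store written with node:crypto only. The `RefreshStore` class, the `sub` claim and the in-memory Map standing in for the database are assumptions made for this example.

```javascript
// Added example (not the video's code): a minimal HS256 JWT issuer and a
// server-side refresh-token store using only node:crypto. Access tokens are
// short-lived (3 minutes, as in the video) and stay stateless; the refresh
// token is the only thing the server stores, so deleting it revokes a session.
const crypto = require('node:crypto');

const ACCESS_TTL_SEC = 180;
const b64url = (s) => Buffer.from(s).toString('base64url');
const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');

// Compact JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256).
function signJwt(payload, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify({ ...payload, iat: nowSec, exp: nowSec + ACCESS_TTL_SEC }));
  const sig = crypto.createHmac('sha256', secret).update(`${header}.${body}`).digest('base64url');
  return `${header}.${body}.${sig}`;
}

// Constant-time signature check plus expiry check; returns the payload or null.
function verifyJwt(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const expected = crypto.createHmac('sha256', secret).update(`${parts[0]}.${parts[1]}`).digest();
  const given = Buffer.from(parts[2], 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  return typeof payload.exp === 'number' && payload.exp > nowSec ? payload : null;
}

// In-memory stand-in (assumed) for the database table of refresh tokens. Only
// a hash of each token is kept, so a leaked table cannot be replayed.
class RefreshStore {
  constructor() { this.users = new Map(); }
  issue(userId) {
    const raw = crypto.randomBytes(32).toString('base64url');
    this.users.set(sha256(raw), userId);
    return raw; // handed to the client once
  }
  lookup(raw) { return this.users.get(sha256(raw)) ?? null; }
  revoke(raw) { return this.users.delete(sha256(raw)); } // the "blacklist" step
}

// The flow from the video: the access token expired, the client presents its
// refresh token, and the server mints a new access token only if that refresh
// token is still in the store. After revoke(), the user has to log in again.
function refreshAccess(store, refreshToken, secret, nowSec) {
  const userId = store.lookup(refreshToken);
  return userId === null ? null : signJwt({ sub: userId }, secret, nowSec);
}
```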
Info
Channel: Software Developer Diaries
Views: 7,762
Keywords: software development, software developer, programming, software engineering, javascript, web development, coding, nodejs, node js security best practices, nodejs secure api, nodejs passport, nodejs jwt, web security nodejs, nodejs rate limiter, nodejs aws, nodejs google cloud, nodejs microsoft azure, express.js security best practices
Id: DYme1m4RiwI
Length: 12min 2sec (722 seconds)
Published: Mon Nov 20 2023