How to secure Node.Js apps: The ultimate guide

Subscribe to my newsletter and never miss my upcoming articles

NodeJs is the popular server-side scripting language and its one of the widely used in the javascript world. Perhaps you might be using it in your projects.

In this article, we will focus on some of the best practices for securing your web application.

Here’s the quick rundown with some express/node js modules which help secure your Node.js app:


Schneier’s Law stated:

Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can’t break.

We might not know exactly what your secret algorithm is, and the fact that you yourself cannot break the cypher secret code is irrelevant. You should focus on generating or using the algorithm in such a way that others can't break it.

An attacker may use common tools like substitution cyphers or polyalphabetic cyphers to recover the plaintext from the ciphertext. Do not use your own crypto, use standard one instead.

Bcrypt is one of the widely used and it has been around for quite some time and remains unbroken till date. It is a password hashing function.

How Dropbox securely stores your passwords?

Keep your dependencies up to date

Keeping third-party libraries up-to-date and keeping the track of it is quite important, as these libraries may risk your entire application.

HTTP response headers

HTTP/1.1 200 OK
Accept-Ranges: bytes
Age: 3600
Cache-Control: public, max-age=86400
Expires: Sat, 01 Aug 2020 08:26:52 GMT
Last-Modified: Sat, 01 Aug 2020 07:26:52 GMT
Server: Apache/2.4.1 (Unix)
Set-Cookie: __cfduid=ddcweqwertyasdfghjkil12mgrdd; expires=Mon, 31-DEC-20 00:00:00 GMT; path=/;; HttpOnly; SameSite=Lax
Vary: *
Content-Length: 2265
Connection: keep-alive
  • The HTTP 200 OK success status response code means that the request has succeeded.
  • The Accept-Ranges HTTP header is used by the server to inform about the unit that can be used to define the range.
  • The Access-Control-Allow-Origin header indicates whether the response can be shared with requesting code from the given origin.
  • The Age header contains the time the object has been in a proxy cache.
  • The Cache-Control header holds directives (instructions) for caching in both requests and responses.
  • The Expires header contains the date, after which the response is considered stale. If there is Cache-Control header, then the Expires header is ignored
  • The Connection header controls if the network connection stays open after the current transaction finishes.

- Strict-Transport-Security

The strict transport security ensures all requests after the first request made to the application are https. We also need to ensure that even the first request is secure and hence we would be using Helmet package to configure the HSTS. Even though we secured our session id cookie, we need to ensure all requests go over https even if we add another cookie and forget to set it to Secure, we'll still not be transmitting it in cleartext over an HTTP connection.

- X-Content-Type-Options

X-Content-Type-Options needs to be set as nosniff, this will protect from MIME sniffing attack and indicate the browser that content-type header should not be changed

helmet — It is an express module to set secure HTTP headers.

To install helmet-

npm install --save helmet

Using helmet middleware in an express app

Use cookies securely

HTTP Cookies are widely used throughout the web to identify the user’s session, store some data on the user's browsers, allowing the webserver to recognize the user as they navigate through the site, and generally contain sensitive data.

Some important points to remember while setting up the cookie -

  • Don’t store sensitive data in a cookie, unless it's required
  • Use HttpOnly to mitigate XSS attacks
  • Use SameSite to mitigate CSRF attacks
  • Use Secure to mitigate MITM attacks. It will let you forbid a cookie to be ever transmitted over simple HTTP.

Install Express session: express-session stores session data on the server and id in the cookie itself, and not the session data

npm install --save express-session

Using express-session middleware

Using cookie-session middleware

Cross-Origin Resource Sharing

The CORS mechanism describes new HTTP headers which provide browsers with a way to request remote URLs only when they have permission. This will be useful when trying to make API Call to a different domain, it will be blocked by the browser feature called same-origin policy.


Using cors middleware

npm install --save cors

Cross-Site Request Forgery

CSRF is a technique which allows the attacker to do any malicious tasks on behalf of the victim. It exploits a vulnerability in the application where the actual request and the forged request cannot be differentiated. Think, what if the attacker changes the password of your bank account and transfer all your money. Such attacks are called session-hijacking in which a user session is taken over by the attacker.

Install csurf:

npm install --save csurf

Using csrf middleware

Sending the token value back to the view

Error Handling

Recommendations in the node.js community are that you pass errors around in callbacks (Because errors only occur for asynchronous operations) as the first argument

Using async/await you can now get asynchronous control flow as you want:

Handling asynchronous error

Nodejs API Authentication of JWT Tokens

REST(Representational state transfer) is the widely used web architecture as it is flexible and simple to use. Generating jwt tokens for authenticating users to obtain access to resources is one of the secured approaches.

This will enable the use of a token instead of username and password for accessing each resource.

If you want to learn more on authentication, here you go -

Tools to check the security risk of open-source dependencies

Sqreen It protects your application from cross-site scripting, SQL injection, MongoDB injection, checks vulnerabilities against all broken files and 3rd party libraries, etc..

Snyk It helps you find and fix known vulnerabilities in your dependencies

Acunetix — It helps in the vulnerability of web applications and frameworks like Angular, React, Vue, Ember.

OWASP provides the basis for testing the web application. To know more about it and more about web security, kindly visit -

Learn OWASP and Web Application Security

If you liked it please leave some likes to show your support. Also, leave your responses below and reach out to me if you face any issues.

Follow me on Twitter | Check out my LinkedIn | See my GitHub

Kevin Cunningham's photo

Really helpful and in depth article - thanks for writing!

Jay Desai's photo

Thank you Kevin 😃

Murewa Ashiru's photo

Awesome article. Bookmarked