Security
Standards
OWASP standards
- [OWASP](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project)
- [OWASP PDF 2017](./docs/OWASP-top-10-2017.pdf)
- [OWASP API security 2019](./docs/testing/owasp-api-security-top-10.pdf)
- [OWASP Application security requirements](./docs/testing/OWASPApplicationSecurityVerificationStandard4.0-en.pdf)
- [OWASP Proactive controls](./docs/testing/OWASP_Top_10_Proactive_Controls_V3.pdf)
Tools used by STQC
- AppScan
- WebInspect
- Burp suite (good as per feedback)
Other Tools
- OWASP ZAP
- Burp Suite
- Nmap
- Sqlmap
- Nessus
- Snyk
Code level built-in Security
TypeScript security linting, run as a job in the GitLab CI pipeline
Newman // run Postman collections from the CLI (tutorial); also use Postman for the API docs; check the license
Role-based authorization on every API route (deny by default)
Allow connections only from particular IPs or machines (allowlist, not blocklist)
Check that a history/audit table exists for every important table (who changed what, when)
1> Request body size limit (express.json)
const express = require('express');
const rateLimit = require('express-rate-limit');
const xss = require('xss-clean');
const helmet = require('helmet');
const mongoSanitize = require('express-mongo-sanitize');
const app = express();
app.use(express.json({ limit: '10kb' })); // reject JSON bodies larger than 10 kB (413)
2> Rate limiting (express-rate-limit)
const limit = rateLimit({
  max: 100,                    // max requests per window, per client IP
  windowMs: 60 * 60 * 1000,    // window: 1 hour
  message: 'Too many requests' // body sent with the 429 response
});
app.use('/routeName', limit); // apply the limiter to a specific route
3> Data sanitization against XSS (xss-clean). Note: this only scrubs input; output encoding in templates is still required.
app.use(xss());
4> Security HTTP headers (helmet: X-Content-Type-Options, HSTS, frameguard, etc.)
app.use(helmet());
5> Preventing brute-force attacks on APIs such as login: allow at most 4 failed attempts, then lock the account for the day; send an alert after 3 failed attempts. Also add two-factor authentication. Caveat: account lockout on its own lets an attacker lock out legitimate users by guessing wrong on purpose, so keep the per-IP rate limiter above in front of it and alert on lockouts.
6> NoSQL operator injection (express-mongo-sanitize): removes keys that start with "$" or contain "." from req.body, req.query and req.params, so a body like {"username": {"$gt": ""}} cannot turn into a query operator.
app.use(mongoSanitize());
Ref
- https://nodesecroadmap.fyi/
- https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_security_cheat_sheet.html
Development tips
Content-Security-Policy header with a per-response nonce on script tags (script-src 'nonce-…'): only scripts carrying that nonce execute, so injected inline or external scripts are blocked. Generate a fresh nonce for every response; never reuse one.
Trusted Types (require-trusted-types-for 'script'): DOM sinks such as innerHTML and eval only accept typed values, which prevents DOM-based injection.
Cross-Origin-Opener-Policy: same-origin: isolates the window from cross-origin openers and popups, so a third-party page cannot reach it through window.opener.
CORS: do not reflect arbitrary origins; allow only an explicit list of origins (effectively disabling cross-origin requests by default).
https://hackernoon.com/10-security-tips-for-frontend-developers-oi4624ld