Is My Express App Secure?

Express is one of the most popular web frameworks for Node.js. It's extremely lightweight and allows developers to quickly write web applications and APIs. Although it requires minimal configuration and is easy for even novice developers to implement, Express does have its security vulnerabilities. In this article, we discuss such vulnerabilities and the steps you can take to keep your Express app secure.

Use the latest version of Express

Only use Express version 4.0 or later. Prior versions have been deprecated and are no longer actively maintained by the Express team. More recent versions of Express (4.14) have built-in protection against Cross-Site Request Forgery (CSRF). By running the latest stable version of Express, you ensure you are working with the team's latest and greatest.

Use Helmet with Express

Helmet is a simple Node module that makes your app more secure by setting a number of HTTP response headers. It's extremely easy to implement. For an example of implementing Helmet, see below:

var express = require('express');
var helmet = require('helmet');
var app = express();
app.use(helmet()); // apply Helmet's default set of security headers to every response

Notice how all we are doing is bootstrapping our Express instance with Helmet. Helmet works by setting (or removing) HTTP response headers, and in doing so addresses the vast majority of the common vulnerabilities seen with network communication and HTTP. Specifically, Helmet addresses the following security-related issues:

  • Cross-site scripting (XSS)
  • MIME-sniffing
  • Content-Security-Policy
  • X-Powered-By
  • Cache-Control
  • Public Key Pinning

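To make the list above concrete, here is an added example (written for this article, not code from Helmet or the Express project) that does two things: a small hand-rolled middleware sets headers of the kind Helmet's middlewares set, and an audit function reports which of the six items above a response still fails. The header values are this example's choices, not Helmet's exact defaults; Public-Key-Pins is only checked for, never set, because Helmet never enabled HPKP by default and browsers have since dropped support for it. It runs on Node's standard library alone, using a stand-in for Express's `res`.

```javascript
'use strict';

// Header values of the kind Helmet's middlewares produce; the exact values here
// are this example's choices, not copied from Helmet.
const SECURITY_HEADERS = {
  // Content-Security-Policy: only load scripts, styles etc. from our own origin
  'Content-Security-Policy': "default-src 'self'",
  // MIME-sniffing: browsers must honour the declared Content-Type
  'X-Content-Type-Options': 'nosniff',
  // Cross-site scripting (XSS): legacy browser-side XSS filter
  'X-XSS-Protection': '1; mode=block',
  // Cache-Control: keep per-user responses out of shared caches
  'Cache-Control': 'no-store, no-cache, must-revalidate, proxy-revalidate',
  // Clickjacking and downgrade protection
  'X-Frame-Options': 'SAMEORIGIN',
  'Strict-Transport-Security': 'max-age=15552000; includeSubDomains',
};

// Express-style middleware: strip the framework fingerprint, add the headers above.
function securityHeaders(req, res, next) {
  res.removeHeader('X-Powered-By'); // Express adds this on every response by default
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    res.setHeader(name, value);
  }
  next();
}

// One check per item in the article's list (header names compared lower-case).
const CHECKS = [
  ['Cross-site scripting (XSS)', h => 'x-xss-protection' in h],
  ['MIME-sniffing', h => h['x-content-type-options'] === 'nosniff'],
  ['Content-Security-Policy', h => 'content-security-policy' in h],
  ['X-Powered-By', h => !('x-powered-by' in h)],
  ['Cache-Control', h => /no-store/.test(h['cache-control'] || '')],
  ['Public Key Pinning', h => 'public-key-pins' in h],
];

// Returns the names of the list items a response's headers still fail.
function auditSecurityHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  return CHECKS.filter(([, ok]) => !ok(h)).map(([name]) => name);
}

// Minimal stand-in for Express's res so the example runs without a server.
function fakeResponse(initialHeaders) {
  const headers = {};
  for (const [k, v] of Object.entries(initialHeaders || {})) headers[k.toLowerCase()] = v;
  return {
    setHeader(name, value) { headers[name.toLowerCase()] = value; },
    removeHeader(name) { delete headers[name.toLowerCase()]; },
    getHeaders() { return { ...headers }; },
  };
}

// Compare a bare Express response (only X-Powered-By set) with one that went
// through the middleware. Constructed sample data, no network involved.
function demo() {
  const bare = fakeResponse({ 'X-Powered-By': 'Express' });
  const protectedRes = fakeResponse({ 'X-Powered-By': 'Express' });
  securityHeaders({}, protectedRes, () => {});
  return {
    missingBefore: auditSecurityHeaders(bare.getHeaders()),
    missingAfter: auditSecurityHeaders(protectedRes.getHeaders()),
  };
}

console.log(demo());
```

Running it shows the bare response failing all six checks and the protected one failing only "Public Key Pinning". The same `auditSecurityHeaders` function can be pointed at the headers of a real deployment (for example the object returned by `res.getHeaders()` in a test) to confirm that `helmet()` is actually in the middleware chain before your routes.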
Use SSL/TLS

While Express configures a lot for you, it doesn't come preinstalled with a valid SSL certificate. You must acquire your own SSL certificate and configure your server to use SSL/TLS. For more on configuring your app to use SSL/TLS, see our article on free SSL with Let's Encrypt.

Use Cookies Correctly

When starting out with Express, many developers are quick to use express-session or cookie-session for session management. While these provide quick solutions for saving session data, they aren't secure or production-ready out of the box. For example, the express-session middleware uses MemoryStore as its default server-side session storage, which doesn't scale past a single process and leaks memory by default. Which settings matter depends on the session middleware you choose, but be sure to investigate the configuration necessary to make it production ready.
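The express-session options that decide whether a deployment is production-ready are a handful of fields: the signing secret, the store, and the cookie flags. Below is an added example (not from the article or from the express-session project) with a function that builds a hardened options object using express-session's real option names, and an audit function that lists what is wrong with a given configuration. The secret value and the store object are labelled stand-ins; in a real app the secret comes from the environment and the store is a connect-redis or similar instance.

```javascript
'use strict';

// Builds an options object for express-session. Option names (secret, name,
// resave, saveUninitialized, store, cookie.*) are express-session's own.
function sessionOptions({ secret, store, production }) {
  return {
    secret,                   // signs the session id cookie; load from the environment, never hard-code
    name: 'sid',              // the default 'connect.sid' advertises the middleware in use
    resave: false,
    saveUninitialized: false, // no cookie and no stored record until something is put in the session
    store,                    // undefined makes express-session fall back to MemoryStore
    cookie: {
      httpOnly: true,         // not readable from document.cookie
      secure: production,     // only sent over HTTPS (needs app.set('trust proxy', 1) behind a proxy)
      sameSite: 'lax',        // not attached to cross-site POSTs
      maxAge: 60 * 60 * 1000, // one hour, in milliseconds
    },
  };
}

// Lists the reasons a given express-session configuration is not production-ready.
// Defaults assumed here are express-session's: httpOnly true, secure false,
// saveUninitialized true, no store.
function auditSessionOptions(opts) {
  const problems = [];
  const secrets = Array.isArray(opts.secret) ? opts.secret : [opts.secret];
  if (!secrets[0] || secrets.some(s => typeof s !== 'string' || s.length < 32)) {
    problems.push('secret missing or shorter than 32 characters');
  }
  if (!opts.store) {
    problems.push('no store configured: defaults to MemoryStore, which leaks and does not scale');
  }
  const c = opts.cookie || {};
  if (c.secure !== true) problems.push('cookie.secure is not true: session id may travel over plaintext HTTP');
  if (c.httpOnly === false) problems.push('cookie.httpOnly is false: session id readable by page scripts');
  if (!c.sameSite) problems.push('cookie.sameSite unset: cookie is sent on cross-site requests');
  if (!c.maxAge && !c.expires) problems.push('no maxAge/expires: session cookie never expires on its own');
  if (opts.saveUninitialized !== false) problems.push('saveUninitialized not false: every visitor gets a stored session');
  return problems;
}

// Compare the quick-start configuration the article warns about with a hardened one.
function demo() {
  // Constructed: the kind of copy-paste setup seen in tutorials.
  const quickStart = { secret: 'keyboard cat', resave: false, saveUninitialized: true };

  // Stand-in for a real Store implementation such as connect-redis.
  const stubStore = { description: 'stand-in for a real session store' };
  const hardened = sessionOptions({
    secret: 'REPLACE_WITH_A_LONG_RANDOM_VALUE_FROM_THE_ENVIRONMENT_0123456789', // placeholder
    store: stubStore,
    production: true,
  });

  return {
    quickStart: auditSessionOptions(quickStart),
    hardened: auditSessionOptions(hardened),
  };
}

// In an app: app.use(session(sessionOptions({
//   secret: process.env.SESSION_SECRET, store: new RedisStore({ client }),
//   production: process.env.NODE_ENV === 'production' })));
console.log(demo());
```

The quick-start object trips every check (short secret, MemoryStore, no cookie flags, sessions saved for anonymous visitors) while the hardened one passes clean. Running `auditSessionOptions` against the options you actually pass to `session()` in a startup test is a cheap way to catch a `secure: false` or a missing store before it reaches production.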

Express Security - Other Considerations

If you're using Express then you are probably using other npm modules with your Node.js project. While npm is a great package manager, it does have its security vulnerabilities. It's important to make sure that the other dependencies you use with Express are secure themselves. As a best practice, use only versions of dependencies that don't have known vulnerabilities. You can also use tools like nsp to check your dependency tree for any potential issues.

Conclusion

Keeping your Express app secure is almost as easy as using Express itself. Helmet lets you quickly bootstrap your Express instance with common preventative measures, and SSL/TLS has become a standard part of web hosting anyway. Keeping dependencies updated and using the latest stable version of Express will allow you to protect yourself against vulnerabilities while still benefiting from the lightweight nature of Express.

Your thoughts?