Last modified: April 26, 2017
Express is one of the most popular web frameworks for Node.js. It's extremely lightweight and allows developers to quickly write web applications and APIs. Although it requires minimal configuration and is easy for even novice developers to implement, Express does have its security vulnerabilities. In this article, we discuss such vulnerabilities and the steps you can take to keep your Express app secure.
Only use Express version 4.0 or later. Prior versions have been deprecated and are no longer actively maintained by the Express team. More recent versions of Express (4.14) have built in protection against Cross-Site Request Forgery (CSRF). By having the latest stable version of Express, you ensure you are working with the team's latest and greatest.
Helmet is a simple node module that makes your app inherently more secure. It's extremely easy to implement. For an example of implementing helmet, see below
var helmet = require('helmet')
Notice how all we are doing is bootstrapping our Express instance with Helmet. Helmet addresses the vast majority of vulnerabilities seen with network communication and HTTP. Specifically, Helmet addresses the following security related issues:
While Express configures a lot for you, it doesn't come preinstalled with a valid SSL certificate. You must acquire your own SSL certificate and configure your server to use SSL/TLS. For more on configuring your app to use SSL/TLS, see our article on free SSL with Let's Encrypt.
When starting out with Express, many developers are quick to use express-session or cookie-session for session management. While these provide quick solutions for saving session data etc., they aren't inherently secure and meant for production. For example, the express-session middleware uses MemoryStore as a default server-side session storage. This doesn't scale well and leaks memory by default. It will depend on what tool you use for cookie sessions but be sure to investigate the appropriate configuration necessary to make your session management middleware production ready.
If your using Express then you are probably using other npm modules with your Node.js project. While npm is a great package manager, it does have its security vulnerabilities. It's important to make sure that other dependencies you use with Express are secure themselves. As best practice, use only versions of dependencies that don't have known vulnerabilities. You can also use things like nsp to check your dependency tree for any potential issues.
Keeping your Express app secure is almost as easy as using Express itself. While things like Helmet allow you to quickly bootstrap your Express instance with common preventative measures, using things like SSL/TLS have become a standard part of web hosting anyway. Keeping dependencies updated and using the latest stable version of Express will allow you to protect yourself against vulnerabilities while still benefiting from the lightweight nature of Express.