Contents

• Tools
  • Web Framework Hardening
  • Static Code Analysis
  • Dynamic Application Security Testing
  • Input/Output Validation
  • Secure Composition
  • CSRF
  • Vulnerabilities and Security Advisories
  • Security Hardening
• Security Incidents
• Educational
  • Hacking Playground
  • Articles
  • Research Papers
  • Books
  • Roadmaps
• Companies

Tools

Web Framework Hardening

• Helmet - Helmet helps you secure your Express apps by setting various HTTP headers.
• koa-helmet - koa-helmet helps you secure your Koa apps by setting various HTTP headers.
• blankie - CSP plugin for hapi.
• fastify-helmet - fastify-helmet helps you secure your fastify apps by setting important secutiry headers.
• nuxt-security - Security Module for Nuxt based on OWASP Top 10 and Helmet.

Static Code Analysis

• eslint-plugin-security - ESLint rules for Node Security. This project will help identify potential security hotspots, but finds a lot of false positives which need triage by a human.
• tslint-plugin-security - TSLint rules for Node Security. This project will help identify potential security hotspots, but finds a lot of false positives which need triage by a human.
• safe-regex - detect potentially catastrophic exponential-time regular expressions by limiting the star height to 1.
• vuln-regex-detector - This module lets you check a regex for vulnerability. In JavaScript, regular expressions (regexes) can be "vulnerable": susceptible to catastrophic backtracking. If your application is used on the client side, this can be a performance issue. On the server side, this can expose you to Regular Expression Denial of Service (REDOS).
• git-secrets - Prevents you from committing secrets and credentials into git repositories.
• DevSkim - DevSkim is a set of IDE plugins and rules that provide security "linting" capabilities. Also has support for CLI so it can be integrated into CI/CD pipeline.
• ban-sensitive-files - Checks filenames to be committed against a library of filename rules to prevent storing sensitive files in Git. Checks some files for sensitive contents (for example authToken inside .npmrc file).
• NodeJSScan - A static security code scanner for Node.js applications. Including neat UI that can point where the issue is and how to fix it.
• Nsecure - Node.js CLI that allow you to deeply analyze the dependency tree of a given npm package or a directory.
• Trust But Verify - TBV compares an npm package with its source repository to ensure the resulting artifact is the same.
• lockfile-lint - lint lockfiles for improved security and trust policies to keep clean from malicious package injection and other insecure configurations.
• pkgsign - A CLI tool for signing and verifying npm and yarn packages.
• semgrep - Open-source, offline, easy-to-customize static analysis for many languages. Some others on this list (NodeJSScan) use semgrep as their engine.
• npm-scan - An extensible, heuristic-based vulnerability scanning tool for installed npm packages.
• js-x-ray - JavaScript and Node.js SAST scanner capable of detecting various well-known malicious code patterns (Unsafe import, Unsafe stmt, Unsafe RegEx, encoded literals, minified and obfuscated codes).
• cspscanner - CSP Scanner helps developers and security experts to easily inspect and evaluate a sites Content Security (CSP).
• eslint-plugin-anti-trojan-source - ESLint plugin to detect and prevent Trojan Source attacks from entering your codebase.
• sdc-check - Small tool to inform you about potential risks in your project dependencies list
• fix-lockfile-integrity - A CLI tool to fix weak integrity hash (sha1) to a more secure integrity hash (sha512) in your npm lockfile.

Dynamic Application Security Testing

• PurpleTeam - A security regression testing SaaS and CLI, perfect for inserting into your build pipelines. You dont need to write any tests yourself. purpleteam is smart enough to know how to test, you just need to provide a Job file which tells purpleteam what you want tested.

Input Validation & Output Encoding

• node-esapi - node-esapi is a minimal port of the ESAPI4JS (Enterprise Security API for JavaScript) encoder.
• escape-html - Escape string for use in HTML.
• js-string-escape - Escape any string to be a valid JavaScript string literal between double quotes or single quotes.
• validator - An npm library of string validators and sanitizers.
• xss-filters - Just sufficient output filtering to prevent XSS!
• DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.
• envalid - Envalid is a small library for validating and accessing environment variables in Node.js.

Secure Composition

• pug-plugin-trusted-types - Pug template plugin makes it easy to securely compose HTML from untrusted inputs and provides CSP & CSRF automagic.
• safesql - A tagged template (mysql`...`) that understands Postgres's & MySQL's query grammar to prevent SQL injection.
• sh-template-tag - A tagged template (sh`...`) that understands Bash syntax so prevents shell injection.

CSRF

• csurf - Node.js CSRF protection middleware.
• crumb - CSRF crumb generation and validation for hapi.
• fastify-csrf - A plugin for adding CSRF protection to fastify.

Vulnerabilities and Security Advisories

• npq - Safely install packages with npm or yarn by auditing them as part of your install process.
• snyk - Snyk helps you find, fix and monitor known vulnerabilities in Node.js npm, Ruby and Java dependencies, both on an ad hoc basis and as part of your CI (Build) system.
• node-release-lines - Introspection API for Node.js release metadata. Provides information about release lines, their relative status along with details of each release.
• auditjs - Audits an NPM package.json file to identify known vulnerabilities using the OSSIndex.
• npm-audit - Runs a security audit based on your package.json using npm.
• npm-audit-resolver - Manage npm-audit results, including options to ignore specific issues in clear and auditable way.
• gammaray - Runs a security audit based on your package.json using the Node.js Security Working Group vulnerability data.
• patch-package - Allows app authors to create fixes for npm dependencies (in node_modules) without forking or waiting for merged PRs, by creating and applying patches.
• check-my-headers - Fast and simple way to check any HTTP Headers.
• is-website-vulnerable - finds publicly known security vulnerabilities in a website's frontend JavaScript libraries.
• joi-security - Detect security flaws in Joi validation schemas.
• confused - Tool to check for dependency confusion vulnerabilities in multiple package management systems. See Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies for reference on the reasoning for this tool.

Security Hardening

• hijagger - Checks all maintainers of all npm and PyPI packages for hijackable packages through domain re-registration.
• snync - Mitigate security concerns of Dependency Confusion supply chain security risks.
• NopPP - No Prototype Pollution - Tiny helper to protect against Prototype Pollution vulnerabilities in your application regardless if they introduced in your own code or in 3rd-party code.
• anti-trojan-source - Detect trojan source attacks that employ unicode bidi attacks to inject malicious code.
• express-limiter - Rate limiting middleware for Express applications built on redis.
• limits - Simple express/connect middleware to set limit to upload size, set request timeout etc.
• rate-limiter-flexible - Fast, flexible and friendly rate limiter by key and protection from DDoS and brute force attacks in process Memory, Cluster, Redis, MongoDb, MySQL, PostgreSQL at any scale. Express and Koa examples included.
• tor-detect-middleware Tor detect middleware for express
• express-enforces-ssl Enforces SSL for Express based Node.js projects. It is however highly advised that you handle SSL and global HTTP rules in a front proxy.
• bourne JSON.parse() drop-in replacement with prototype poisoning protection.
• fastify-rate-limit A low overhead rate limiter for your routes.
• secure-json-parse JSON.parse() drop-in replacement with prototype poisoning protection.
• express-brute A brute-force protection middleware for express routes that rate-limits incoming requests, increasing the delay with each request in a fibonacci-like sequence.
• allowed-scripts Execute allowed npm install lifecycle scripts.

Security Incidents

Protestware supply chain security issues

The following is a list of known protestware spanning across other ecosystems too:

• PyPI package author of atomicwrites deletes his own code
• left-pad
• event-source-polyfill, Mariusz Nowak and their es5-ext, Evan Jacobs and their styled-components, node-ipc, peacenotwar, nestjs-pino - all with regards to the Russian-Ukraine crisis.
• The Open Souce Peace organization maintains a list of identified protestware incidents.

Articles covering the topics around protestware are:

• 2022's Techcrunch protestware review
• 2022's Snyk protestware types

npm and JavsScript specific security incidents and supply chain security issues

Collection of security incidents that happened in the Node.js, JavaScript and npm related communities with supporting articles:

Follow-up notes:

• A resource for malicious incidents is BadJS - a repository of malicious JavaScript that has been found in websites, extensions, npm packages, and anywhere else JavaScript lives.
• npm zoo is an archive keeping track of the original malicious packages source code for educational purposes.

Educational

Hacking Playground

• OWASP NodeGoat - The OWASP NodeGoat project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.
• OWASP Juice Shop - The OWASP Juice Shop is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws.
• DomGoat - Client XSS happens when untrusted data from sources ends up in sinks. Information and excercises on different sources, different sinks and example of XSS occuring due to them in the menu on the left-hand side.

Articles

• A Roadmap for Node.js Security (original domain https://nodesecroadmap.fyi/ not available. See #42)
• 10 npm security best practices
• OWASP Cheat Sheet Series - Node.js Security Cheat Sheet
• What is a backdoor? Lets build one with Node.js
• The Anatomy of a Malicious Package
• Why npm lockfiles can be a security blindspot for injecting malicious modules
• GitHub Actions to securely publish npm packages
• Top 11 Node.js security best practices | Sqreen.com
• A Tale of (prototype) Poisoning

Research Papers

• Deep dive into Visual Studio Code extension security vulnerabilities

Books

• Secure Your Node.js Web Application: Keep Attackers Out and Users Happy by Karl Duuna, 2016
• Essential Node.js Security by Liran Tal, 2017 - Hands-on and abundant with source code for a practical guide to Securing Node.js web applications.
• Securing Node JS Apps by Ben Edmunds, 2016 - Learn the security basics that a senior developer usually acquires over years of experience, all condensed down into one quick and easy handbook.
• Web Developer Security Toolbox - Bundled Node.js and Web Security Books.
• Thomas Gentilhomme book: Become a Node.js Developer

Roadmaps

• Node.js Developer Roadmap

Companies

• Snyk - A developer-first solution that automates finding & fixing vulnerabilities in your dependencies.
• Sqreen - Automated security for your web apps - real time application security protection.
• NodeSource - Mission-critical Node.js applications. Provides N|Solid and Node Certified Modules.
• GuardRails - A GitHub App that gives you instant security feedback in your Pull Requests.
• NodeSecure - An organization of developers building free and open source JavaScript/Node.js security tools.

Contributing

Found an awesome project, package, article, other type of resources related to Node.js Security? Send me a pull request! Just follow the guidelines. Thank you!

say hi on Twitter

License