Node.js Security

Everyone knows how security is very important to our application. So i have put together this checklist to help you guide through the must have security checks before your application is enabled to thousands of users.

Use TLS ( Transport Layer Security)

If you transmits sensitive data, use Transport Layer Security (TLS) to secure the connection and the data. TLS encrypts data before it is sent from the client to the server, thus preventing some common (and easy) hacks.

Disable X-Powered-By header:

If you don’t want to use Helmet, then at least disable the X-Powered-By header. Attackers can use this header to detect apps running Express and then launch specifically-targeted attacks and it is enabled by default.


session cookie name (Use securely):

Don’t use the default session cookie name. Because default session cookie name can open your app to attacks. To avoid this attack, use generic session cookie name.

For example:

var session = require('express-session');
app.set('trust proxy', 1); // trust first proxy
  secret: 's3Cur3',
  name: 'sessionId'

cookie security options:

Set the following cookie options to enhance security:

secure      – This attribute tells that the browser only sends the cookie over HTTPS.
httpOnly  – this attribute is used to help prevent attacks such as cross-site scripting, since it does not allow the cookie to be accessed via JavaScript.
domain    – this attribute is used to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next.
path           – it indicates the path of the cookie; this attribute is used to compare against the request path. If this and domain match, then send the cookie in the request.
expires     – use to set expiration date for persistent cookies.

Example: using cookie-session middleware:

var session = require('cookie-session')
var express = require('express')
var app = express()

var expiryDate = new Date( + 60 * 60 * 1000)
  name: 'session',
  keys: ['key1', 'key2'],
  cookie: {
    secure: true,
    httpOnly: true,
    domain: '',
    path: 'user/list',
    expires: expiryDate


Helmet is actually a collection of nine smaller middleware functions that set security-related HTTP headers. It can help protect your app from some known web vulnerabilities by setting HTTP headers appropriately.

sets the Content-Security-Policy header to help prevent cross-site scripting attacks and other cross-site injections.
Removes the X-Powered-By header. Because attackers can use this header to detect apps running in Express.
Adds Public Key Pinning headers to prevent man-in-the-middle attacks with forged certificates.
sets Strict-Transport-Security header that enforces secure (HTTP over SSL/TLS) connections to the server.
sets X-Download-Options for IE8+.
sets Cache-Control and Pragma headers to disable client-side caching.
sets X-Content-Type-Options to prevent browsers from MIME-sniffing a response away from the declared content-type.
sets the X-Frame-Options header to provide clickjacking protection.
sets X-XSS-Protection to enable the Cross-site scripting (XSS) filter in most recent web browsers.

Don’t use deprecated versions of Express:

Please use latest express version(4.x). Because lower version no longer maintained. So Security and performance issues in these versions won’t be fixed.
If you haven’t moved to version 4, follow the migration guide.


Use csurf middleware to protect against cross-site request forgery (CSRF).

I think this may helpful to you. Thank you.

Share On Facebook
Share On Twitter
Share On Google Plus
Share On Linkedin
Share On Pinterest

Be the first to comment

Leave a Reply

Your email address will not be published.