What Is Secure By Design?
15 June 2019
Secure by design is a software development practice in which security is built in from the start: the software is designed from the ground up to be secure, rather than having security bolted on after the fact.
A good developer acknowledges that no code is perfect. Vulnerabilities can appear in your own code or in a third-party library, so the goal is to minimize both the likelihood and the impact of such vulnerabilities. I want to share practical tips on how to make our JavaScript apps more secure.
- Always validate user input, and avoid writing your own validation library. Use a well-tested, actively maintained one such as Validator.js instead. Validate on the server even when the client already validates, because client-side checks are trivially bypassed, and prefer allowlists (what a field may contain) over denylists (what it must not contain).
- Always sanitize user input. Sanitization means transforming submitted data into the shape you expect and can safely process, for example trimming whitespace, normalizing an email address or stripping characters that are never valid for the field. The good news is that Validator.js supports sanitization too. Note that sanitizing input is not a substitute for the next point: data that is safe to store is not automatically safe to render.
- If you show any user-provided data on a web page, encode (escape) it for the context in which it is rendered, right before displaying it. Otherwise a user can inject markup and script into the page, which is a cross-site scripting (XSS) attack. The encoding must match the context: HTML body, HTML attribute, JavaScript and URL each need different escaping. The xss-filters library provides the appropriate filters for you.
- If you allow file uploads, limit what users are allowed to upload. If a user can upload an avatar, there is no point in accepting music files or very large files: cap the size, accept only the expected content types, and never trust the file name or extension supplied by the client. If you use Express.js, the Multer library lets you set size limits and filter out unexpected files.
- Add rate limiting, because without it your application can be subjected to an attack that results in a denial of service, where real users receive a degraded or unavailable service. Rate limiting also slows down brute-force and credential-stuffing attacks against login endpoints. A good starting point is express-rate-limiter. If you key the limit on the client IP behind a load balancer or reverse proxy, only trust the forwarded address when it comes from your own proxy.
- If you need authentication, don't reinvent the wheel. Rely on existing, battle-proven technology, but first understand how it works, because a misconfigured library is as dangerous as a home-grown one. Consider using Passport.js for authenticating your apps.
- Protect sensitive data at rest, and treat passwords as a special case. Never store passwords in plain text, and don't encrypt them either: encryption is reversible, so whoever steals the key gets every password. Store only a salted hash computed with a slow, purpose-built password hashing function. The salt is a random value, unique for each password and stored next to the hash; without it, identical passwords produce identical hashes and an attacker can use precomputed so-called rainbow tables to reverse a stolen database in bulk. Functions such as bcrypt generate the salt for you and let you tune the cost so the hash stays slow to compute as hardware gets faster.
- Hide error details from clients. Otherwise sensitive application details such as server file paths, the third-party modules in use and other internals leak through the stack trace. Register a catch-all error handler that returns a generic message to the client and logs the full error server-side; note that Express's built-in error handler writes the stack trace into the response unless NODE_ENV is set to production. Code review is the best tool for catching the places where an error object is passed straight into a response. 👀
- Use code linters not only for checking your code style but also for finding security issues early in development. I use a special plugin for ESLint.
- Scan your dependencies for known vulnerabilities, upgrade outdated ones and replace vulnerable ones with safer alternatives. Snyk offers a free tool for scanning your dependencies, and npm audit, built into npm, is another. Run the scan in CI as well, so a newly disclosed vulnerability in a dependency you have not touched still gets noticed.
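The first three tips are often blurred together, so here is an added example (not code from the original post, nor from Validator.js or xss-filters) that keeps them apart using only Node.js built-ins: an allowlist validator for a username, a sanitizer for a free-form bio, and an HTML encoder applied at render time. The field names, the rules and the sample payload are assumptions made for the demo.

```javascript
// Added example (not code from the original post, Validator.js or xss-filters):
// validation, sanitization and output encoding as three separate steps, using
// only Node.js built-ins. The field names, rules and sample payload are
// assumptions made for the demo.

// 1. Validation: allowlist exactly what a username may contain and reject
//    everything else rather than trying to "repair" it.
const USERNAME_RE = /^[a-z0-9_]{3,20}$/i;

function validateUsername(raw) {
  if (typeof raw !== 'string') return { ok: false, reason: 'not a string' };
  if (!USERNAME_RE.test(raw)) return { ok: false, reason: 'invalid length or characters' };
  return { ok: true, value: raw };
}

// 2. Sanitization: normalize free-form text into the shape we expect
//    (no control characters, single spaces, bounded length). '<' and '&' are
//    deliberately left alone: they are legal in a bio and only become
//    dangerous at render time, which is step 3's job.
function sanitizeBio(raw, maxLen = 200) {
  if (typeof raw !== 'string') return '';
  return raw
    .replace(/[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/g, '') // drop control chars
    .replace(/\s+/g, ' ')
    .trim()
    .slice(0, maxLen);
}

// 3. Output encoding for the HTML body/attribute context. A different context
//    (inside a <script> block or a URL) would need a different encoder.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function renderProfile(username, bio) {
  return `<h1>${escapeHtml(username)}</h1><p>${escapeHtml(bio)}</p>`;
}

// Constructed sample input: a bio carrying a classic XSS payload plus a
// stray BEL control character and sloppy whitespace.
const SAMPLE_BIO = '  Hello!\u0007  <img src=x onerror="alert(1)">  ';

function renderDemo() {
  const user = validateUsername('alice_01');
  const attacker = validateUsername('<script>');
  const bio = sanitizeBio(SAMPLE_BIO);
  const html = renderProfile(user.value, bio);
  return { user, attacker, bio, html };
}

console.log(renderDemo().html);
```

The sanitized bio still contains the `<img ...>` text, which is correct: it is harmless in the database and becomes harmless in the page only because `escapeHtml` runs at the point where the string meets HTML. Moving the escaping into `sanitizeBio` would break as soon as the same field is rendered somewhere that is not HTML.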
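To make the salting point concrete, here is an added example (not code from the original post or from bcrypt) that uses Node's built-in `crypto.scrypt`, which, like bcrypt, is a slow, salted password hash with a tunable cost. It shows that two hashes of the same password differ, that verification re-derives the key from the stored salt and compares in constant time, and, for contrast, that an unsalted fast hash collides for equal passwords. The stored-string format and the cost parameters are assumptions chosen for the demo.

```javascript
// Added example (not code from the original post or from bcrypt): salted
// password hashing with Node's built-in crypto.scrypt. The stored-string
// format and the cost parameters are assumptions chosen for the demo.
const crypto = require('node:crypto');

const SCRYPT_COST = { N: 2 ** 14, r: 8, p: 1 }; // about 16 MiB of memory per hash
const KEY_LEN = 32;

// Produces "scrypt$<N>$<salt hex>$<key hex>". A fresh random salt is drawn
// for every call, so hashing the same password twice gives two different strings.
function hashPassword(password) {
  const salt = crypto.randomBytes(16);
  const key = crypto.scryptSync(password, salt, KEY_LEN, SCRYPT_COST);
  return `scrypt$${SCRYPT_COST.N}$${salt.toString('hex')}$${key.toString('hex')}`;
}

// Re-derives the key with the stored salt and compares in constant time, so the
// comparison itself does not leak how many leading bytes matched.
function verifyPassword(password, stored) {
  const parts = String(stored).split('$');
  if (parts.length !== 4 || parts[0] !== 'scrypt') return false;
  const N = Number(parts[1]);
  const salt = Buffer.from(parts[2], 'hex');
  const expected = Buffer.from(parts[3], 'hex');
  if (!Number.isInteger(N) || salt.length === 0 || expected.length === 0) return false;
  const actual = crypto.scryptSync(password, salt, expected.length, { ...SCRYPT_COST, N });
  return crypto.timingSafeEqual(actual, expected);
}

// The anti-pattern the post warns about: an unsalted fast hash is a pure
// function of the password, so equal passwords collide and one precomputed
// table (a rainbow table) cracks every user at once.
function unsaltedHash(password) {
  return crypto.createHash('sha256').update(password).digest('hex');
}

function passwordDemo() {
  const pw = 'correct horse battery staple'; // constructed sample password
  const stored1 = hashPassword(pw);
  const stored2 = hashPassword(pw);
  return {
    saltedHashesDiffer: stored1 !== stored2,
    unsaltedHashesCollide: unsaltedHash(pw) === unsaltedHash(pw),
    acceptsCorrect: verifyPassword(pw, stored1),
    rejectsWrong: verifyPassword('Correct horse battery staple', stored1),
    rejectsGarbage: verifyPassword(pw, 'not-a-hash'),
  };
}

console.log(passwordDemo());
```

Storing the cost parameter inside the hash string is what lets you raise the cost later: old records still verify with their recorded N, and you can re-hash them at the user's next successful login.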
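The rate-limiting tip is easier to reason about with the window logic in front of you, so here is an added example (not the express-rate-limiter library's code): a minimal in-memory sliding-window limiter keyed by client IP, with an injectable clock so the behaviour at the window boundary can be exercised deterministically, run over a constructed request sequence. The limit, window size and request log are assumptions for the demo.

```javascript
// Added example (not the express-rate-limiter library's code): a minimal
// in-memory sliding-window limiter keyed by client IP, with an injectable
// clock. The limit, window and request sequence are constructed for the demo.
class SlidingWindowLimiter {
  constructor({ limit, windowMs, now = () => Date.now() }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.hits = new Map(); // key -> timestamps of accepted requests in the window
  }

  // Returns { allowed: true, remaining } or { allowed: false, retryAfterMs }.
  check(key) {
    const t = this.now();
    const cutoff = t - this.windowMs;
    const recent = (this.hits.get(key) || []).filter((ts) => ts > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      // The oldest hit still in the window decides when the next slot frees up.
      return { allowed: false, retryAfterMs: recent[0] + this.windowMs - t };
    }
    recent.push(t);
    this.hits.set(key, recent);
    return { allowed: true, remaining: this.limit - recent.length };
  }

  // Call periodically: otherwise keys that went quiet stay in memory forever,
  // which is itself a way for an attacker to exhaust your memory.
  prune() {
    const cutoff = this.now() - this.windowMs;
    for (const [key, ts] of this.hits) {
      const recent = ts.filter((x) => x > cutoff);
      if (recent.length === 0) this.hits.delete(key);
      else this.hits.set(key, recent);
    }
  }
}

// Constructed request log: [client IP, milliseconds since start].
const REQUESTS = [
  ['10.0.0.1', 0], ['10.0.0.1', 100], ['10.0.0.1', 200], ['10.0.0.1', 300],
  ['10.0.0.2', 300], ['10.0.0.1', 1001], ['10.0.0.1', 1050],
];

function simulate() {
  let clock = 0;
  const limiter = new SlidingWindowLimiter({ limit: 3, windowMs: 1000, now: () => clock });
  const decisions = REQUESTS.map(([ip, t]) => {
    clock = t;
    return { ip, t, ...limiter.check(ip) };
  });
  clock = 5000; // well past every window: prune should empty the map
  limiter.prune();
  return { decisions, keysAfterPrune: limiter.hits.size };
}

console.log(simulate().decisions);
```

With a limit of 3 per second, the fourth request from 10.0.0.1 at 300 ms is refused with a retry-after of 700 ms, the request at 1001 ms is accepted because the hit at 0 ms has aged out, and the one at 1050 ms is refused again. Two things this toy does not do and a production limiter must: share its state across instances (a per-process map lets an attacker multiply the limit by the number of servers), and decide carefully which address to key on when the app sits behind a proxy.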
Congratulations! You’ve just become a better developer.
Want to learn more? Here is a nice article.
Want a deep-dive into secure coding? Here is a great free e-book.