NodeJS Security Using PassportJS and HelmetJS:


NodeJS Security Using PassportJS and HelmetJS: Securing backend routes and preventing XSS attacks

Preface: What is Middleware?

PassportJS
- Passport is Express middleware for Authentication
- Authentication vs Authorization
  - Authentication: Do the credentials the user has provided match what we have on record?
  - Authorization: Can this Authenticated user access this resource?
- Provides multiple Authentication "Strategies"
  - Social Media Authentication (e.g. Facebook, Google, etc.)
  - OAuth support
  - Local Strategy
- PassportJS is used in conjunction with a session library to store the Authenticated user, which I will cover later
- For the purposes of this tutorial I am going to cover Local Strategy

Local Strategy
- Local Strategy assumes that you have some method internal to the application to verify the users, e.g. user credentials stored in a DB
<Code Review>

Session Storage
- Once Authenticated, the user will be stored into the session
- Session data is data relating to your logged-in user such as id, username, role, etc.
- Either the data itself or a corresponding ID is stored in a cookie
- Two library options:
  - Express-session
    - The standard Node library for storing session data
    - Can store data server side in memory (not to be used in production)
  - Cookie-session
    - Security concerns (to be addressed)
    - Cookie size constraints: 4096 bytes

Overview: HTTPS

Overview: Man in the Middle

Cookie Session Example
Security Concern / Mitigation:
- Man in the middle attacks: "secure: true". Cookie will only be transmitted via an HTTPS connection.
- Cross site scripting attacks (XSS): "httpOnly: true". Cookie data will not be accessible to client-side JavaScript.
Bluemix-specific concerns:
- Bluemix offers SSL termination at the Datapower layer of Bluemix, therefore any traffic making its way to your application is technically HTTP.
- "secureProxy: true" and app.set('trust proxy', 1) signal to cookie-session that the application is actually getting HTTPS traffic.
- Datapower, when forwarding traffic to your application, will add the header "$wsis", which will be false if the request used HTTP. Use this to redirect traffic to use HTTPS.
<Demo>
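The cookie-session settings from the slide and the "$wsis" redirect, as an added example that is not the talk's own demo code. The header name "$wsis", the secureProxy option and the 'trust proxy' setting are from the slides; the fake response object, host names and the choice to treat a missing "$wsis" header as plain HTTP are assumptions made here so the middleware can be exercised without Express.

```javascript
// Options object for cookie-session. behindTlsTerminator is true on Bluemix,
// where the app itself only ever sees plain HTTP forwarded from Datapower.
function cookieSessionOptions(keys, behindTlsTerminator) {
  return {
    name: 'session',
    keys,                              // signing keys; rotate by prepending a new one
    secure: true,                      // Secure flag: cookie only sent over HTTPS
    httpOnly: true,                    // HttpOnly flag: not readable by client-side JS
    secureProxy: behindTlsTerminator,  // trust that the proxy terminated TLS for us
    maxAge: 60 * 60 * 1000,            // 1 hour, in ms
  };
}

// Express-style middleware: redirect to HTTPS when Datapower reports that
// the client used plain HTTP ($wsis === "false"). A missing header is treated
// as plain HTTP here (assumption: fail closed).
function requireHttpsViaWsis(req, res, next) {
  const wsis = String(req.headers['$wsis'] || 'false').toLowerCase();
  if (wsis === 'true') return next();
  // Only redirect idempotent requests: a POST body sent over HTTP has
  // already been exposed, so refuse it instead of replaying it over HTTPS.
  if (req.method !== 'GET' && req.method !== 'HEAD') {
    res.statusCode = 403;
    return res.end('HTTPS required');
  }
  res.statusCode = 301;
  res.setHeader('Location', `https://${req.headers.host}${req.url}`);
  return res.end();
}

// With the real libraries the wiring would be:
//   app.set('trust proxy', 1);
//   app.use(requireHttpsViaWsis);
//   app.use(cookieSession(cookieSessionOptions([process.env.SESSION_KEY], true)));

// Minimal stand-in for an Express response so the middleware runs offline.
function fakeRes() {
  const headers = {};
  return {
    statusCode: 200, headers, ended: false, body: undefined,
    setHeader(name, value) { headers[name] = value; },
    end(body) { this.ended = true; this.body = body; },
  };
}
```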

Helmetjs
- Helmetjs provides a variety of methods to add security to your application
- Enable "frameguard" to prevent clickjacking attacks
- Turning on "No sniff" can prevent issues caused by browsers MIME content sniffing
- The most important aspect: CSPs

Content Security Policies (CSPs)
- Added layer of security against XSS and data injection attacks
- Allows you to:
  - Restrict the domains of scripts being executed on the site.
  - Restrict inline JavaScript or eval functions from being executed.
- According to GitHub (paraphrasing): "Our ever evolving use of Content Security Policy (CSP) is our single most effective mitigation strategy against Content Injection attacks such as XSS." Source: http://githubengineering.com/githubs-csp-journey/
- CSPs work via whitelisting allowed domains / code execution methods
<Demo>
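The three Helmet features the last two slides name (frameguard, noSniff and a CSP) written as one plain middleware, added here as an example rather than taken from the talk's demo or from Helmet's source, so the resulting headers can be inspected without installing helmet. The CDN hostname in the policy is a constructed placeholder; the `weakScriptSources` check is a small deploy-time guard assumed here, not something the slides describe.

```javascript
// Build a Content-Security-Policy header value from a directive map.
// Sources are whitelisted explicitly; 'unsafe-inline' and 'unsafe-eval'
// are never added, which is what blocks inline scripts and eval().
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Return the script sources that undo the XSS protection, so a deploy check
// can refuse a policy that quietly re-enables inline JS, eval or any host.
function weakScriptSources(cspValue) {
  const directives = new Map(
    cspValue.split(';')
      .map((d) => d.trim().split(/\s+/))
      .filter((parts) => parts[0])
      .map(([name, ...sources]) => [name, sources]));
  // Browsers fall back to default-src when script-src is absent.
  const sources = directives.get('script-src') || directives.get('default-src');
  if (!sources) return ['(no script-src or default-src)'];
  return sources.filter((s) => ["'unsafe-inline'", "'unsafe-eval'", '*'].includes(s));
}

const policy = {
  'default-src': ["'self'"],
  'script-src': ["'self'", 'https://cdn.example.test'],  // placeholder CDN host
  'object-src': ["'none'"],
  'frame-ancestors': ["'none'"],                         // CSP-level framing block
};

// Express-style middleware setting what helmet.frameguard(), helmet.noSniff()
// and helmet.contentSecurityPolicy() would set.
function securityHeaders(req, res, next) {
  res.setHeader('X-Frame-Options', 'DENY');            // frameguard: no clickjacking
  res.setHeader('X-Content-Type-Options', 'nosniff');  // noSniff: no MIME sniffing
  res.setHeader('Content-Security-Policy', buildCsp(policy));
  next();
}
```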

App Demo https://securitylunchandlearn.mybluemix.net/login <Code Review>