NodeJS Security Using PassportJS and HelmetJS:

Presentation on theme: "NodeJS Security Using PassportJS and HelmetJS:"— Presentation transcript:

1 NodeJS Security Using PassportJS and HelmetJS:
Securing backend routes and preventing XSS attacks

2 Preface: What is Middleware?

3 PassportJS
- Passport is Express middleware for Authentication
- Authentication vs Authorization
  - Authentication: Do the credentials match what the user has provided?
  - Authorization: Can this Authenticated user access this resource?
- Provides multiple Authentication "Strategies"
  - Social Media Authentication (e.g. Facebook, Google, etc.)
  - OAuth support
  - Local Strategy
- PassportJS is used in conjunction with a session library to store the Authenticated user, which I will cover later
- For the purposes of this tutorial I am going to cover Local Strategy

4 Local Strategy
- Local Strategy assumes that you have some method internal to the application to verify the users, e.g. user credentials stored in a DB
<Code Review>

5 Session Storage
- Once Authenticated, the user will be stored into the session
- Session data is data relating to your logged in user, such as id, username, role, etc.
- Either the data itself or a corresponding ID is stored in a cookie
- Two library options:
  - Express-session
    - The standard Node library to be used for storing session data
    - Can store data server side in memory (Not to be used in production)
  - Cookie-session
    - Security concerns (To be addressed)
    - Cookie size constraint: 4096 bytes

6 Overview: HTTPS

7 Overview: Man in the Middle

8 Cookie Session Example
| Security Concern | Mitigation |
| --- | --- |
| Man in the middle attacks | "secure: true": cookie will only be transmitted via an HTTPS connection |
| Cross site scripting attacks (XSS) | "httpOnly: true": cookie data will not be accessible by client side JavaScript |
| Bluemix specific concerns: Bluemix offers SSL termination at the Datapower layer of Bluemix, therefore any traffic making its way to your application is technically HTTP | "secureProxy: true" and app.set('trust proxy', 1) to signal to cookie-session that the application is actually getting HTTPS traffic |
| Datapower, when forwarding traffic to your application, will add the header "$wsis", which will be false if the request used HTTP | Use this to redirect traffic to use HTTPS |

<Demo>
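The mitigations on this slide as Node/Express code, added here as an example and not code from the slides or the demo app. The option names secure, httpOnly and secureProxy, the app.set('trust proxy', 1) call and the $wsis header come from the slide; the session name, key placeholder, maxAge and the helper names requireHttps and applySessionHardening are assumptions.

```javascript
// Constructed cookie-session options implementing the slide's mitigations.
// `name`, `keys` and `maxAge` are placeholders; the three flags are the slide's.
const cookieSessionOptions = {
  name: 'session',
  keys: ['REPLACE_WITH_SIGNING_KEY'], // placeholder: load real keys from a secret store
  secure: true,       // cookie is only sent over HTTPS (man-in-the-middle mitigation)
  httpOnly: true,     // cookie is not readable by client-side JavaScript (XSS mitigation)
  secureProxy: true,  // TLS is terminated upstream (Bluemix Datapower): trust the proxy
  maxAge: 60 * 60 * 1000,
};

// Express-style middleware. Datapower adds "$wsis" when forwarding; the slide says it
// is false when the original request used HTTP, so those requests are redirected to
// HTTPS. Node lowercases header names, hence the '$wsis' key. Requests without the
// header (assumption: the app also runs locally, outside Bluemix) pass through.
function requireHttps(req, res, next) {
  const wsis = req.headers['$wsis'];
  if (wsis !== undefined && String(wsis).toLowerCase() === 'false') {
    const target = 'https://' + req.headers.host + (req.originalUrl || req.url);
    res.redirect(301, target);
    return;
  }
  next();
}

// Wire it onto an Express app: trust the first proxy hop (the slide's
// app.set('trust proxy', 1)), redirect before any cookie is issued, then mount
// cookie-session. `cookieSession` is injected so this runs without the package
// installed; in a real app pass require('cookie-session').
function applySessionHardening(app, cookieSession) {
  app.set('trust proxy', 1);
  app.use(requireHttps);
  app.use(cookieSession(cookieSessionOptions));
  return app;
}
```

The redirect middleware must be mounted before cookie-session so that no session cookie is ever issued on a plain-HTTP request.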

9 Helmetjs
- Helmetjs provides a variety of methods to add security to your application
- Enable "frameguard" to prevent clickjacking attacks
- Turning on "No sniff" can prevent issues caused by browser MIME content sniffing
- The most important aspect: CSPs

10 Content Security Policies (CSPs)
- Added layer of security against XSS and data injection attacks
- Allows you to:
  - Restrict the domains of scripts being executed on the site.
  - Restrict inline JavaScript or eval functions from being executed.
- According to Github (Paraphrasing): "Our ever evolving use of Content Security Policy (CSP) is our single most effective mitigation strategy against Content Injection attacks such as XSS." Source:
- CSPs work via whitelisting allowed domains / code execution methods
<Demo>

11

12 App Demo https://securitylunchandlearn.mybluemix.net/login
<Code Review>

