<p>I wrote a blog post that gives a great starting point on <a href="https://blog.liftsecurity.io/2012/12/07/writing-secure-express-js-apps">Writing Secure Express.js Apps</a>. It covers a few other things beyond csrf and helmet, as was mentioned by zeMirco.</p>
<p>The other thing is you can't compare express.js to rails. They are apples and oranges. For example, there is no ORM bundled with Express; that implementation, or the use of a third-party module, is up to you.</p>
<p>I'll try and give a breakdown of each of your concerns.</p>
<pre><code>-Injection Vulnerabilities (JavaScript, SQL, Mongo, HTML) </code></pre>
<p>Again, these are things not built into express. The closest thing would be XSS worries over injection in templates. Jade or EJS templates that are commonly used with express output-encode &lt; > " ' and &amp; by default, but remember there are other contexts, like user input into JavaScript or CSS, that you would need to worry about.</p>
<pre><code>-Session fixation and hijacking </code></pre>
<p>Again, see the blog post above, but Express is based on and uses most of the <a href="http://www.senchalabs.org/connect/">connect</a> middleware; one of these is the session middleware. The biggest thing here is to properly set your cookie flags.</p>
<pre><code>-Cross-Site Vulnerabilities (Scripting, Request Forgery) </code></pre>
<p>See above. It also comes with express.csrf() middleware. The blog post mentioned shows how to implement it.</p>
<pre><code>-Mass Assignment </code></pre>
<p>Not an issue with express.js, as it has no concepts to which this type of vulnerability would be applicable; however, the custom logic you write may in fact be vulnerable to this problem, so again it's a matter of verifying whether your code is vulnerable or whether the third-party module you used is...</p>
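<p>An added example, not code from the answer above or from Express or express-session: it renders the kind of <code>cookie:</code> options express-session accepts into a Set-Cookie header and audits the flags the answer says matter (HttpOnly, Secure, and the newer SameSite attribute). The session id and header strings are constructed, so it runs without Express installed.</p>

```javascript
// Cookie options in the shape express-session accepts under `cookie:` (assumed
// names: httpOnly, secure, sameSite, maxAge). Leaving secure/sameSite unset and
// httpOnly off is the weak configuration.
const weakCookie = { httpOnly: false, secure: false };
const hardenedCookie = {
  httpOnly: true,   // not readable via document.cookie, so XSS cannot read the session id
  secure: true,     // only ever sent over HTTPS
  sameSite: 'lax',  // dropped from most cross-site requests; complements, not replaces, a CSRF token
  maxAge: 30 * 60 * 1000, // ms; short sessions shrink the window in which a hijacked id is useful
};

// Render options to a Set-Cookie header the way a session middleware would.
function setCookieHeader(name, value, opts) {
  const parts = [`${name}=${encodeURIComponent(value)}`, 'Path=/'];
  if (opts.maxAge) parts.push(`Max-Age=${Math.floor(opts.maxAge / 1000)}`);
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite[0].toUpperCase()}${opts.sameSite.slice(1)}`);
  return parts.join('; ');
}

// Parse a Set-Cookie header into { name, value, attrs } with lower-cased attribute keys.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: decodeURIComponent(pair.slice(eq + 1)), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    cookie.attrs[(i === -1 ? a : a.slice(0, i)).toLowerCase()] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// List what is wrong with a session cookie's flags; an empty list means it passes.
function auditSessionCookie(header) {
  const { attrs } = parseSetCookie(header);
  const problems = [];
  if (attrs.httponly !== true) problems.push('missing HttpOnly');
  if (attrs.secure !== true) problems.push('missing Secure');
  const ss = String(attrs.samesite || '').toLowerCase();
  if (ss !== 'lax' && ss !== 'strict') problems.push('SameSite not Lax/Strict');
  return problems;
}

// Usage: audit both configurations on a constructed (not real) session id.
const SID = 's:abc123.signature';
const weakHeader = setCookieHeader('connect.sid', SID, weakCookie);
const hardenedHeader = setCookieHeader('sid', SID, hardenedCookie);
console.log(auditSessionCookie(weakHeader));     // [ 'missing HttpOnly', 'missing Secure', 'SameSite not Lax/Strict' ]
console.log(auditSessionCookie(hardenedHeader)); // []
```

<p>The same audit can be pointed at the Set-Cookie headers a running app actually emits (for instance, from the browser devtools) to confirm the flags survived any proxy or framework defaults.</p>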