Home/Blog/Programming/Best practices for securing your Node.js apps
Home/Blog/Programming/Best practices for securing your Node.js apps

Best practices for securing your Node.js apps

12 min read
Mar 12, 2025
content
Understanding common security threats
1. Cross-site scripting (XSS)
How to prevent XSS attacks
2. Cross-site request forgery (CSRF)
How to prevent CSRF attacks
3. SQL injections
How to prevent SQL injection attacks
4. Denial-of-service (DoS)
How to prevent DoS attacks
5. Brute-force attacks
How to prevent brute force attacks
6. Dependency vulnerabilities
How to prevent dependency vulnerabilities
Securing HTTP headers
Implementing secure password storage
Hashing vs. encryption
Hashing passwords
Verifying passwords
Protect against race conditions
How to prevent race conditions
Conclusion

Become a Software Engineer in Months, Not Years

From your first line of code, to your first day on the job — Educative has you covered. Join 2M+ developers learning in-demand programming skills.

Key takeaways:

  • Always treat user input as untrusted. To prevent attacks like XSS and SQL injections, ensure user input is validated and sanitized before performing any operation.

  • To protect your application from CSRF and brute force attacks, use CSRF tokens, set SameSite attributes on cookies, and implement multi-factor authentication (MFA).

  • Regularly update your npm packages and dependencies to patch known vulnerabilities. Tools like npm outdated and npm audit allow you to identify and fix security issues.

  • Store passwords securely using strong hashing algorithms like bcrypt and proper salting techniques. Never store passwords in plain text or use reversible encryption methods.

  • Be aware of the asynchronous nature of Node.js and prevent race conditions by using proper synchronization techniques, database transactions, and mutexes.

In January 2018, a ride-hailing service experienced a significant data breach, exposing the personal and financial information of 14 million users. This incident emphasized how even well-designed systems can face security challenges without proper safeguards.

Node.js is an open-source, cross-platform JavaScript runtime environment that executes JavaScript code outside a web browser. Due to its lightweight runtime, it is popular among beginners and is used by many big companies, such as Netflix and Uber.

While Node.js is secure, applications built with it can be vulnerable to attacks if proper security measures are not in place. With cyber threats becoming increasingly sophisticated, it’s crucial to implement strict security measures to protect your applications and safeguard your users’ sensitive data.

This blog will explore common attacks targeting Node.js applications and provide steps you can take before and during the development process to ensure your application’s security.

Learn Node.js: The Complete Course for Beginners

Cover
Learn Node.js: The Complete Course for Beginners

Node.js is an open-source, cross-platform, JavaScript runtime environment that executes JavaScript code outside of a web browser. This course is your guide for learning the fundamentals of Node.js. In this course, you'll start by understanding the inner workings of Node.js. More specifically, you’ll explore its features, how event loops work, and how multithreading works. You’ll then move on to the fundamentals of Node.js like file systems, global objects, and the Buffer class. In the latter half of the course, you’ll explore more advanced concepts like modules, events, and packages. At the end of this course, you will get hands-on with Node.js and create your own food delivery web application. By the end of this course, you will have a new, in-demand skill to put on your resume and a cool project to add to your portfolio.

7hrs
Beginner
37 Playgrounds
4 Quizzes

Common security threats
Common security threats

Understanding common security threats#

Before you can defend your Node.js application, it’s important to understand how attackers might try to exploit it. Here are some common security threats:

1. Cross-site scripting (XSS)#

XSS attacks happen when attackers inject malicious scripts into web pages that other users subsequently access. This can lead to data theft, session hijacking, and website defacement. XSS often exploits input forms that are not properly sanitized or encoded.

Suppose you have a comment section on your website where users can post comments. The server-side code takes the user’s input and renders it on the page without sanitization.

// Server-side code
app.post('/comment', (req, res) => {
  let comment = req.body.comment;
  // Save comment to database
  res.redirect('/comments');
});
// Client-side code to display comments
comments.forEach(comment => {
  document.write(`<p>${comment}</p>`);
});

Consider this attack scenario where an attacker adds this comment:

<script>alert('Your website is compromised!');</script>

When other users visit the comments page, the malicious script executes in their browsers, displaying an alert. In a more severe attack, the script could steal cookies or perform actions on behalf of the user.

How to prevent XSS attacks#

  • Sanitize user input: To ensure security, rigorously sanitize and validate user inputs. Remove or escape potentially malicious code before processing the data, and enforce strict validation rules as early as possible when the input is first received.

  • Encode data on the output: Always encode the data generated by a user before rendering it on web pages. For example, convert < to &lt; and > to &gt;.

Let’s examine an example of modifying the code above to prevent XSS attacks on the server and client sides.

// Server-side code
app.post('/comment', (req, res) => {
  let comment = req.body.comment;
  
  // Sanitize the comment to remove any malicious code
  comment = comment
    .replace(/&/g, '&amp;')  // Escape &
    .replace(/</g, '&lt;')   // Escape <
    .replace(/>/g, '&gt;')   // Escape >
    .replace(/"/g, '&quot;') // Escape "
    .replace(/'/g, '&#39;'); // Escape '
  
  // Save comment to database
  
  res.redirect('/comments');
});
// Client-side code to display comments
comments.forEach(comment => {
  const p = document.createElement('p');
  // Use textContent to prevent HTML parsing
  p.textContent = comment;
  commentsContainer.appendChild(p);
});
Modified code with manual XSS prevention

In the code above, we can use third-party libraries to sanitize inputs or manually sanitize user inputs by escaping special characters to ensure safe rendering on the server side.

On the client side, instead of using document.write, which can execute scripts, we’ll use textContent to safely render user comments as plain text.

2. Cross-site request forgery (CSRF)#

CSRF attacks manipulate authenticated users into executing unintended actions within a web application. Attackers can craft malicious requests that can perform actions like changing account details or initiating transactions without the user’s consent. The user’s browser executes these requests. Hackers can send users links through chat or email, asking them to change email addresses or transfer funds.

Imagine a banking application where users can transfer funds by submitting a POST request to the /transfer route.

<!-- Form on the banking site -->
<form action="/transfer" method="POST">
  <input type="hidden" name="amount" value="1000">
  <button type="submit">Transfer $1000</button>
</form>

Consider this attack scenario where an attacker crafts a malicious website with the following code. When a browser encounters an <img> tag, an automated HTTP GET request is sent to the specified src URL to fetch the image. The style="display:none;" attribute ensures the malicious request remains hidden from the user so they won’t notice anything suspicious on the page.

<!-- Malicious website -->
<img src="https://educative.io/transfer?amount=1000" style="display:none;">

When logged-in users visit the malicious site, their browser sends a request to the /transfer endpoint, initiating a fund transfer without their knowledge.

How to prevent CSRF attacks#

  • CSRF tokens: Implement CSRF tokens in your forms and API requests. A CSRF token is a random value generated on the server and verified with each request.

  • Set SameSite cookies: Configure cookies with the SameSite attribute to prevent them from being sent with cross-site requests.

  • Validate HTTP headers: Check the Origin or Referer headers to ensure requests originate from your domain. Reject requests with missing or mismatched headers.

3. SQL injections#

SQL injection attacks happen when attackers insert malicious SQL statements into input fields, manipulating database queries to access or modify data without authorization.

Suppose you have a login form where users enter their username and password.

app.post('/login', (req, res) => {
  const username = req.body.username;
  const password = req.body.password;
  const query = `SELECT * FROM users WHERE username = '${username}' AND password = '${password}'`;
  db.query(query, (err, result) => {
    if (result.length > 0) {
      // Successful login
    } else {
      // Invalid credentials
    }
  });
});

Consider this attack scenario where an attacker enters the following input:

  • Username: admin' --

  • Password: pass123

The final SQL query is as follows:

SELECT * FROM users WHERE username = 'admin' --' AND password = 'pass123'

The -- is a SQL comment operator, so everything after it is ignored. The query effectively becomes:

SELECT * FROM users WHERE username = 'admin'

This might allow the attacker to log in as the admin without knowing the password.

Let’s consider a more dangerous injection, where an attacker could attempt to dump the entire user table:

  • Username: ' OR '1'='1' --

  • Password: pass123

The final SQL query is as follows:

SELECT * FROM users WHERE username = '' OR '1'='1' --' AND password = 'pass123'

As we know, '1'='1' is always true. Thus, the query will return all users from the table.

How to prevent SQL injection attacks#

  • Use parameterized statements: Parameterized statements ensure that user inputs are treated as data and not executable SQL code. They allow your database to distinguish between data and code, regardless of the input. For example, if a user enters 100 OR 1=1 as their userID, a parameterized statement will not interpret OR 1=1 as SQL logic. Instead, it will search for a userID that matches the string 100 OR 1=1.

  • Apply input validations: Input validations add an extra layer of protection. When writing your validation logic, you can compare an input to a list of allowed options. Input validation protects you from XSS attacks, DoS, and other injection attacks.

  • Use database accounts with the least privileges: Using database accounts with minimum required privileges protects your application from SQL injections. Don’t use admin-level rights database accounts in your Node.js app. Create different users with read-write and read-only permissions. Lastly, use SQL views to limit access to specific table columns or joins.

  • Sanitize input: You need to ensure you get rid of suspicious-looking input. You can do that by checking that fields like email addresses match a regular expression, alphanumeric or numeric fields do not contain special characters, and strip any newline or white space characters.

4. Denial-of-service (DoS)#

DoS attacks aim to make a service unavailable by constantly creating traffic or sending resource-consuming requests, causing slowdowns or crashes. For instance, an attacker might send many requests to your server, exhausting its resources.

How to prevent DoS attacks#

  • Rate limiting: Restrict the number of requests an IP address or user can make within a specified time frame. For example, allow 100 requests per minute per user.

  • Caching using content delivery networks (CDNs): CDNs distribute traffic across multiple servers, absorbing excessive loads. They cache content to reduce the burden on the origin server.

Looking to create a full-stack application with Node.js that is also secure on the backend? Try out this project, Build an Image Sharing App with MERN Stack.

5. Brute-force attacks#

Brute-force attacks involve automated attempts to guess passwords or encryption keys through exhaustive trial and error. They can crack encrypted passwords and PINs. For example, an attacker can use a script to repeatedly attempt to log in to user accounts by trying many password combinations.

How to prevent brute force attacks#

  • Account lockout: Temporarily lock accounts after several failed login attempts (e.g., 5 attempts within 10 minutes). Increase the lockout duration with each failed attempt to slow down brute force attempts.

  • Implement CAPTCHA: Use CAPTCHA challenges to ensure that humans, not automated bots, make login attempts.

  • Multi-factor authentication (MFA): Use MFA where the application requires a second form of authentication, such as OTPs via email, SMS, an authenticator app, or biometric authentication like fingerprints or facial recognition. This adds a layer of security, even if passwords are compromised.

6. Dependency vulnerabilities#

Using third-party packages from npm, Node.js’s default package manager can introduce vulnerabilities, especially if the packages are outdated or malicious. Supply chain attacks exploit these dependencies to compromise applications.

Suppose you use a package that has a known vulnerability allowing remote code execution. An attacker can exploit this vulnerability to execute arbitrary code on your server.

How to prevent dependency vulnerabilities#

  • Regularly update dependencies: Tools like npm outdated and npm audit allow you to identify outdated or vulnerable packages and fix security issues. Regularly update dependencies to ensure you have the latest patches for known security vulnerabilities.

  • Use trusted sources: Only install packages from reputable sources and maintainers.

  • Lock dependencies: Lock files (like package-lock.json or yarn.lock) to ensure consistent dependency versions across environments, minimizing the risk of inadvertently introducing vulnerable versions.

A Guide to Securing Node.js Applications

Cover
A Guide to Securing Node.js Applications

This course is your guide for securing Node.js applications. You'll start by properly sanitizing user input and output, and then move on to some fundamental protocols, such as HTTPS and SHA. Passwords and encryption will be discussed next. More specifically, you will learn about different hashing algorithms and protecting your application from brute force attacks. Following that, you'll explore concepts like authentication, access control, and obfuscation. You will also learn about XSS, CSRF, and other popular hacks near the end of the course. By the end of this course, you will know how to secure a Node.js application, an in-demand skill to put on your resume!

4hrs
Intermediate
20 Playgrounds
4 Quizzes

Securing HTTP headers#

HTTP headers enable the exchange of information between the server and client regarding the connection setup, the requested resource, and the resource provided in response. Ignoring HTTP headers can leak sensitive information.

Express apps, by default, include the X-Powered-By header. This header lets the browser know the server’s version and vendor used. Hackers can cross-reference this with publicly disclosed vulnerabilities, allowing your app to be targeted easily.

One solution is to use Helmet.js. It is a Node.js module that helps secure your app by setting various HTTP headers. Helmet helps hide the X-Powered-By header, thus preventing the disclosure of server information, and sets security headers such as Content-Security-Policy, X-Frame-Options, Strict-Transport-Security, etc.

Implementing secure password storage#

Storing passwords securely is one of the most critical aspects of application security. If user passwords are compromised, it can lead to unauthorized access and data breaches. Storing passwords in plain text is a severe security risk. If your database is compromised, attackers immediately access all user accounts.

Password encryption allows you to convert your passwords into an unreadable message using an encryption key. The encryption key is a mathematical value you and the recipient know.

Hashing vs. encryption#

  • Encryption transforms data into a different format using a key, and the original data can be retrieved using a decryption key. Encryption is reversible, which makes it unsuitable for password storage.

  • Hashing converts data into a fixed-size string of characters, typically a digest that cannot be reversed to obtain the original data. Hashing is a one-way function, making it ideal for password storage.

Hashing is different from encryption because it doesn’t have a decryption key. Hashing should always include salt, a random value added to the password before hashing. Salting passwords adds uniqueness, making it much harder for attackers to use precomputed tables (rainbow tables) to crack the hashes.

Here’s how it works: Suppose the user’s password is Pa55word. When hashed using a secure algorithm like bcrypt, it might look like $2b$10$wqGJ3YQ0yRhv5Tc.s7.Y. When the user logs in, the entered password is hashed again with the same algorithm and compared to the stored hash. If the two hashes match, you are signed in.

Hashing passwords#

For Node.js, you can use the bcrypt package to hash and store passwords. When a user registers or changes their password, you should hash the password before storing it in the database.

const bcrypt = require('bcrypt'); // Import the bcrypt library for hashing passwords
async function hashPassword(plainTextPassword) {
  // Set the number of salt rounds (higher value increases security but takes more time)
  const saltRounds = 12;
  
  // Generate the hashed password using bcrypt
  const hash = await bcrypt.hash(plainTextPassword, saltRounds);
  return hash;
}
// Example plain text password to be hashed
const plainPassword = 'Pa55word';
// Call the hashPassword function with the plain text password
hashPassword(plainPassword)
  .then(hash => {
    // Log the hashed password to the console
    console.log('Hashed password:', hash);
  })
  .catch(err => {
    // Log an error message to the console if hashing fails
    console.error('Error hashing password:', err);
  });
Hashing passwords

In the code above, saltRounds in bcrypt refers to how bcrypt generates a random salt internally and determines the computational cost of the hashing process.

Verifying passwords#

When a user attempts to log in, you need to verify that the supplied password matches the stored hash.

async function comparePassword(plainTextPassword, hash) {
  const match = await bcrypt.compare(plainTextPassword, hash);
  return match;
}
const inputPassword = 'Pa55word';
const storedHash = 'HashFromDatabase';
comparePassword(inputPassword, storedHash)
  .then(match => {
    if (match) {
      // Passwords match, proceed with login
      console.log('Password is valid!');
    } else {
      // Passwords do not match
      console.log('Invalid password.');
    }
  })
  .catch(err => {
    console.error('Error comparing passwords:', err);
  });
Verifying passwords

Try out this project: Build a Music Sharing App with Next.js and the MERN Stack, where we create a music sharing app with Next.js and the MERN stack. Explore seamless uploads, secure downloads, and Cloudinary integration for efficient storage.

Protect against race conditions#

Race conditions occur when multiple processes access a shared resource simultaneously, and one or more want to modify it. This results in an unexpected logical flow. In Node.js applications, race conditions can lead to unexpected behavior, data corruption, and critical security vulnerabilities. Attackers can exploit race conditions to:

  • Bypass security checks: An attacker might gain unauthorized access if authentication or authorization steps are not properly synchronized.

  • Manipulate data: Concurrent operations might allow attackers to interfere with data integrity, such as modifying financial transactions or sensitive information.

Cyber Security Fundamentals

Cover
Cyber Security Fundamentals

Cyber security is the protection of systems, devices, controls, programs, and data from attacks by malicious actors. Every company focuses on cyber security as it is extremely vulnerable and easily breachable these days. Cyber security professionals are in high demand with a promising career outlook. In this Skill Path, you will learn the modern approaches to monitor, detect, and respond to cyber security incidents and how to maintain cyber security. You'll also learn techniques related to patching, software vulnerabilities, cryptography, windows security, and phishing to prevent attacks. You'll go through the protection method using HTTP headers and working knowledge of JWT, OAuth2, and OpenID Connect. By the end, you will have a strong understanding of each of the technologies involved and will be able to apply this knowledge for security purposes.

41hrs
Beginner
47 Playgrounds
82 Quizzes

Consider an application that handles fund transfers between accounts. If two transfer requests are processed simultaneously, both might read the same initial balance before either has updated it. This could result in an overdraft, allowing users to transfer more money than is available.

Due to their asynchronous nature, race conditions are uncommon in JavaScript and, hence, in Node.js. But if they do appear, they can be very difficult to debug, so it’s best to handle them before they happen.

How to prevent race conditions#

  • Use database transactions. Transactions ensure a series of database operations are executed as atomic units. The entire transaction is rolled back if any operation fails, maintaining data integrity.

  • Implement locks or mutexes: Locks prevent multiple processes from accessing a resource simultaneously, ensuring that only one operation can modify the resource.

  • Properly handle asynchronous code: Ensure all asynchronous operations are awaited or properly chained to prevent code from executing out of order.

Become a Node.js Developer

Cover
Become a Node.js Developer

Node.js is a powerful JavaScript runtime designed for building efficient and scalable applications. If you’re not using Node.js yet, you’re missing out on a big chance to improve your career in web development. This Skill Path will guide you through the core concepts, providing a solid foundation. You’ll explore the Node.js API, develop RESTful APIs using Express, and create real-time applications with Socket.IO. By the end, you’ll be equipped with the practical skills needed to confidently implement Node.js in your future projects.

16hrs
Beginner
6 Challenges
28 Quizzes

Conclusion#

Securing your Node.js application is an ongoing process that requires attention at every stage of development. By understanding common threats and implementing the best practices outlined above, you can significantly enhance the security of your applications.

To get hands-on practice with secure Node.js applications, check out the hands-on project Build a Telegram Bot in Node.js for Web Page Change Detection, where you will write a Node.js script to detect website changes and be notified via Telegram.

Frequently Asked Questions

What is XSS, and how can I prevent it in my Node.js application?

Cross-site scripting (XSS) is an attack where attackers inject malicious scripts into web pages viewed by other users, leading to data theft or session hijacking. To prevent XSS in your Node.js application, rigorously sanitize and validate all user inputs and encode output data. Implementing Content Security Policy (CSP) headers can also mitigate the impact of XSS attacks.

What are parameterized statements, and why are they important in preventing SQL injection attacks?

What steps should I take to secure password storage in my Node.js application?

What are the best practices for handling third-party packages in Node.js to ensure security?

Written By:
Hamna Waseem
Join 2.5 million developers at
Explore the catalog

Free Resources

Learn in-demand tech skills in half the time

PRODUCTS

Mock Interview

New

Courses

Skill Paths

Projects

Assessments

Newsletter

TRENDING TOPICS

Learn to Code

Tech Interview Prep

Generative AI

Data Science

Machine Learning

GitHub Students Scholarship

Early Access Courses

Blind 75

Layoffs

Pricing

For Individuals

Try for Free

Gift a Subscription

CONTRIBUTE

Become an Author

Become an Affiliate

Earn Referral Credits

RESOURCES

Blog

Cheatsheets

Webinars

ABOUT US

Our Team

Careers

Hiring

Frequently Asked Questions

Contact Us

Press

LEGAL

Privacy Policy

Cookie Policy

Terms of Service

Business Terms of Service

Data Processing Agreement

INTERVIEW PREP COURSES

Grokking the Modern System Design Interview

Grokking the Product Architecture Design Interview

Grokking the Coding Interview Patterns

Machine Learning System Design

Tiktok Streamline Icon: https://streamlinehq.com

Copyright ©2025 Educative, Inc. All rights reserved.

soc2