password

passwordHash

Gain insights into securing Node.js applications: sanitize inputs, use HTTPS, encryption, explore authentication, access control, and protect against XSS, CSRF, and popular hacks.

Working_SNA_Docker.tar.gz

psql

psql-copy

run_spa

run_spa_node

run_spa_hash

compose

compose-copy

compose-copy-copy

run_spa-copy

app-demo-psql

This course is your guide for securing Node.js applications. You'll start by properly sanitizing user input and output, and then move on to some fundamental protocols, such as HTTPS and SHA. Passwords and encryption will be discussed next. More specifically, you will learn about different hashing algorithms and protecting your application from brute force attacks.

Following that, you'll explore concepts like authentication, access control, and obfuscation. You will also learn about XSS, CSRF, and other popular hacks near the end of the course.

By the end of this course, you will know how to secure a Node.js application, an in-demand skill to put on your resume!

A Guide to Securing Node.js Applications

## What is mass assignment?
Mass assignment is an incredibly useful tool. When used properly, it can speed up development time. But it can cause severe damage if used improperly. This functionality is usually included as part of an Object Relational Mapper (ORM) or Object Document Mapper (ODM). ORMs aren’t as popular in Node as they are in other languages, but they come up occasionally. ODMs are popular if you use MongoDB, CouchDB, or another schema-less document database.

In the examples below, we'll use [Mongoose](http://mongoosejs.com/). Mongoose is a MongoDB object modeling tool for Node.js..

Let's say you have a `User` model that needs to be updated with several changes. You could update each field individually, or you could pass all of the changes from a form and update it in one go.

Your form might look like this:
```
<form action="...">
    <input name="first_name" />
    <input name="last_name" />
    <input name="email" />
</form>
```

Then you have back end code to process and save the form submission. That might look like this:
```
var User = mongoose.model('User');

var liz = new User(req.body);
liz.save();
```

Quick and easy, right? But what if a malicious user modifies the form, giving themselves administrator permissions?

```
<form action="...">
    <input type="text" name="first_name" />
    <input type="text" name="last_name" />
    <input type="text" name="email" />
    <input type="hidden" name="permissions" value="{'admin':'true'}" />
</form>
```

That same code would now change this user's permissions erroneously.

Many developers and sites have fallen victim to this problem. A recent, well-known exploit of this vulnerability occured when a user exposed Ruby on Rails.
* Egor Homakov initially reported to the Rails team that new Rails installs were insecure. His bug report was rejected. 
* The core team thought it was a minor concern that would be easier for new developers to leave enabled by default.  
* Homakov hilariously "hacked" the Rails GitHub account (GitHub is built on Rails) to give himself administrative rights to their repositories.  

Needless to say, this proved his point, and now Rails, and GitHub, are protected from this attack by default.

## Protecting your application
How do you protect your application against this?  The exact implementation details depend on the framework or codebase you're using, but you have a few options:

* Turn off mass assignment completely; in Mongoose this is accomplished by using strict mode.
* Whitelist the fields that are safe to be mass assigned, iterate over your body params, and only save the whitelisted fields.
* Blacklist the fields that are not safe to be mass assigned, iterate over your body params, and only save the fields that are not blacklisted.

There is also a plugin for Mongoose specifically, [Mongoose Mass Assign](https://www.npmjs.com/package/mongoose-mass-assign), that will assist with this.

Depending on your implementation, some of these may be used simultaneously.  A simple whitelist implementation looks like this:

# What is mass assignment?
Mass assignment is an incredibly useful tool. When used properly, it can speed up development time. But it can cause severe damage if used improperly. This functionality is usually included as part of an Object Relational Mapper (ORM) or Object Document Mapper (ODM). ORMs aren’t as popular in Node as they are in other languages, but they come up occasionally. ODMs are popular if you use MongoDB, CouchDB, or another schema-less document database.

In the examples below, we'll use [Mongoose](http://mongoosejs.com/). Mongoose is a MongoDB object modeling tool for Node.js..

Let's say you have a `User` model that needs to be updated with several changes. You could update each field individually, or you could pass all of the changes from a form and update it in one go.

Your form might look like this:
```
<form action="...">
    <input name="first_name" />
    <input name="last_name" />
    <input name="email" />
</form>
```

Then you have back end code to process and save the form submission. That might look like this:
```
var User = mongoose.model('User');

var liz = new User(req.body);
liz.save();
```

Quick and easy, right? But what if a malicious user modifies the form, giving themselves administrator permissions?

```
<form action="...">
    <input type="text" name="first_name" />
    <input type="text" name="last_name" />
    <input type="text" name="email" />
    <input type="hidden" name="permissions" value="{'admin':'true'}" />
</form>
```

That same code would now change this user's permissions erroneously.

Many developers and sites have fallen victim to this problem. A recent, well-known exploit of this vulnerability occured when a user exposed Ruby on Rails.
* Egor Homakov initially reported to the Rails team that new Rails installs were insecure. His bug report was rejected. 
* The core team thought it was a minor concern that would be easier for new developers to leave enabled by default.  
* Homakov hilariously "hacked" the Rails GitHub account (GitHub is built on Rails) to give himself administrative rights to their repositories.  

Needless to say, this proved his point, and now Rails, and GitHub, are protected from this attack by default.

# Protecting your application
How do you protect your application against this?  The exact implementation details depend on the framework or codebase you're using, but you have a few options:

* Turn off mass assignment completely; in Mongoose this is accomplished by using strict mode.
* Whitelist the fields that are safe to be mass assigned, iterate over your body params, and only save the whitelisted fields.
* Blacklist the fields that are not safe to be mass assigned, iterate over your body params, and only save the fields that are not blacklisted.

There is also a plugin for Mongoose specifically, [Mongoose Mass Assign](https://www.npmjs.com/package/mongoose-mass-assign), that will assist with this.

Depending on your implementation, some of these may be used simultaneously.  A simple whitelist implementation looks like this:

Learn about the pros and cons of mass assignment.

Introduction

Never Trust Your Users. Sanitize ALL Input!

HTTPS and Other Random Letters

Password Encryption and Storage for Everyone

Authentication, Access Control, and Safe File Handling

Safe Defaults, Cross Site Scripting, and Other Popular Hacks

Mass Assignment

What is mass assignment?