Web Application Security Practices
Achieving application security has become a major challenge for software engineers, because modern systems are complex and we need to verify whether our application is actually secure. The following points are drawn from my Angular and NodeJS experience:
Session Validation
A session should last at most 30 minutes, and the access token should be renewed after 30 minutes. Use the refresh token concept to implement this.
Avoid Privacy Violation
Don't add logs that expose sensitive data; for example, don't log user-related data, server data, and so on.
In the following example, the developer has added a log that prints the Mongo connection string, which exposes the MongoDB server details and breaches security.
Remove Hardcoded Passwords and Tokens from the Code
Remove all hardcoded passwords, authentication tokens, and sensitive key pairs from the code.
Dockerfile Misconfiguration (Default User Privilege)
Running a container as the root user carries a lot of risk, so it is usually a good idea to run it as a non-root user. In the following example, we create a node user (a non-root user) and give it the permissions required to run the application.
FROM alpine:3.16.4
# Node is not part of the base alpine image; install a pinned runtime from the
# distribution packages (the original listing omitted this step).
RUN apk add --no-cache nodejs npm
# Create a non-root user and group, and an app directory owned by that user
RUN addgroup node && adduser -S -G node node
RUN mkdir -p /usr/src/my-dir && chown -R node:node /usr/src/my-dir
WORKDIR /usr/src/my-dir
# Install app dependencies first so this layer stays cached while sources change
COPY --chown=node:node package*.json ./
USER node
RUN npm install --save-exact
# Bundle app source, owned by the non-root user
COPY --chown=node:node . .
CMD ["node", "index.js"]
Docker Dependency Confusion
Retrieving build dependencies using a non-specific version can leave the build system vulnerable to malicious binaries or cause the system to experience unexpected behavior.
Don't install any package in a Dockerfile without specifying its version. Always pin the package version.
npm install pm2 (wrong: unpinned, resolves to whatever is latest at build time)
npm install pm2@<major.minor.patch> (correct: pin the exact version; the original read "pm2@.14.0", which is missing its major version, so a placeholder is shown here)
Check the Docker Image Version for Vulnerabilities
Check that the Docker image version is not outdated and is free of known vulnerabilities.
You can check the vulnerability report on the official Docker Hub site (https://hub.docker.com/).
For example, the alpine:3.16.3 version has a known vulnerability. Check the below URL.
Insecure Randomness
Insecure randomness errors occur when a function that produces predictable values is used as a source of randomness in a security-sensitive context.
In JavaScript, don't use the Math.random() function; it is not a cryptographically secure random number generator.
Instead of Math.random(), use crypto.randomUUID().
Add Proper Security Headers in the UI
add_header Strict-Transport-Security "max-age=31449600; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
# A bare Set-Cookie added with add_header carries no name=value pair and is not a valid
# cookie. To put the Secure, HttpOnly and SameSite flags on every cookie the upstream
# sets, use proxy_cookie_flags (nginx 1.19.3+) instead.
proxy_cookie_flags ~ secure httponly samesite=strict;
# With Allow-Credentials "true", Access-Control-Allow-Origin must name one explicit
# origin; a wildcard "*" is rejected by browsers for credentialed requests.
add_header Access-Control-Allow-Credentials "true" always;
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
add_header Access-Control-Allow-Headers "Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With" always;
Add X-XSS-Protection (to mitigate cross-site scripting attacks) and X-Content-Type-Options (to prevent MIME-type sniffing attacks).
Secure cookies with the Secure flag, and check that only the backend service's allowed origin appears in the API request's Origin header.
Application Login Should Be More Secure
Application login is the main door to our application, so we need to secure it first.
To make the application login more secure, configure single sign-on authentication, reCAPTCHA, or OTP validation.
Avoid SQL Injection
The best way to avoid SQL injection is to go through an ORM (Object Relational Mapping) layer. Use Mongoose, Sequelize, or a similar ORM for database operations, and avoid writing raw SQL queries in application code.