Photo by Georg Bommeli on Unsplash

Prevent XSS?

XSS, or Cross-Site Scripting, is a technique that enables attackers to run externally injected JavaScript in the context of the attacked page. Once the attackers manage to do so, it can access the full range of web APIs.

  • The attacker starts inputting simple HTML and JavaScript to see if the page vulnerable, like <script>alert('ha ha ha!')</script>
  • Once the attacker finds such an input that is vulnerable, the attacker crafts a link that will inject a give snipper into the page, and sends it to the attacked person
  • After the link is opened, it is up to injected script and the attacker on what’s going to happen next
  • JavaScript escape before putting untrusted data into JavaScript data values
  • However, some JavaScript functions can never take untrusted input:
  • setInterval,
  • new Function,
  • setTimeout,

How should I store passwords?

Never ever in plain text. Also, never ever without salt. Without salt, your passwords can be reversed using Rainbow tables.

How can I protect against CSRF?

CSRF or Cross-Site Request Forgery is an attack vector which exploits the way HTTP requests are sent from the browser: if a user has cookies for the site foo.com, no matter who starts a given request, cookies set by foo.com will always be sent with the request.

  • The attacker crafts an URL which calls the action of the given form, to follow our example, to update the email address of the user.
  • The attacker requests a password reminder and takes over the account.
  • a large random value,
  • generated by a cryptographically secure random number generator.
const cookieParser = require("cookie-parser");const csrf = require("csurf");const bodyParser = require("body-parser");const express = require("express");// setup route middlewaresconst csrfProtection = csrf({ cookie: true });const parseForm = bodyParser.urlencoded({ extended: false });// create express appconst app = express();// parse cookies// we need this because "cookie" is true in csrfProtectionapp.use(cookieParser());app.get("/form", csrfProtection, function (req, res) {// pass the csrfToken to the viewres.render("send", { csrfToken: req.csrfToken() });});app.post("/process", parseForm, csrfProtection, function (req, res) {res.send("data is being processed");});
<form action="/process" method="POST"><input type="hidden" name="_csrf" value="{{csrfToken}}">Favorite color: <input type="text" name="favoriteColor"><button type="submit">Submit</button></form>

When should I use JWT-based authentication? When should I use session-based authentication?

JWTs or JSON Web Tokens are an open, industry-standard RFC 7519 method for representing claims securely between two parties. Usually, it includes some data on the user, like name and email, as well as two other values, called iat (issued at) and exp (expires at). JWTs are signed by a secret key, but the payloads are (in most cases) not encrypted, so you should not store any sensitive information in JWTs.

  • the second is the actual payload,
  • the third part is the signature.
  • cookies can be a lot smaller than JWTs, so you can save bandwidth using them.

What are the best practices for handling secrets, like database passwords?

You should never check your secrets into your version control system, in a plain text form. If you’d like to store secrets in version control, you have to encrypt it. A couple of tools you can use for it:

  • git-secret

Passionate Programmer. Independent Thinker. Caring Father. Graduate of Flatiron Bootcamp for Software Development. Currently seeking new opportunities.