Thursday, September 17, 2015

Improving Security in Node.js



A collection of tips and ideas to improve the security of a Node.js application.

Don't let your app identify itself as a Node.js application

In the response headers you might have:
X-Powered-By: Express
Set-Cookie: connect.sid=sJbhAJcKt1JVuCRZ5HwpYMhFBAKaXm0

The first header reveals that your application is using Express.js, which in turn reveals Node. The second, in the same way, reveals the Connect session middleware, again a Node module.

The fixes for these are very simple. To suppress the X-Powered-By header you should do this:

var express = require('express');
var app = express();
app.disable('x-powered-by');   // Express no longer adds "X-Powered-By: Express"


For the connect.sid identifier you can change the default cookie name by using the "key" option in the initialization object:

var session = require('express-session');
app.use(session({
  key: '<customize me>',   // session cookie name; the default is connect.sid
  // ... remaining session options
}));


