Thursday, September 17, 2015

Improving Security in Node.js

A collection of tips and ideas to improve the security of a Node.js application.

Don't let your app identify itself as a Node.js application

In the response header you might have:
X-Powered-By: Express
Set-Cookie: connect.sid: sJbhAJcKt1JVuCRZ5HwpYMhFBAKaXm0

The first item identifies that your application is using Express.js which identifies Node. The second in a similar manner identifies the Connect middleware for session management, again a Node module.

The fixes for these are very simple. To suppress the X-Powered-By header key/value you should do this:

app = express();

For the connect.sid identifier you can change the default name by using the "key" key in the initialization object:

  key: '<customize me>',

No comments:

Post a Comment