Web Security Fundamentals
Last updated: 2025-09-25 12:47:03
Web Application Security
Security is crucial for web applications. Learn about common vulnerabilities and how to protect against them.
OWASP Top 10 Vulnerabilities
1. SQL Injection Prevention
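// Vulnerable code (DON'T DO THIS): the email value is spliced into the SQL
// text, so a crafted value changes the statement itself (SQL injection).
// (Renamed from a second `const query` — two `const query` declarations in
// one scope are a redeclaration error.)
const unsafeQuery = `SELECT * FROM users WHERE email = '${email}'`;
// Secure code with prepared statements: the `?` placeholder is bound by the
// driver as a value, so the input is never parsed as part of the SQL.
const query = 'SELECT * FROM users WHERE email = ?';
db.execute(query, [email]);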
const user = await User.findOne({ where: { email: email } });
2. Cross-Site Scripting (XSS) Prevention
// Server-side output encoding
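/**
 * Escape a string for safe insertion into HTML text content or a quoted
 * attribute value.
 *
 * As shown above, the lookup table mapped every character to itself (and the
 * "'" entry was an unterminated string literal), so the function escaped
 * nothing; the table now maps each character to its HTML entity.
 *
 * @param {string} text - untrusted text to encode
 * @returns {string} text with &, <, >, " and ' replaced by entities
 */
const escapeHtml = (text) => {
  // `&` must be encoded too, otherwise already-encoded input is double-decoded.
  const entities = Object.freeze({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  });
  return text.replace(/[&<>"']/g, (ch) => entities[ch]);
};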
// Content Security Policy header
app.use((req, res, next) => {
// Attach a Content-Security-Policy to every response.
// NOTE(review): 'unsafe-inline' in script-src allows any inline <script>,
// which is precisely what an injected XSS payload is, so this policy adds
// little against script injection. Prefer per-response nonces or hashes and
// drop 'unsafe-inline' once inline scripts are moved to files or nonced.
res.setHeader(
'Content-Security-Policy',
"default-src 'self'; script-src 'self' 'unsafe-inline'"
);
next();
});
3. Authentication & Session Management
// Secure password hashing
const bcrypt = require('bcrypt');
// bcrypt cost factor: each increment doubles the hashing work, which slows
// offline guessing; revisit as hardware gets faster.
const saltRounds = 12;
// Hash password
/**
 * Hash a plaintext password with bcrypt at the module-level `saltRounds`.
 * NOTE: bcrypt only consumes the first 72 bytes of its input, so cap the
 * password length during validation if long passphrases are accepted.
 * @param {string} password - plaintext password
 * @returns {Promise<string>} bcrypt hash string (salt and cost embedded)
 */
const hashPassword = async (password) => {
  const digest = await bcrypt.hash(password, saltRounds);
  return digest;
};
// Verify password
/**
 * Check a candidate password against a stored bcrypt hash.
 * @param {string} password - candidate plaintext
 * @param {string} hash - bcrypt hash produced by hashPassword
 * @returns {Promise<boolean>} resolves true when the password matches
 */
const verifyPassword = async (password, hash) => {
  const matches = await bcrypt.compare(password, hash);
  return matches;
};
// Secure session configuration
app.use(session({
// Cookie-signing secret, read from the environment so it is never committed.
// NOTE(review): this is undefined when SESSION_SECRET is unset — confirm the
// app refuses to start in that case rather than running unsigned.
secret: process.env.SESSION_SECRET,
resave: false, // do not rewrite unchanged sessions to the store
saveUninitialized: false, // no session (and no cookie) until something is stored
cookie: {
secure: true, // HTTPS only: the cookie is never sent over plain HTTP
httpOnly: true, // not readable from script, so XSS cannot read the session id
maxAge: 1800000, // 30 minutes, in milliseconds
sameSite: 'strict' // CSRF protection: not sent on cross-site requests
}
}));
Security Headers
// Essential security headers
app.use((req, res, next) => {
// Prevent clickjacking: refuse to be rendered in a frame by any origin
res.setHeader('X-Frame-Options', 'DENY');
// XSS protection — NOTE(review): this header drove the legacy browser XSS
// auditor, which current browsers no longer ship; it is harmless but gives
// no protection today, CSP is the replacement
res.setHeader('X-XSS-Protection', '1; mode=block');
// Prevent MIME sniffing: browsers honour the declared Content-Type
res.setHeader('X-Content-Type-Options', 'nosniff');
// HTTPS enforcement for one year including subdomains; browsers only honour
// it on a response that already arrived over HTTPS
res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
// Referrer policy: send only the origin on cross-origin requests, nothing on downgrade
res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
next();
});
Input Validation
// Using Joi for validation
const Joi = require('joi');
// Password policy: at least one lowercase, one uppercase, one digit and one
// symbol from the listed set. (The backslashes are inert in a plain string
// and only document the intent.)
// NOTE(review): there is no upper bound on password length; the hashing
// section uses bcrypt, which only consumes the first 72 bytes.
const passwordPolicy = new RegExp('^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[!@#\$%\^&\*])');

/**
 * Validation schema for the user payload: a required well-formed email, a
 * required password of at least 8 characters matching `passwordPolicy`, and
 * an optional integer age between 13 and 120.
 */
const userSchema = Joi.object({
  email: Joi.string().email().required(),
  password: Joi.string().min(8).pattern(passwordPolicy).required(),
  age: Joi.number().integer().min(13).max(120),
});
// Validate input
// `value` is the validated payload (possibly type-converted by Joi); use it
// downstream instead of the raw req.body.
const { error, value } = userSchema.validate(req.body);
if (error) {
// Reject with the first failure message; Joi stops at the first failing rule
// by default, so details[0] is the only entry.
return res.status(400).json({ error: error.details[0].message });
}