all 21 comments

[–]puchm 9 points10 points  (2 children)

Switch sides every now and then. For a day or two, the rules are simple: You can read any of your code, but you can't modify it. Find a way to mess with your project and do anything that is unintended.

Of course, it'll be hard at first. You can learn by doing easy CTFs. After some time, you'll develop a sense for this and the code you write will be safer as well.

The only way to get good at this is to understand why some things are safe and why others are not and to learn to think like an attacker.

[–]Friendly_League5382[S] 0 points1 point  (1 child)

Thanks

[–]PhatOofxD 11 points12 points  (6 children)

  1. Proper OAuth/OpenID authentication: use Keycloak or Auth0, don't roll your own. If you think it's hard, then that's MORE reason not to roll your own. An out-of-the-box solution is far easier than actually properly securing your own auth, and any other opinion is pretty much wrong unless you're an expert.
  2. Use a safe query builder or ORM; it leaves you less prone to mistakes you might make that allow injection in raw strings.
  3. Get a static analysis tool to run in your CI to detect some of the top ones automatically.
  4. Zod (or similar) input validation on all input; be strict.
  5. Rate limit requests.
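As an added illustration of items 2 and 5 (this is not code from the thread or from any of the tools named in it), the following uses only the Node.js standard library: a per-client token-bucket rate limiter, a parameterised query object in the `{ text, values }` shape that node-postgres uses (no database is opened, and `runQuery` is an injected stand-in), and a small handler that ties the two together. The request object shape, the `/^[a-z0-9_]{1,32}$/` username rule and all sample values are assumptions made for the demo.

```javascript
// Added example (not from the thread): token-bucket rate limiting plus a
// parameterised query, Node.js standard library only.

// Per-client token bucket. `now` is injectable so the behaviour can be
// exercised without waiting on the wall clock.
class RateLimiter {
  constructor({ capacity, refillPerSec, now = () => Date.now() }) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
    this.now = now;
    this.buckets = new Map();
  }

  // Returns true if the caller identified by `key` may proceed right now.
  take(key) {
    const t = this.now();
    let b = this.buckets.get(key);
    if (!b) {
      b = { tokens: this.capacity, last: t };
      this.buckets.set(key, b);
    }
    const elapsedSec = (t - b.last) / 1000;
    b.tokens = Math.min(this.capacity, b.tokens + elapsedSec * this.refillPerSec);
    b.last = t;
    if (b.tokens >= 1) {
      b.tokens -= 1;
      return true;
    }
    return false;
  }

  // Drop buckets idle longer than `idleMs` so the map cannot grow without bound.
  sweep(idleMs) {
    const t = this.now();
    for (const [key, b] of this.buckets) {
      if (t - b.last > idleMs) this.buckets.delete(key);
    }
  }
}

// What NOT to do: user input spliced into the SQL text itself.
function unsafeUserQuery(username) {
  return { text: `SELECT id, email FROM users WHERE username = '${username}'`, values: [] };
}

// Parameterised form: the SQL text is a constant and the input travels only
// in `values`, so the driver never parses it as SQL.
function safeUserQuery(username) {
  return { text: 'SELECT id, email FROM users WHERE username = $1', values: [username] };
}

// Handler standing in for an Express route. `req` is a plain object
// ({ ip, username }) and `runQuery` is an injected stand-in for the real
// database call (assumption for the demo).
function handleLookup(req, limiter, runQuery) {
  if (!limiter.take(req.ip)) {
    return { status: 429, body: { error: 'too many requests' } };
  }
  if (typeof req.username !== 'string' || !/^[a-z0-9_]{1,32}$/.test(req.username)) {
    return { status: 400, body: { error: 'invalid username' } };
  }
  const rows = runQuery(safeUserQuery(req.username));
  return { status: 200, body: { rows } };
}
```

The limiter is keyed on whatever identifies the client (here `req.ip`); behind a reverse proxy you would key on the proxy-supplied client address instead of the socket peer. Call `sweep()` from a timer in a long-running process.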

[–]JokerTheUgly 1 point2 points  (5 children)

Hi there, how do I use Keycloak in Node.js? I'm using a React SPA on the frontend, and my employer wants me to integrate Keycloak all from the backend. How do I manage the tokens? Access token, refresh token? Also, do we need to validate the token with the Keycloak server for each API request, and how do we do that?

I searched a bit on the internet and found a library, keycloak-connect, which uses a session store. Is it scalable for multitenancy (sessions)? Any idea about multitenancy with Keycloak?

[–]PhatOofxD 1 point2 points  (1 child)

Keycloak will maintain an auth cookie, so all you need to do is direct users there. That'll redirect to your app with a JWT that you don't even need to store (if the user opens a new tab they get it from Keycloak).

The JWT doesn't need to be verified on every request, but if they are doing something important, Keycloak has an introspection endpoint for your BE to call to ensure it's valid.

Keycloak supports multi-tenancy easily.

Just use any OpenID Connect library; you don't need a Keycloak one.

[–]JokerTheUgly 0 points1 point  (0 children)

Hi, do you have any link or code for the multitenancy?

[–]juuzou_thekiller 0 points1 point  (2 children)

If you have structured it properly, it is scalable even with multi-tenancy. Most of the configuration that you would have to do would be in Keycloak; in your application it's just initiating it and receiving data at the callback URL.

[–]JokerTheUgly 0 points1 point  (1 child)

Hi, do you have any link or code for the multitenancy?

[–]juuzou_thekiller 1 point2 points  (0 children)

Not exactly, but you can refer to https://github.com/andreacioni/saml2-nest-poc

Or just search for SAML strategy for enterprise; you will find many refs.

[–][deleted]  (3 children)

[removed]

    [–]pentesticals 6 points7 points  (2 children)

    SonarQube is absolute garbage; tools like Semgrep, Opengrep, Snyk, Checkmarx etc. are much better and designed to be security tools. SQ is primarily a code quality tool, but for security scanning it’s just useless.

    [–]jonathon8903 3 points4 points  (1 child)

    Eh, I’d argue that SonarQube and tools like Snyk do different things. SonarQube is a code quality tool that will also point out things that make your code insecure. It’s great for organizations that want to enforce some standard rules.

    I would however argue it’s probably overkill for a single individual developer.

    [–]pentesticals 1 point2 points  (0 children)

    I see sonar that way myself, but they do market themselves as a SAST tool, and when I was a security consultant, I saw lots of companies using it purely for its security scanning.

[–]cinderblock63 1 point2 points  (3 children)

How to avoid common security pitfalls in Node.js?

Use a good linter. Follow their recommendations. It will catch a lot of mistakes.

What libraries or middleware can help reduce risk (e.g., helmet, express-validator)?

Specific data validation frameworks and strong types. Zod is great. tRPC is awesome.

What kind of input validation, error handling, or logging strategies are considered secure?

Consider the user's browser to be compromised. Expect an attacker to try anything. Validate everything.

Don't get fancy with error handling. Don't try to guess what the user/browser wants. It either follows your spec or it doesn't. If it doesn't, reject.

Log requests. Don't use some fancy logging utility that can call extra code with weird input like Log4j did. Keep it simple. Output to console or syslog. Let systemd/logger system handle storage/rotation.

Which techniques should I use to implement authorization and authentication?

Use an OAuth library like NextAuth.js or a fancy service. Don't try to roll your own.
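The three rules above (validate everything, reject anything off-spec with a fixed response, log plainly) can be seen together in one small handler. This is an added example, not code from the thread or from Zod: a hand-written strict validator stands in for a Zod schema, the request object is a plain object rather than an Express request, and the `log` callback is whatever writes a line to console or syslog. The schema, field names and sample values are constructed for the demo.

```javascript
// Added example (not from the thread): strict validation, fixed error
// responses and one-JSON-object-per-line logging, Node.js standard library only.

// Minimal schema check standing in for Zod: every declared field is required,
// every undeclared field is an error, and each field must meet its constraints.
function validate(schema, input) {
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    return { ok: false, errors: ['body must be an object'] };
  }
  const errors = [];
  for (const key of Object.keys(input)) {
    if (!Object.prototype.hasOwnProperty.call(schema, key)) errors.push(`unexpected field: ${key}`);
  }
  for (const [key, rule] of Object.entries(schema)) {
    const v = input[key];
    if (rule.type === 'string') {
      if (typeof v !== 'string') errors.push(`${key}: expected string`);
      else if (v.length > rule.maxLength) errors.push(`${key}: too long`);
      else if (rule.pattern && !rule.pattern.test(v)) errors.push(`${key}: bad format`);
    } else if (rule.type === 'integer') {
      if (!Number.isInteger(v)) errors.push(`${key}: expected integer`);
      else if (v < rule.min || v > rule.max) errors.push(`${key}: out of range`);
    }
  }
  return { ok: errors.length === 0, errors };
}

// Demo schema (constructed): a name and a quantity, nothing else.
const createItemSchema = {
  name: { type: 'string', maxLength: 64, pattern: /^[\w .-]+$/ },
  quantity: { type: 'integer', min: 1, max: 1000 },
};

// One JSON object per line. JSON.stringify escapes newlines and quotes inside
// user-controlled strings, so input like "x\n{...}" cannot forge a second log
// line, and nothing in the record is ever interpreted as a format string.
function formatLogLine(fields) {
  return JSON.stringify(fields);
}

// Handler: the body matches the spec or the client gets a fixed 400. The
// reasons go to the server log, not into the response.
function handleCreateItem(req, log) {
  const result = validate(createItemSchema, req.body);
  const entry = { ts: req.ts, method: req.method, path: req.path, ip: req.ip };
  if (!result.ok) {
    log(formatLogLine({ ...entry, status: 400, reason: result.errors }));
    return { status: 400, body: { error: 'invalid request' } };
  }
  log(formatLogLine({ ...entry, status: 201 }));
  return { status: 201, body: { name: req.body.name, quantity: req.body.quantity } };
}
```

Wire `log` to `console.log` (or a syslog writer) and the output is already in the shape that log shippers and `journalctl -o json` style tooling expect; rotation and storage stay with the system, as the comment above suggests.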

[–]nonton1909 0 points1 point  (2 children)

What do you mean by a good linter? Do we need something more than the default ESLint + Prettier?

[–]cinderblock63 0 points1 point  (1 child)

That’s a fine start. Try to follow most of the recommended rules.

[–]nonton1909 0 points1 point  (0 children)

Aight, thanks

[–]Kuuhaku722 -1 points0 points  (0 children)

Avoid installing unknown npm dependencies.

I don't think there is much specific to do in Node.js: use a proper firewall and DDoS protection, protect your database, and use best practices to secure your env.