In a previous blog post I mentioned ways to secure your ExpressJS instance. This included both using third party modules and modifications to the default configuration of Express.

The blog post received great feedback, so we decided to create a skeleton that showed how to handle the security concerns addressed. The skeleton is a great starting point for a secure ExpressJS application and this post will cover the details getting started with it and what it covers for you out of the box.

The source code for the skeleton can be found here dead-simple-express.

Check out the secure branch for all the details.

Getting Started

The following instructions are done with an OSX machine in mind, so modify accordingly.

Make sure to have mongodb installed

brew install mongodb

To use:

git clone https://github.com/jeremybuis/dead-simple-express.git && cd dead-simple && rm -rf .git
npm install
bower install
npm start

Navigate to http://localhost:4000 to view the basic page, keeping in mind its a starting point project, so things are pretty bare.

What you get in the skeleton

  • A rock solid starting point for writing an ExpressJS server side webapp
  • Sane defaults which includes express configurations and security focused configuration
  • Logical app structure which has a nice separation of concerns between files
  • Proper error handling
  • Security minded modules to handle issues addressed in last blog post
  • Build script for super dev powers using Gulp

Security issues it covers

  • Cross-site Request Forgery (CSRF)
  • Security headers using helmet
  • HPP or HTTP Parameter Pollution
  • Content length validation
  • Downgraded user privileges
  • Secure cookies
  • Proper env variable loading
  • Removal of x-powered-by header
  • Generic cookie name
  • User accounts with bcrypt password handling

Recommended setup

My preference to set something like this up in production is to put your express server behind a nginx proxy.

The proxy handles ssl termination and routes traffic to your express server. It also handles serving static resources. This way your express app is only handling app specific routes that have business logic attached to them.

This setup allows you to not run the express instance as root as it doesnt need to be bound to a port lower than 1024.

Thats all for now folks

White Paper - Proving Adherence to Software Security Best Practices

White Paper - Proving Adherence to Software Security Best Practices

Industry standards and the best practices for developing secure software. Please provide your email and name to receive your copy.

Success! Your copy is on the way.

eight-myths

The 8 New Deadly Myths of Application Security

If you want to get clear on the best strategy for software security in your organization, you must first get clear on the problems. Many organizations identify the problems as cryptography, insecure SSL practices, or authentication issues.

This is why organizations get trapped within incorrect mindsets to find themselves struggling to prove proper adherence to software security best practicesor worse, in a middle of a data breach.

Enter your name and email below to understand the myths and start an application security program that works.

You have Successfully Subscribed!