Carsten Ruhr

NodeJS Security Cheatsheet

I found this nice NodeJS security cheatsheet today. While I already follow a good cut of this guide, there are three things I had not considered yet.

Limiting the request size

Makes sense. You don't want anybody to send gigabytes of data and flood the memory or disk. So I looked up how to do this in Next.js and found out that it's directly possible to set the sizeLimit in the route configuration:
https://nextjs.org/docs/api-routes/api-middlewares


Precautions against brute-force attacks

You might think you will never be targeted by brute-force attacks. But malicious actors might not even try to crack passwords or register thousands of accounts. They might try to abuse your credit card form just to validate stolen credit cards. I learned about this kind of abuse about a year ago at DeepL. Rate limiting might be a good step to help against such "attacks".
This package looks like a good option: https://www.npmjs.com/package/rate-limiter-flexible
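To make the idea concrete, here is an added example (my own code, not the rate-limiter-flexible package) of a small in-memory sliding-window limiter keyed by client identifier, plus an Express-style middleware that answers with HTTP 429 and a `Retry-After` header once the budget is used up. The clock is injectable so the behaviour can be tested deterministically; the class and function names are assumptions, and a single-process `Map` store is only adequate until the app runs on more than one instance.

```javascript
// Added example (not from the original post or rate-limiter-flexible):
// a sliding-window rate limiter with an Express-style middleware wrapper.
class SlidingWindowLimiter {
  constructor({ points, durationMs, now = () => Date.now() }) {
    this.points = points;       // allowed requests per window
    this.durationMs = durationMs;
    this.now = now;             // injectable clock for deterministic tests
    this.hits = new Map();      // key -> timestamps (ms) of recent hits
  }

  // Record one request for `key` and report whether it is within budget.
  consume(key) {
    const t = this.now();
    const windowStart = t - this.durationMs;
    const recent = (this.hits.get(key) || []).filter((ts) => ts > windowStart);
    if (recent.length >= this.points) {
      this.hits.set(key, recent);
      // Oldest hit still in the window decides when a slot frees up.
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + this.durationMs - t };
    }
    recent.push(t);
    this.hits.set(key, recent);
    return { allowed: true, remaining: this.points - recent.length, retryAfterMs: 0 };
  }
}

// Middleware factory. `req`, `res`, `next` follow the Express signature but
// nothing here depends on Express itself. Key by IP by default; for a card
// form you would rather key by account or session so shared NATs are not
// punished together.
function rateLimit(limiter, keyFn = (req) => req.ip) {
  return function (req, res, next) {
    const result = limiter.consume(keyFn(req));
    res.setHeader('X-RateLimit-Remaining', String(result.remaining));
    if (!result.allowed) {
      res.setHeader('Retry-After', String(Math.ceil(result.retryAfterMs / 1000)));
      res.statusCode = 429;
      res.end('Too Many Requests');
      return;
    }
    next();
  };
}

// Minimal stand-ins for Express objects, used for the worked run below.
function fakeRes() {
  return { statusCode: 200, headers: {}, setHeader(k, v) { this.headers[k] = v; }, end() {} };
}

// Worked run: 3 requests per minute from one client, fourth is refused.
function demo() {
  let clock = 0;
  const limiter = new SlidingWindowLimiter({ points: 3, durationMs: 60000, now: () => clock });
  const mw = rateLimit(limiter);
  const statuses = [];
  for (let i = 0; i < 4; i++) {
    const res = fakeRes();
    let passed = false;
    mw({ ip: '203.0.113.7' }, res, () => { passed = true; });
    statuses.push(passed ? 200 : res.statusCode);
    clock += 1000;
  }
  return statuses; // [200, 200, 200, 429]
}

module.exports = { SlidingWindowLimiter, rateLimit, fakeRes, demo };
```

A card-validation endpoint usually wants a much tighter budget than a page view does, and failed attempts should count the same as successful ones, since an attacker validating stolen cards learns just as much from a decline.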


HTTP Parameter Pollution

I had never heard about this before, nor did I know about the Express behaviour of packing multiple parameters with the same name together into an array. The HPP module alters this behaviour and only takes the last parameter into consideration.
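The following added example (my own code, not the hpp module) shows both halves of the problem: a query-string parser that turns repeated keys into arrays the way Express does, and a normalization pass modelled on hpp that keeps only the last value, sets the rest aside under `queryPolluted` for logging, and honours a whitelist for parameters that legitimately arrive as arrays. `parseQuery`, `dedupeParams` and `hppMiddleware` are my names.

```javascript
// Added example (not from the original post or the hpp module):
// repeated query keys become arrays; a normalization step picks the last value.

// Parse a raw query string the way Express presents it: a key that appears
// once is a string, a key that appears more than once is an array.
function parseQuery(rawQuery) {
  const params = new URLSearchParams(rawQuery);
  const query = {};
  for (const key of new Set(params.keys())) {
    const all = params.getAll(key);
    query[key] = all.length === 1 ? all[0] : all;
  }
  return query;
}

// Keep the last value of every repeated key (like hpp), unless the key is
// whitelisted because the handler genuinely expects an array there.
function dedupeParams(query, whitelist = []) {
  const clean = {};
  const polluted = {};
  for (const [key, value] of Object.entries(query)) {
    if (Array.isArray(value) && !whitelist.includes(key)) {
      polluted[key] = value;
      clean[key] = value[value.length - 1];
    } else {
      clean[key] = value;
    }
  }
  return { query: clean, polluted };
}

// Express-style middleware: normalizes req.query in place and exposes the
// discarded values on req.queryPolluted so suspicious requests can be logged.
function hppMiddleware(options = {}) {
  const whitelist = options.whitelist || [];
  return function (req, res, next) {
    const { query, polluted } = dedupeParams(req.query || {}, whitelist);
    req.query = query;
    req.queryPolluted = polluted;
    next();
  };
}

// Worked run on a constructed query string. Without normalization a handler
// doing `typeof req.query.id === 'string'` checks or string comparisons
// silently sees an array instead.
function demo() {
  const req = { query: parseQuery('id=1&id=2&tags=a&tags=b&name=alice') };
  hppMiddleware({ whitelist: ['tags'] })(req, {}, () => {});
  return req; // query: { id: '2', tags: ['a','b'], name: 'alice' }, queryPolluted: { id: ['1','2'] }
}

module.exports = { parseQuery, dedupeParams, hppMiddleware, demo };
```

Whether "last wins" is the right policy depends on what the rest of the stack does; the important part is that every layer agrees on one interpretation, and that the polluted values are visible in logs rather than silently dropped.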