THE BEST TWO WAYS TO SECURED YOUR WEB APP:
Validate User Inputs:
Accordingly, Injection-based attacks can come in so many ways; XSS, SQL injections, host header injection, and OS command injection are a few examples of these attacks.
Therefore, Injection-based attacks have over the years made their way into the OWASP (Open Web Application Security Project) and SANS Top 25 CWE (Common Weakness Enumeration) many times.
So, in the web development, we need to validate all inputs before the application processes the data to mitigate injection-based attacks.
E.g., the phone number field, Password field, Name field, they must only accept an acceptable format with specific numeric and special characters.
Managing Application Secrets:
This is another crucial way to securitized the web app secret credentials by managing sensitive secrets such as database connection strings, API keys, and credentials is mandatory in any application.
Therefore, we should stop keeping these secrets in the codebase at all costs and follow standard rules and methods to store them.
for example, You can use environment variables within the operating system to store this sensitive information, and we can use Node.js to call these environment variables.
However, there are instances where the application would require more than one variable instantiated. At this juncture, the only best way to manage secrets is to use the dotenv package.
so, you can easily install it using npm or Yarn as follows:
NPM
npm install dotenv
Yarn
yarn add dotenv
Then, create a .env file at the project root and define all the secrets in that file.
NODE_ENV= develpment,
MONGODB_URL = "mongodb_url:uerbsf@kgeyfdop_jhf"
PORT = 3000
USERNAME=secret123
PASSWORD=secret123@
Finally, you can require and use these secrets in the application like below:
require('dotenv').config();
mongoose.connect({
host: process.env.PORT,
username: process.env.MONGODB_URL,
password: process.env.PASSWORD
})
Most importantly, make sure to include .env files in the .gitignore file to prevent them from being pushed to the Git repository.
Top comments (2)
Thanks for noting these two useful security controls 🙏, The OWASP foundation also has a recommended set of mitigations for each of their popular Top 10 security risks.
Use of
.envfiles is a good start if deploying to your own infrastructure, although these should be managed in some way by your operations team (or just you of course!), preferably in a way that it is possible to redeploy easily - for example, I've used a local password manager application to hold credentials securely, and including the password database in my backups... When deploying to cloud infrastructure, always consider using their credential management services (eg: Azure Key Vault) before developing your own!Thanks you so much for this great contribution.
Well noted, sir.