DEV Community

Bour Abdelhadi
Bour Abdelhadi

Posted on • Updated on

Javascript Security Checklist

Summary

Introduction

Javascript is everywhere, It runs inside your browser, astronaut spacesuit, and most developers use it as a client-side and server-side programming language to allow them to create interactive web pages.

Javascript is a lightweight, interpreted programming language with first-class functions.

In addition, the Javascript ecosystem relies heavily on third-party libraries;
Visualization of npm shows dependency graph of an npm package.
Therefore, ensuring the security of JavaScript requires following security best practices to reduce attack surfaces. But how do we keep JavaScript applications safe?

I will be sharing with you in this article some helpful tips I use every day as a security engineer so you can start thinking more about security before deploying your code to production.

1. Code Linting & SAST

Seeing real-time feedback through linting while you're coding inside your IDE can help you accelerate development and reduce costs by finding errors and security issues earlier.

You can use:

Most SAST tools like SonarQube provide more features to identify code smells and known security vulnerabilities.
SonarQube

2. Running a security audit with npm audit

Most of the developers are using NPM(node package manager), which is a tool that helps you to install other people's code packages into your Javascript project.

When it comes to security, the first thing we will consider is NPM audit tool. This tool will help you detect vulnerabilities in all your installed dependencies and help you fix them.

npm audit

Suppose you are using Github as a source control management system. In that case, they have a tool called Dependabot, which automatically scans the dependencies of NPM and informs you via email to clarify the risks.

Dependabot


If you're working on a big project, you should consider automating this job instead of doing it manually each time by yourself. Thus, we can create a Cron Jobs to set recurring tasks (Choose your preferable CI tool).
Alt Text


3. Integrity checking for JavaScript (SRI)

If you're a developer, I'm sure you used before the <script> tag to import third-party libraries inside your code, but did you ever think about the possibility of manipulating the source code of those imported scripts?

Yes, It can happen, especially when you render external resources on your website. Therefore, your website may face a security breach.

You can use the SRI feature to enable browsers to verify the resources they fetch as a security measure.

<script src="https://example.com/example-framework.js"
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
        crossorigin="anonymous"></script>
Enter fullscreen mode Exit fullscreen mode

How does it work?

Let's say we'd like to add JQuery to our code.

  • Download the minimized version of JQuery.
  • Calculate the SHA256 hash of JQuery version 3.5.1 hosted by Cloudflare
  • Run it twice through OpenSSL to generate the checksum.
  • Encode the result in base64 format.
curl -s https://cdnjs.cloudflare.com/ajax/libs/jquery/3.5.1/jquery.min.js | openssl dgst -sha256 -binary | openssl enc -base64 -A

9/aliU8dGd2tb6OSsuzixeV4y/faTqgFtohetphbbj0=
Enter fullscreen mode Exit fullscreen mode

Now that we have the hash, we can add the integrity attribute to the script tag and the prefix sha256- to the hash to indicate the hashing algorithm used. Starting from now, any browser that supports SRI will require that the provided hash matches the calculated hash of the downloaded file.

<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.5.1/jquery.min.js"
        integrity="sha256-9/aliU8dGd2tb6OSsuzixeV4y/faTqgFtohetphbbj0="
        crossorigin="anonymous"></script>
Enter fullscreen mode Exit fullscreen mode

Browser compatibility (SRI)
Browser compatibility SRI

4. Validations, Validations, Validations!

Client-side validation is not enough, and you should never rely on it when you write your code.

  • Don't trust user inputs.
  • Use proper methodologies for encoding/escaping
  • Sanitize and clean your user inputs
  • Set secure cookies
  • Establish a secure content security policy
  • Encrypt data transmissions between client-side and server-side
  • Use updated libraries and frameworks
  • Perform regular scans on your underlying databases and codebases

Read:

5. Minify and obfuscate your Javascript

As an attacker, I will try my best to understand the business logic behind the application, and if I do so, I can find my way through.

It's crucial to minify & obfuscate your Javascript to make it more difficult for the attacker to understand your code and decrease the attack surface.


Conclusion

Great job if you followed this far!

Hopefully, you’re now more aware of the problems you may face while developing your javascript application. Keep in mind that this article covered only a few things you should check while securing your application.

You may also need to read about:

  • Configuration Management.
  • Authentication.
  • Session Management.
  • Secure Transmission.
  • Denial of Service.
  • Error Handling.

You can reach me out on LinkedIn if you have questions @Bour Abdelhadi

Do you want to support me? > 💲 Thanks :D

Discussion (9)

Collapse
phyberapex profile image
PhyberApex

Two things I really miss here are the point of robust code and safe defaults. Although they are not JavaScript specific. But only robust code can be secure and always default to the save route. So if you are eg checking access make sure the default is to not allow access.

~Cheers

Collapse
andrewpierno profile image
Andrew Pierno

Awesome work, Bour!
Would you be willing to write some tutorials for our us? Happy to pay.

You can either DM me on twitter at twitter.com/AndrewPierno or fill out this little airtable form airtable.com/shrN6S3NMZ7oxRXTt.

Collapse
djaidri_oussama profile image
DJAIDRI oussama

thanks for sharing Abdelhadi <3

Collapse
abderrahmenbmz profile image
Abderrahmen

Thanks Abdelhadi

Collapse
djameleddine21 profile image
Sebbagh Djamel Eddine

Thanks for sharing @bscript

Collapse
l4t3nc1 profile image
l4t3nc1

Awesome post, Thank you!

Collapse
amersikira profile image
Amer Sikira

Great article! 👍

Collapse
haddadzineddine profile image
Haddad Zineddine

clear and clean thanks

Collapse
aidamohamed profile image
AIDA Mohamed

Many Thanks Abdelhadi