
Node.js Express API development security checklist - wheresvic1
https://smalldata.tech/blog/2017/05/19/nodejs-express-api-development-security-checklist
======
simple10
This is a great list but does not include solutions for a lot of the problems.
Most web developers will already know basic solutions but it would be nice to
see a github repo with checklist + solutions. Anyone know of one?

------
msarchet
I find it interesting that they assume that you treat passwords as plaintext
in a security document :/

~~~
wheresvic1
That was just an example, you could just as well change it to an injection on
a different resource/field!

------
wolco
Never considered a regex attack blocking the event loop. Not something you
would consider with apache or nginx.

~~~
clintonb
The web server doesn't matter since it isn't processing the regex. It's the
application server that is being tied up. If you're using a multi-threaded
application server, it would eventually get bogged down. See
[https://www.owasp.org/index.php/Regular_expression_Denial_of...](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS)
linked from the original article.

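The "regex blocks the event loop" point in the two comments above, as an added example that is not part of the original article or of any comment in this thread. It uses one of the evil patterns from the OWASP ReDoS page, times how long a single `test()` call freezes the process, and shows the two guards a practitioner would want: an unambiguous rewrite of the pattern and an input length cap. The cap of 256 and the name `validateName` are assumptions made for the example. Plain Node.js (v16 or newer for the global `performance`), no packages.

```javascript
// Added example (not from the article or any commenter): an "evil" regex
// stalling the Node.js event loop, and the two guards that stop it.
// `performance` is a Node global since v16; on older Node use
// require("perf_hooks").performance.

// From the OWASP ReDoS page: "words, each optionally followed by one
// whitespace". Ambiguous: a run of n word characters can be split among
// the repeated `\w+` groups in 2^(n-1) ways, and the engine tries every
// one of them before giving up on a failing input.
const EVIL = /^(\w+\s?)*$/;

// Accepts exactly the same strings, without the ambiguity: each `\w+`
// must run up to a separator, so a failing input is rejected after O(n)
// backtracking steps instead of O(2^n).
const SAFE = /^(\w+(\s\w+)*\s?)?$/;

// Classic payload: a long run that almost matches, then one character
// that forces failure and full backtracking.
function payload(n) {
  return "a".repeat(n) + "!";
}

// Wall-clock time of one synchronous test(). Nothing else on the event
// loop (other requests, timers, I/O callbacks) runs meanwhile, so this is
// how long one request can freeze the whole process.
function blockingMs(re, input) {
  const t0 = performance.now();
  re.test(input);
  return performance.now() - t0;
}

// Guard 1: bound input length before any regex sees it (256 is an
// assumed limit for this example). A cap bounds the damage for
// polynomial-time patterns; against an exponential pattern like EVIL it
// only helps if the cap is tiny (about 20 characters), so it is no
// substitute for Guard 2.
const MAX_LEN = 256;
// Guard 2: use the unambiguous pattern (the default here).
function validateName(input, re = SAFE) {
  if (typeof input !== "string" || input.length > MAX_LEN) return false;
  return re.test(input);
}

// Sanity check that the rewrite did not change the accepted language.
function sameLanguage(samples) {
  return samples.every((s) => EVIL.test(s) === SAFE.test(s));
}

// Each extra character doubles the evil time; the safe time stays flat.
function demo(sizes = [10, 14, 18, 20]) {
  return sizes.map((n) => ({
    n,
    evilMs: +blockingMs(EVIL, payload(n)).toFixed(1),
    safeMs: +blockingMs(SAFE, payload(n)).toFixed(3),
  }));
}

console.table(demo());
```

Try `demo([22, 24])` to see the doubling continue into whole seconds; at that point a single unauthenticated request to a route that runs `EVIL` stalls every other request in the process, which is the difference from Apache or nginx worker models the thread is discussing.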
------
retox
The Express site itself has a similar list of security considerations.
[https://expressjs.com/en/advanced/best-practice-security.htm...](https://expressjs.com/en/advanced/best-practice-security.html)

------
mirekrusin
Author is confusing prepared statements with parameterized queries/escaping in
one of the first points. Prepared statements are not related to SQL
injections, i.e. you can build them from interpolated strings as well.

~~~
wheresvic1
Yes you are correct there. In the context of Node.js and using the mysql
package, prepared statements do the job :)

