Node.js Express API development security checklist (smalldata.tech)
50 points by wheresvic1 on Aug 31, 2017 | 8 comments

This is a great list but does not include solutions for a lot of the problems. Most web developers will already know basic solutions but it would be nice to see a github repo with checklist + solutions. Anyone know of one?

I find it interesting that they assume that you treat passwords as plaintext in a security document :/

That was just an example, you could just as well change it to an injection on a different resource/field!

Never considered a regex attack blocking the event loop. Not something you would consider with apache or nginx.

The web server doesn't matter since it isn't processing the regex. It's the application server that is being tied up. If you're using a multi-threaded application server, it would eventually get bogged down. See https://www.owasp.org/index.php/Regular_expression_Denial_of... linked from the original article.
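The event-loop point in the two comments above, shown as an added example (not code from the thread or from the linked article): Node runs regular expressions on the single event-loop thread, so an unbounded input against a backtracking-prone pattern stalls every in-flight request. The defensive habits demonstrated here are a hard length cap applied before any regex runs and a pattern with no nested quantifiers and bounded repetition. The field name, the limit of 256 and the Express-style middleware signature are assumptions for illustration; `express` itself is not required to run this.

```javascript
// Added example, not from the thread: guard user input before it reaches
// a regex in a Node/Express handler. Node's regex engine blocks the event
// loop while it backtracks, so input size and pattern shape both matter.

const MAX_FIELD_LENGTH = 256; // assumed per-field limit for this example

// Linear-time username pattern: anchored, a single bounded repetition,
// no nested or overlapping quantifiers for the engine to backtrack over.
const USERNAME_RE = /^[A-Za-z0-9_]{1,32}$/;

function validateUsername(value) {
  if (typeof value !== 'string') {
    return { ok: false, reason: 'not a string' };
  }
  // Reject oversized input before the regex runs at all.
  if (value.length > MAX_FIELD_LENGTH) {
    return { ok: false, reason: 'too long' };
  }
  if (!USERNAME_RE.test(value)) {
    return { ok: false, reason: 'invalid characters or length' };
  }
  return { ok: true, value };
}

// Express-style middleware (hypothetical handler shape: req.body.username).
function usernameGuard(req, res, next) {
  const result = validateUsername(req.body && req.body.username);
  if (!result.ok) {
    res.status(400).json({ error: result.reason });
    return;
  }
  next();
}

// Wall-clock cost of validating one value, in milliseconds. With the length
// cap and the linear pattern this stays negligible even for worst-case input.
function validationTimeMs(value) {
  const start = process.hrtime.bigint();
  validateUsername(value);
  return Number(process.hrtime.bigint() - start) / 1e6;
}
```

The length check sits in front of the regex on purpose: it is O(1) and it bounds the work any pattern can do, which is the cheapest mitigation even for patterns you have not audited. Body parsers should also enforce a request size limit so the cap is not only per field.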

The Express site itself has a similar list of security considerations. https://expressjs.com/en/advanced/best-practice-security.htm...

Author is confusing prepared statements with parameterized queries/escaping in one of the first points. Prepared statements are not related to SQL injections, i.e. you can build them from interpolated strings as well.

Yes you are correct there. In the context of Node.js and using the mysql package, prepared statements do the job :)
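The distinction in the last two comments, as an added example (not code from the thread and not the `mysql` package's own implementation): interpolating a value into the query text lets the value change the statement's structure, while binding it through a placeholder keeps the statement fixed. In the `mysql` package this is `connection.query(sql, values, cb)` or `mysql.format(sql, values)`, and it is client-side escaping rather than a server-side prepared statement. The `bindParams` helper below is a constructed stand-in for that placeholder handling so the example runs offline; the table and column names are assumptions.

```javascript
// Added example, not from the thread: interpolated vs. parameterized SQL.
// `escapeLiteral` and `bindParams` are a constructed illustration of what a
// driver does for `?` placeholders, not the mysql package's own code.

// Escape one value as a SQL literal: NULL for null/undefined, bare numbers,
// and backslash-escaped quotes, backslashes and control characters for strings.
function escapeLiteral(value) {
  if (value === null || value === undefined) return 'NULL';
  if (typeof value === 'number') return String(value);
  const s = String(value).replace(/[\0\n\r\b\t\\'"\x1a]/g, (ch) => {
    switch (ch) {
      case '\0': return '\\0';
      case '\n': return '\\n';
      case '\r': return '\\r';
      case '\b': return '\\b';
      case '\t': return '\\t';
      case '\x1a': return '\\Z';
      default: return '\\' + ch; // backslash and both quote characters
    }
  });
  return `'${s}'`;
}

// Replace each `?` with the next value, escaped. Because escaping is applied
// per value, input can never terminate the literal it is placed inside.
function bindParams(sql, values) {
  let i = 0;
  const out = sql.replace(/\?/g, () => {
    if (i >= values.length) throw new Error('too few values for placeholders');
    return escapeLiteral(values[i++]);
  });
  if (i !== values.length) throw new Error('too many values for placeholders');
  return out;
}

// Vulnerable form: the value becomes part of the query text, so a quote in
// the input ends the literal early and alters the statement.
function findUserInterpolated(name) {
  return `SELECT id FROM users WHERE name = '${name}'`;
}

// Parameterized form: the query text is constant, the value is bound.
function findUserBound(name) {
  return bindParams('SELECT id FROM users WHERE name = ?', [name]);
}
```

Running both with an ordinary name containing an apostrophe, such as `O'Brien`, makes the difference visible without any crafted input: the interpolated query is already syntactically broken, the bound one is not. A real driver should be used in production; the point of the helper is only to show where the escaping boundary sits.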
