Skip to content

Instantly share code, notes, and snippets.

Last active August 16, 2020 02:44
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
What would you like to do?
1. compromised database
- strongly encrypt passwords with salt and hash (bcrypt)
- strongly encrypt password reset tokens (sha256)
2. brute-force attacks
- use bcrypt (to make login request slow)
- implement rate limiting (express-rate-limit)
- implement maximum login attempts
3. cross-site scripting (xss) attacks
- store jwt in HttpOnly cookie
- sanitize user input data
- set special http headers (helmet package)
4. denial-of-service (DoS) attacks
- implement rate limiting (express-rate-limit)
- limit body payload (in body-parser)
- avoid expensive regular expressions
5. database injection
- use mongoose for mongodb access (because SchemaTypes)
- sanitize user input data
6. other best practices and suggestions
- always use https
- create random password reset tokens with limited expiry dates
- deny access to jwt after password change
- don't commit sensitive config files to git
- don't send error details to clients
- prevent cross-site request forgery (csrf) attacks (csrf package)
- require re-authenticate before a high-value actions
- implement a blacklist of untrusted/revoked jwt tokens
- confirm email address after first account creation (send confirmation link via email)
- keep user logged in using refresh tokens
- implement tw-factor authentication
- prevent parameter pollution causing unhandled exceptions
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment