Last active
August 16, 2020 02:44
1. compromised database
- store passwords only as salted, slow hashes (bcrypt), never in plaintext
- store password reset tokens only as hashes (sha256), never in plaintext
2. brute-force attacks
- use bcrypt (its cost factor makes each login attempt slow)
- implement rate limiting (express-rate-limit)
- implement a maximum number of login attempts
3. cross-site scripting (xss) attacks
- store the jwt in an HttpOnly cookie
- sanitize user input data
- set special http headers (helmet package)
4. denial-of-service (DoS) attacks
- implement rate limiting (express-rate-limit)
- limit the body payload size (in body-parser)
- avoid expensive regular expressions
5. database injection
- use mongoose for mongodb access (because SchemaTypes enforce types)
- sanitize user input data
6. other best practices and suggestions
- always use https
- create random password reset tokens with limited expiry dates
- deny access to a jwt issued before the last password change
- don't commit sensitive config files to git
- don't send error details to clients
- prevent cross-site request forgery (csrf) attacks (csurf package)
- require re-authentication before high-value actions
- implement a blacklist of untrusted/revoked jwt tokens
- confirm the email address after account creation (send a confirmation link via email)
- keep the user logged in using refresh tokens
- implement two-factor authentication
- prevent parameter pollution from causing unhandled exceptions