You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
How to prevent these attacks from happening in your own project?
Preventing DOS Attacks
First thing to consider when dealing with DOS attacks prevention is to limit the actual payload that user can submit to your app / api / service. You can limit the body payload using body-parser. If you are using ExpressJS as your backend framework, then you are golden. ExpressJS comes with built-in body-parser that you can use.
constexpress=require('express');constapp=express();app.use(express.json({limit: '10kb'}));// Body limit is 10
Another useful express feature is express-rate-limit dependency. This dependency lets you set rate limit for users. So basically, you can set maximum amount of requests for each user, after user uses all of his requests, you can lock him out for certain amount of time.
Here is how you can configure express-rate-limit:
npminstallexpress-rate-limit-InstallingitusingNPM
constlimit=rateLimit({max: 100,// max requestswindowMs: 60*60*1000,// 1 Hourmessage: 'Too many requests'// message to send});app.use('/routeName',limit);// Setting limiter on specific route
Preventing XSS Attacks
First of all, you can sanitize user data, on input. This is very easy to implement, and we can use another useful dependency called xss-clean.
This dependency will prevent users from inserting HTML & Scripts on input.
npminstallxss-clean-InstallingitusingNPM
// Data Sanitization against XSSapp.use(xss());
Give your project special HTTP headers using helmet dependency. Helmet is a collection of middleware functions. By default, not all of the middleware functions are included, but you can enable rest of them manually. You can check this link to see other middleware functions.
Here is how you can configure helmet - It should be declared on the top of the code:
npminstallhelmet-InstallingitusingNPM
app.use(helmet());
If you are using JSON Web Tokens (JWT) instead of express-session for example, you should consider storing JWT’s into the cookies. As well, make sure these cookies for JWT storing are HTTP Only!
Preventing Brute Force Attacks
One of the most efficient way to help you to deal with brute force attacks, is to set limit to login attempts, or anything related to authentication that requires users to insert their passwords, special codes or PINs.
Next up, and again, if you are using ExpressJS, you could implement express-rate-limit dependency. Which we did indeed implemented in DOS attacks prevention. But this dependency works both for Brute Force attacks and DOS attacks.
To slower down and make life a little bit harder for attackers when guessing sensitive data (passwords, PINs), you could implement bcrypt dependency. Bcrypt will encrypt sensitive data such as passwords and it will make them harder to guess. Bcrypt is a little bit complex dependency, but if you want to learn more (and you should) checkout this link.
Another thing that will make brute force attacks less likely is implementing 2-Step verification process, or two-factor authentication. It does take couple of lines of codes to implement this, so here is the link that will help you out with it!
Preventing SQL/NoSQL Injection Attacks
Either if you are working with SQL or NoSQL database, you should sanitize your data.
If you are working with SQL database, you should consider using node-mysql dependency. Learn more about node-mysql here.
If you are working with NoSQL database (MongoDB) and ExpressJS, consider using express-mongo-sanitize dependency.
If working with MongoDB, use Object Data Modeling tool (ODM) Mongoose. Mongoose lets you define schemas and schema types for each one of your documents, making it secure from the beginning. Mongoose is pretty complex on it’s own, but if you want to dive deep into it, i’ll suggest you to check this link or get a crash course on it and learn it on the go!
Your main app file could look like this after you implemented these dependencies:
// Importing Dependenciesconstexpress=require('express');constrateLimit=require('express-rate-limit');consthelmet=require('helmet');constmongoSanitize=require('express-mongo-sanitize');constxss=require('xss-clean');constapp=express();// Helmetapp.use(helmet());// Rate Limitingconstlimit=rateLimit({max: 100,// max requestswindowMs: 60*60*1000,// 1 Hour of 'ban' / lockout message: 'Too many requests'// message to send});app.use('/routeName',limit);// Setting limiter on specific route// Body Parserapp.use(express.json({limit: '10kb'}));// Body limit is 10// Data Sanitization against NoSQL Injection Attacksapp.use(mongoSanitize());// Data Sanitization against XSS attacksapp.use(xss()