Mr.Joony

Reputation: 713

What are your ways of securing a Express.js REST API?

I'm building an app with an Express.js REST API as the back-end and I'm trying to wrap my head around all the necessary security measures and which libraries and tools to use.
Could you guys and gals make a rundown of which favorite and secure libraries you use for each part of the securing process?
Maybe also write why you use the ones you use. It would really help me a lot.
Thank you in advance.

Upvotes: 0

Views: 1030

Answers (2)

winwiz1

Reputation: 3164

  1. Avoid CORS if you can. CORS headers sent by webservers tell browsers: "Water down or turn off the built-in protection against cross-site/cross-domain attacks because I (the webserver that has sent you this or that CORS header) have been hardened so much that I'm not afraid of some third-party (e.g. not downloaded from me) scripts calling the APIs which I expose. Such scripts could be malicious but I don't care".

    You'd better leave it to webservers maintained by big companies like Google or Facebook to make bold statements like that, because they have enough resources to harden their webservers.

  2. Use rate limiting to protect against L7 DoS attacks.

  3. Scrutinize input. Assume all the input is malicious unless the scrutiny you have applied shows it is not. More specifically, do not assume the input is valid JSON, and do not assume the pieces of data inside the JSON have the correct JS type, e.g. do not assume an integer is an integer or that a date is indeed a date.

    Regex could be helpful to check the incoming requests, provided either it is simple or you use a Regex library that mitigates the danger of a DoS attack mounted by crafting the input data to cause significant resource consumption.

  4. Do not expose Express to the Internet directly, even via a firewall. Use a reverse proxy like Nginx that has been hardened to be connected directly to the Internet, preferably via a firewall. Use such a proxy to clamp down on API request size, allowed HTTP verbs, etc.

  5. Security must be multi-layered with redundant/repetitive protective measures implemented in different layers. For example, implement rate-limiting not only in Express but also in Nginx.

  6. Use a CDN, which comes with complimentary protection against L4 DDoS attacks and a complimentary firewall.

  7. For mutating (e.g. state-changing) APIs use CSRF. A CSRF attack cannot steal any data, so you don't need it for a specific API that lists some entities. But if the API is mutating, e.g. changes the server's state or data held in a db, then CSRF is needed.

  8. Avoid blocking on CPU-intensive or time-consuming tasks in API handlers. There will only ever be one thread that executes all the Express handlers, so you cannot afford to get it blocked on processing one request, regardless of whether the thread is passively waiting for a db query to complete or is busy doing some lengthy calculation. This needs to be handled in a non-blocking way, which will improve both scalability and security by making Express less prone to CPU exhaustion attacks.

  9. Keep detailed logs (usable for forensics); storage is cheap nowadays. When run-time errors happen, do log all the gory details, which will have wording you can neither fully predict nor control. Contrary to this approach, exercise tight control over the wording/exact content of the error messages you send back to the API caller. Do not include the full details, especially the ones with wording not known in advance, because the caller doesn't need to know and it could facilitate XSS reflection.

  10. See this. TLS termination is CPU-costly, so it's better not to use Express to handle TLS. It could be done on Nginx, by a sufficiently advanced firewall, or outsourced along with certificate procurement to the CDN.

  11. On Linux do not run Express as root. On Windows do not start Express using an administrative account. Use another account and ensure it has no permission to write to any disk directory/file except for the logging directory.

Upvotes: 3
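Items 2, 3 and 9 of the answer above (rate limiting, strict input scrutiny with ReDoS-safe regexes, and detailed logging paired with fixed error responses) as working code. This is an added example, not code from the answer or from Express itself: the middleware is dependency-free and uses the Express `(req, res, next)` / `(err, req, res, next)` signatures, so it runs stand-alone and would be registered in a real app with `app.use(...)`. The names `createRateLimiter`, `validateCreateUser`, `createErrorHandler`, `fakeRes`, `demo` and every sample input are constructed for this example.

```javascript
// Added example (not from the answer or Express): dependency-free middleware with
// Express signatures. Helper names and sample inputs are constructed.

// Item 2: fixed-window rate limiter keyed by client IP. `now` is injectable so
// the window can be driven deterministically in demo(); default is Date.now.
function createRateLimiter({ windowMs, max, now = Date.now }) {
  const buckets = new Map(); // ip -> { count, windowStart }
  return function rateLimit(req, res, next) {
    const t = now();
    const b = buckets.get(req.ip);
    if (!b || t - b.windowStart >= windowMs) {
      buckets.set(req.ip, { count: 1, windowStart: t }); // first hit of a new window
      return next();
    }
    b.count += 1;
    if (b.count > max) {
      res.set('Retry-After', String(Math.ceil((b.windowStart + windowMs - t) / 1000)));
      return res.status(429).json({ error: 'Too many requests' });
    }
    return next();
  };
}

// Item 3: check shape and JS types explicitly. Both regexes are anchored, have no
// nested or overlapping quantifiers and run in linear time, so crafted input
// cannot blow up matching time (ReDoS).
const USERNAME_RE = /^[A-Za-z0-9_]{3,32}$/;
const ISO_DATE_RE = /^(\d{4})-(\d{2})-(\d{2})$/;

// A string that merely looks like a date is not enough: 1990-02-30 matches the
// regex but rolls over in Date.UTC, so the round-trip comparison rejects it.
function isValidIsoDate(s) {
  const m = ISO_DATE_RE.exec(s);
  if (!m) return false;
  const [y, mo, d] = m.slice(1).map(Number);
  const dt = new Date(Date.UTC(y, mo - 1, d));
  return dt.getUTCFullYear() === y && dt.getUTCMonth() === mo - 1 && dt.getUTCDate() === d;
}

function validateCreateUser(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const errors = [];
  if (typeof body.username !== 'string' || !USERNAME_RE.test(body.username)) {
    errors.push('username must be 3-32 characters of [A-Za-z0-9_]');
  }
  // "30" or 30.5 are rejected, never coerced: an integer must arrive as one.
  if (!Number.isInteger(body.age) || body.age < 0 || body.age > 150) {
    errors.push('age must be an integer between 0 and 150');
  }
  if (typeof body.birthday !== 'string' || !isValidIsoDate(body.birthday)) {
    errors.push('birthday must be a real YYYY-MM-DD date');
  }
  return { ok: errors.length === 0, errors };
}

// Item 9: log everything (including attacker-influenced text) for forensics;
// the caller gets only a fixed message plus a correlation id to quote to support.
// Express recognises an error handler by its four-argument signature, so `next`
// stays in the parameter list even though it is unused here.
let errSeq = 0;
function createErrorHandler(log) {
  return function errorHandler(err, req, res, next) {
    const ref = `${Date.now().toString(36)}-${(++errSeq).toString(36)}`;
    log({ ref, method: req.method, url: req.url, ip: req.ip, message: err.message, stack: err.stack });
    res.status(500).json({ error: 'Internal server error', ref });
  };
}

// Minimal stand-in for an Express response, just enough to drive the middleware.
function fakeRes() {
  const res = { statusCode: 200, headers: {}, body: undefined };
  res.set = (k, v) => { res.headers[k] = v; return res; };
  res.status = (c) => { res.statusCode = c; return res; };
  res.json = (b) => { res.body = b; return res; };
  return res;
}

function demo() {
  let clock = 0; // fake clock in ms
  const limiter = createRateLimiter({ windowMs: 1000, max: 3, now: () => clock });
  const req = { ip: '203.0.113.9', method: 'POST', url: '/users' }; // constructed request
  const limited = [];
  for (let i = 0; i < 5; i++) {
    const res = fakeRes();
    let passed = false;
    limiter(req, res, () => { passed = true; });
    limited.push(passed ? 'pass' : res.statusCode); // 3 pass, then two 429s
  }
  clock = 1500; // a new window: the counter resets
  let passedAfter = false;
  limiter(req, fakeRes(), () => { passedAfter = true; });

  const logs = [];
  const res = fakeRes();
  const err = new Error("db: syntax error near '<script>'"); // constructed, attacker-shaped text
  createErrorHandler((entry) => logs.push(entry))(err, req, res, () => {});
  return { limited, passedAfter, logged: logs[0], sent: res.body };
}

const out = demo();
console.log(out.limited, out.passedAfter, out.sent, out.logged.message);
```

The logged entry carries the raw error text while the response body never does; a responder searching the logs for the `ref` the caller quotes can find the full record.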

Pavel Alekseev

Reputation: 1222

You should use CORS to prevent access to your API from unwanted origins (domain, protocol, or port). To set up CORS in an Express.js app, use the cors library.

More about CORS: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

Upvotes: 0
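Both answers touch on CORS (item 1 above argues against loosening it, this answer recommends the cors library with an origin allowlist). The following added example, not code from either answer or from the cors package, shows what an allowlist CORS middleware actually has to do in the Express `(req, res, next)` shape: exact-match the `Origin`, set `Vary: Origin`, never reflect an unknown origin, and answer preflights. The real cors package exposes the same decisions as its `origin`, `methods`, `allowedHeaders` and `credentials` options; the names `createCors`, `fakeRes`, `probe` and the origins used are constructed for this example.

```javascript
// Added example (not from either answer or the cors package): allowlist CORS
// middleware with the Express signature. Names and origins are constructed.

function createCors({ origins, methods = ['GET', 'POST'],
                      allowedHeaders = ['Content-Type', 'Authorization'], credentials = false }) {
  // Exact scheme://host[:port] matches only; a suffix or regex check lets
  // lookalike hosts through, which is the classic CORS misconfiguration.
  const allowed = new Set(origins);
  return function cors(req, res, next) {
    const origin = req.headers.origin;
    // No Origin header: same-origin navigation or a non-browser client. CORS
    // does not apply; the request falls through to the normal handler chain.
    if (origin === undefined) return next();
    // Caches must key on Origin, or one origin's allow header leaks to another.
    res.set('Vary', 'Origin');
    if (!allowed.has(origin)) {
      // Unknown origin: send no CORS headers at all, so the browser refuses to
      // expose the response to the page. Never echo the Origin value back.
      // Note the handler still runs for simple requests (GET, form POST), which
      // is why state-changing endpoints also need CSRF protection.
      if (req.method === 'OPTIONS') return res.status(403).end();
      return next();
    }
    // Allowed origin: return the matched value, never '*' (and '*' is invalid
    // when credentials are allowed anyway).
    res.set('Access-Control-Allow-Origin', origin);
    if (credentials) res.set('Access-Control-Allow-Credentials', 'true');
    if (req.method === 'OPTIONS') { // preflight: answer with a fixed policy, no body
      res.set('Access-Control-Allow-Methods', methods.join(', '));
      res.set('Access-Control-Allow-Headers', allowedHeaders.join(', '));
      res.set('Access-Control-Max-Age', '600');
      return res.status(204).end();
    }
    return next();
  };
}

// Minimal stand-in for an Express response, enough to observe what was sent.
function fakeRes() {
  const res = { statusCode: 200, headers: {}, ended: false };
  res.set = (k, v) => { res.headers[k] = v; return res; };
  res.status = (c) => { res.statusCode = c; return res; };
  res.end = () => { res.ended = true; return res; };
  return res;
}

// Runs one constructed request through the middleware and reports the outcome.
function probe(origin, method) {
  const cors = createCors({
    origins: ['https://app.example.com'], // constructed allowlist
    methods: ['GET', 'POST', 'DELETE'],
    credentials: true,
  });
  const req = { method, headers: origin === undefined ? {} : { origin } };
  const res = fakeRes();
  let reachedHandler = false;
  cors(req, res, () => { reachedHandler = true; });
  return { status: res.statusCode, headers: res.headers, reachedHandler };
}

console.log(probe('https://app.example.com', 'OPTIONS'));
console.log(probe('https://evil.example.com', 'GET'));
console.log(probe('https://app.example.com:8443', 'GET')); // port differs: not allowed
```

The third probe is the point of "domain, protocol, or port" in the answer: `https://app.example.com:8443` is a different origin from `https://app.example.com` and gets no allow header.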
