doc: apply suggestions from code review
Co-authored-by: Deian Stefan <github@deian.org>
RafaelGSS and deian authored Nov 9, 2022
commit 0c9bd600311c61b06e6fb57930e4f1e6cec2fc35
9 changes: 5 additions & 4 deletions locale/en/docs/guides/security/index.md
Expand Up @@ -149,14 +149,14 @@ Node.js and the front-end server of choice.

### Information Exposure through Timing Attacks (CWE-208)

This is an attack type applicable to not Node.js but to all runtimes, and might
lead to information disclosure vulnerabilities.
This is an attack that allows the attacker to learn potentially sensitive information by, for example, measuring how long
it takes for the application to respond to a request. This attack is not specific to Node.js and can target almost all runtimes.

A basic authentication method includes email and password as credentials.
The attack is possible whenever the application uses a secret in a timing-sensitive operation (e.g., branch). Consider handling authentication in typical application. Here, a basic authentication method includes email and password as credentials.
User information is retrieved from the input user has supplied from ideally a
DBMS.
Upon retrieving user information, the password is compared within the user
information retrieved from the database. This string comparison takes a longer
information retrieved from the database. Using the built-in string comparison takes a longer
time for the same length values.
This comparison, when run for an acceptable amount unwillingly increases the
response time of the request. By comparing the request response times, an
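Review bot: the new sentence on the "The attack is possible whenever..." line drops an article and reads "Consider handling authentication in typical application"; it should be "in a typical application". In the same hunk, the rewritten "Using the built-in string comparison takes a longer time for the same length values" still leaves the mechanism unstated: it is worth saying that a built-in comparison returns early at the first mismatching character, so for inputs of the same length the response time grows with the number of leading characters that match the stored value, which is what the attacker measures. Finally, the three added lines are far longer than the roughly 80-column wrapping used by the surrounding lines of this file; please re-wrap them to match.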
Expand All @@ -170,6 +170,7 @@ expected sensitive values using a constant-time algorithm.
* For password comparison, you can use the [scrypt][] available also on the
native crypto module.

* More generally, avoid using secrets in variable-time operations. This includes branching on secrets and, when the attacker could be co-located on the same infrastructure (e.g., same cloud machine), using a secret as an index into memory. Writing constant-time code in JavaScript is hard (partly because of the JIT). For crypto applications, use the built-in crypto APIs or WebAssembly (for algorithms not implemented in natively).
### Malicious Third-Party Modules (CWE-1357)

Currently, in Node.js, any package can access powerful resources such as
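Review bot: the added bullet has a typo at its end, "for algorithms not implemented in natively", which should read "not implemented natively". Structurally, the hunk inserts the new bullet after the existing blank line and directly before the "### Malicious Third-Party Modules (CWE-1357)" heading, so the blank line now splits the bullet list in two and the heading has no blank line before it (markdown lint will flag the latter). Suggest placing the new "* More generally, avoid using secrets..." item immediately after the "* For password comparison..." item and keeping the blank line between the list and the heading.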