Validating Data in ExpressJS
- Validating Data Overview
- What is Untrusted Data?
- Where to Validate Data
- Validating Data at the Request Layer
- Validating Data at the Model Layer
Handling Authentication in NodeJS Applications
- Protecting Passwords
- Protecting Against User Enumeration
- Locking User Accounts
Access Control in NodeJS
- Principle of Least Privilege and Roles
- Function-Level Access Controls
- Access Control Mistakes
Session Management in ExpressJS
- Session Hijacking
- Enabling HttpOnly Flag
- Enabling the Secure Flag
- Session Timeouts
- Session Fixation
- Forcing Re-authentication
NodeJS Transport Security
- TLS, SSL, and HTTPS
- Importance of TLS
- HTTP Strict Transport Security Header
- Content Security Policy
Pug Security Concern
- Cross-Site Scripting
- Commonly Used Templating Systems
- Server-Side Template Injection
Preventing MongoDB Query Selector Injection Attacks
- Injecting JavaScript
- Injecting Operators
Managing Third-Party Dependencies
- Unused Packages
- Package Popularity
- Check for Outdated Packages
- Check for Known Vulnerabilities
Run a Private Repository
The Need for OAuth 2.0
- An Example OAuth 2.0 Scenario
- The Valet Key Analogy
- Valet Keys in Our Application
Delegated Access with OAuth 2.0
- A Brief History of OAuth 2.0
- OAuth 2.0 Terminology
- Conceptual Overview of OAuth 2.0
- OAuth 2.0 Clients
Overview of OAuth 2.0 Grant Types
- Overview of Different Grant Types and Their Purposes
- Authorization Code Grant
- Device Authorization Grant
- Client Credentials Grant
- Implicit Grant
- Resource Owner Password Credentials Grant
Delegated Access from a Confidential Client
- A Confidential Client Scenario
- Delegated Access with the Authorization Code Flow
- Security Properties of the Authorization Code Flow
Delegated Access from a Public Client
- A Public Client Scenario
- Augmenting the Authorization Code Grant with PKCE
- Mobile and Native Clients
- Frontend Web Clients
- Security Properties of the Authorization Code Flow with PKCE
Long-Term Delegated Access
- The Purpose of Access Tokens
- Running a New Flow
- Using Refresh Tokens
- Securing Refresh Tokens
Common Pitfalls and Misconceptions
- Mistaking OAuth 2.0 for What It Is Not
- Abusing OAuth 2.0 for Authentication
- Modifying OAuth 2.0 Flows
Wrapping up OAuth 2.0
- The Core Concepts of OAuth 2.0
- High-Level Security Considerations