Securing Express.js

Course Description

In this course, you'll learn how to write secure Express applications. It gives you the tools, perspectives, and patterns you need to harden every layer of an Express application. We'll cover defensive coding techniques and show you how to prevent common vulnerabilities such as cross-site scripting and SQL injection.

Learning Objectives

  • Manage vulnerabilities in third-party library dependencies.
  • Securely handle application secrets.
  • Enable Transport Layer Security (TLS).
  • Leverage security-related HTTP headers.
  • Securely implement server-side templating.
  • Avoid common vulnerabilities like cross-site scripting and SQL injection.

Details

Delivery Format: eLearning

Duration: 1 Hour

Level: Intermediate

Intended Audience:

  • Back-End Developers
  • Architects

Prerequisites:

Course Outline

Introduction to Securing Express

  • Securing Express.JS
  • Express and Node.js
  • Defense in Depth
  • Running Express Applications
  • Secure Coding
  • Security Features

Execution Environment

  • Package-Level Controls
  • Managing Dependencies
  • Dependency Vulnerability Checking
  • Dropping Privileges
  • Process Continuity
  • Avoiding Information Leaks

Secure Coding Patterns

  • Error Handling
  • Prototype Pollution
  • Handling Regex
  • Single Thread Concerns
  • Zeroing Buffers
  • Eval

Handling Secrets

  • Setting Secrets
  • Accessing Secrets
  • Secrets in Development
  • Secrets Manager

HTTP Transport Security

  • Port Selection
  • Certificates
  • Server Identity
  • Cipher Selection
  • Mixed Content

HTTP Security Headers

  • Helmet.js
  • X-DNS-Prefetch-Control
  • X-Frame-Options
  • X-Powered-By
  • Strict-Transport-Security
  • X-Download-Options
  • X-Content-Type-Options
  • X-XSS-Protection
  • Content-Security-Policy

Secure Request Handling

  • Handling Requests for Static Files
  • Limiting Access to Static Files
  • Limiting Access to Secret Files
  • Avoiding Directory Indexing
  • Validating Request Data
  • Validation with Joi
  • Schema Hardening
  • Validation Middleware

Server-Side Templates

  • Templates in Express
  • The Attack Surface
  • Template Engine Plugins

Database Communication

  • Secure Connection
  • Hardening Configuration
  • Parameterized Queries

Logging

  • Logging Requests and Responses
  • Security Logging
  • Sensitive Data
  • Displaying Logs

Identity and Access Management

  • Authenticated Sessions
  • Access Management
