The authoritative list of the most critical web application security risks; every developer should know them.
| Risk | Prevention |
|---|---|
| Broken Access Control | Verify authorization on the server for every request; never trust role or permission claims supplied by the client |
| Cryptographic Failures | bcrypt for passwords; encrypt PII at rest; TLS everywhere |
| Injection | Parameterized queries; never concatenate user input into SQL |
| Security Misconfiguration | Disable debug mode; remove default credentials; set security headers |
| Vulnerable Components | npm audit; Dependabot; update regularly |
| Auth Failures | Rate-limit login; strong passwords; MFA; short sessions |
# helmet sets security-related HTTP response headers (CSP, HSTS, X-Frame-Options, ...) via app.use(helmet()) below
npm install helmet
import helmet from 'helmet';

// Default configuration: every helmet header (CSP, HSTS, X-Frame-Options, etc.)
// is sent with its built-in default value.
app.use(helmet());

// Customized configuration. The options are assembled separately so each
// policy can be reviewed on its own before being handed to helmet.
const cspDirectives = {
  defaultSrc: ["'self'"],
  scriptSrc: ["'self'", "https://www.googletagmanager.com"],
  // 'unsafe-inline' means CSP will not block injected inline <style> blocks or
  // style attributes; prefer nonces or hashes once inline styles can be moved out.
  styleSrc: ["'self'", "'unsafe-inline'"],
};

const hstsOptions = {
  maxAge: 31536000, // one year, expressed in seconds
  includeSubDomains: true,
  // Signals eligibility for browser HSTS preload lists; hard to reverse once submitted,
  // so only enable when every subdomain is served over TLS.
  preload: true,
};

app.use(helmet({
  contentSecurityPolicy: { directives: cspDirectives },
  hsts: hstsOptions,
}));
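import cors from 'cors';

// Allowlist is built once at module load instead of on every request, and a Set
// gives O(1) membership checks.
const ALLOWED_ORIGINS = new Set(['https://yourapp.com', 'https://www.yourapp.com']);

app.use(cors({
  // Invoked per request with the value of the Origin header (falsy when absent).
  origin: (origin, callback) => {
    // Requests without an Origin header (same-origin requests and most non-browser
    // clients) are allowed through. CORS is a browser-enforced control, so this does
    // not grant such clients anything they could not already do; authorization must
    // still be enforced on the server for every request.
    if (!origin || ALLOWED_ORIGINS.has(origin)) {
      callback(null, true);
    } else {
      // Rejected origins surface as an error to Express's error handler.
      callback(new Error('CORS: not allowed'));
    }
  },
  // Allows cookies / Authorization headers on cross-origin requests. Only acceptable
  // because the origin is reflected from an explicit allowlist, never '*'.
  credentials: true,
  methods: ['GET', 'POST', 'PUT', 'DELETE'],
}));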
npm audit # Check for vulnerabilities: reports known advisories for the installed dependency tree
npm audit fix # Auto-fix safe updates: without --force only updates within the declared semver ranges are applied; breaking upgrades are reported, not installed
# GitHub Dependabot (.github/dependabot.yml):
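version: 2
updates:
  # Watch the root package.json / lockfile for outdated or vulnerable npm dependencies.
  # The directory, schedule and PR limit must be nested under the update entry; at
  # top level they would be silently ignored.
  - package-ecosystem: "npm"
    directory: "/"
    schedule: { interval: "weekly" }
    # Cap on simultaneously open Dependabot PRs so a large backlog does not flood the repo.
    open-pull-requests-limit: 10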
Keep `.env` files (and any other files holding secrets) out of version control by listing them in `.gitignore`.