Symbiosis.host
Get Started
Intermediate
35 mins

Security Best Practices

Learn how to implement comprehensive security measures to protect your applications from common vulnerabilities and threats.

Prerequisites

  • Understanding of web security concepts
  • Familiarity with authentication flows
  • Basic cryptography knowledge
  • Experience with Node.js security

Security Overview

Security Implementation Workflow

Visual representation of implementing security measures in a web application.

1

Authentication Implementation

Set up secure user authentication:

// Authentication configuration
const authConfig = {
  // Password hashing
  password: {
    saltRounds: 12,
    minLength: 12,
    requireUppercase: true,
    requireNumbers: true,
    requireSpecial: true
  },

  // Session configuration
  session: {
    secret: process.env.SESSION_SECRET,
    maxAge: 3600000, // 1 hour
    secure: true,
    httpOnly: true,
    sameSite: 'strict'
  },

  // Rate limiting
  rateLimit: {
    window: 15 * 60 * 1000, // 15 minutes
    max: 100, // max 100 requests per window
    message: 'Too many requests, please try again later'
  }
};

// Password validation
const validatePassword = (password) => {
  const requirements = {
    length: password.length >= authConfig.password.minLength,
    uppercase: /[A-Z]/.test(password),
    numbers: /[0-9]/.test(password),
    special: /[!@#$%^&*]/.test(password)
  };

  return Object.values(requirements).every(Boolean);
};

// User authentication
const authenticateUser = async (email, password) => {
  const user = await db.users.findOne({ email });
  
  if (!user) {
    throw new Error('Invalid credentials');
  }
  
  const valid = await bcrypt.compare(password, user.passwordHash);
  
  if (!valid) {
    throw new Error('Invalid credentials');
  }
  
  return user;
};
2

Authorization & Access Control

Implement role-based access control (RBAC):

// RBAC configuration
const rbacConfig = {
  roles: {
    admin: {
      permissions: ['read', 'write', 'delete', 'manage_users']
    },
    editor: {
      permissions: ['read', 'write']
    },
    viewer: {
      permissions: ['read']
    }
  }
};

// Permission middleware
const checkPermission = (permission) => {
  return async (req, res, next) => {
    const user = req.user;
    
    if (!user) {
      return res.status(401).json({ error: 'Unauthorized' });
    }
    
    const role = rbacConfig.roles[user.role];
    
    if (!role || !role.permissions.includes(permission)) {
      return res.status(403).json({ error: 'Forbidden' });
    }
    
    next();
  };
};

// Apply to routes
app.get('/admin', checkPermission('manage_users'), (req, res) => {
  // Admin route handler
});

app.post('/content', checkPermission('write'), (req, res) => {
  // Content creation handler
});
3

Data Protection

Implement data encryption and protection:

// Encryption configuration
const encryptionConfig = {
  algorithm: 'aes-256-gcm',
  keyLength: 32, // 256 bits
  ivLength: 16, // 128 bits
  tagLength: 16 // 128 bits
};

// Encryption service
const encryption = {
  async encrypt(data) {
    const iv = crypto.randomBytes(encryptionConfig.ivLength);
    const key = Buffer.from(process.env.ENCRYPTION_KEY, 'hex');
    
    const cipher = crypto.createCipheriv(
      encryptionConfig.algorithm,
      key,
      iv
    );
    
    let encrypted = cipher.update(data, 'utf8', 'hex');
    encrypted += cipher.final('hex');
    
    const tag = cipher.getAuthTag();
    
    return {
      encrypted,
      iv: iv.toString('hex'),
      tag: tag.toString('hex')
    };
  },
  
  async decrypt(data) {
    const key = Buffer.from(process.env.ENCRYPTION_KEY, 'hex');
    const iv = Buffer.from(data.iv, 'hex');
    const tag = Buffer.from(data.tag, 'hex');
    
    const decipher = crypto.createDecipheriv(
      encryptionConfig.algorithm,
      key,
      iv
    );
    
    decipher.setAuthTag(tag);
    
    let decrypted = decipher.update(data.encrypted, 'hex', 'utf8');
    decrypted += decipher.final('utf8');
    
    return decrypted;
  }
};

// Data sanitization
const sanitizeInput = (input) => {
  return DOMPurify.sanitize(input, {
    ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'a'],
    ALLOWED_ATTR: ['href']
  });
};
4

Security Headers & Protection

Configure security headers and protection mechanisms:

// Security headers middleware
app.use((req, res, next) => {
  // Content Security Policy
  res.setHeader(
    'Content-Security-Policy',
    "default-src 'self'; " +
    "script-src 'self' 'unsafe-inline' 'unsafe-eval'; " +
    "style-src 'self' 'unsafe-inline'; " +
    "img-src 'self' data: https:; " +
    "font-src 'self'; " +
    "connect-src 'self' https://api.example.com;"
  );
  
  // HSTS
  res.setHeader(
    'Strict-Transport-Security',
    'max-age=31536000; includeSubDomains; preload'
  );
  
  // Prevent clickjacking
  res.setHeader('X-Frame-Options', 'DENY');
  
  // XSS protection
  res.setHeader('X-XSS-Protection', '1; mode=block');
  
  // Prevent MIME type sniffing
  res.setHeader('X-Content-Type-Options', 'nosniff');
  
  // Referrer policy
  res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
  
  // Feature policy
  res.setHeader(
    'Permissions-Policy',
    'camera=(), microphone=(), geolocation=()'
  );
  
  next();
});

// CORS configuration
const corsOptions = {
  origin: process.env.ALLOWED_ORIGINS.split(','),
  methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
  allowedHeaders: ['Content-Type', 'Authorization'],
  credentials: true,
  maxAge: 86400 // 24 hours
};

app.use(cors(corsOptions));

Best Practices

Authentication

Best practices for secure authentication:

  • Use strong password policies
  • Implement MFA
  • Secure session management
  • Rate limiting

Authorization

Access control best practices:

  • Role-based access control
  • Principle of least privilege
  • Regular permission audits
  • Access logging

Data Protection

Protect sensitive data:

  • Encryption at rest
  • Secure transmission
  • Input validation
  • Output encoding

Security Checklist

Authentication

  • Implement strong password requirements
  • Enable multi-factor authentication
  • Use secure session management
  • Implement account lockout policies
  • Regular security audits

Data Protection

  • Encrypt sensitive data
  • Implement secure backup procedures
  • Use secure communication protocols
  • Regular security assessments
  • Data access logging

Application Security

  • Input validation and sanitization
  • Protection against XSS attacks
  • CSRF prevention
  • Secure file uploads
  • API security measures

Common Security Issues

Authentication Issues

Common authentication problems:

  • Weak password policies
  • Insecure session management
  • Missing MFA implementation
  • Token exposure

Data Security Issues

Data protection challenges:

  • Unencrypted sensitive data
  • Insecure data transmission
  • Insufficient access controls
  • Data leakage

Next Steps

Now that you understand security best practices, explore these related topics:

← Access Control Next: Monitoring →