Protect the Client Application and Data

Secure Your Node.js Web Application — by Karl Düüna (65 / 78)


Let’s start with the client application. We’re going to skip how to educate and protect the user because that’s a whole different task and a topic for another book. We’ll start from the source of the data and work our way through to when it reaches the server.

XSS and caching attacks are among the most popular attacks at this point. We look at XSS in great detail in its own chapter, Chapter 11, Fight Cross-Site Scripts, so we won't dig into this attack vector here. Since XSS is a popular attack method, you need to go through the XSS chapter to protect your users.

Browsers rely on caches and autocomplete tools to speed up web browsing and help users accomplish more things while doing less work. Although useful, they also create opportunities for attackers.

Autocomplete in browsers lets users quickly fill out different forms with the same pieces of information. Think about how saving the shipping address information from one form saves time and effort the next time you buy something. To be able to autocomplete forms, the browser first needs to store the data somewhere. The thing is, attackers can trick the browser into displaying that information at the wrong time.

Imagine a situation where the computer has multiple users. One user enters some sensitive information in a form and submits it. Another user comes along, opens the same page, and sees the sensitive information when autocomplete fills out the form. This is a simple example, but you can see why saving sensitive information this way would be bad.

When dealing with forms collecting sensitive information, you should either turn off autocomplete entirely, as shown in this example, or be more selective:

To be more selective you can turn off autocomplete only on fields that are sensitive in nature. Browsers have tools that let you differentiate form fields:
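The two options above (disabling autocomplete for the whole form, or only for the sensitive fields) rendered from a Node.js server, as an added example that is not code from the book. The field descriptors, the `sensitive` flag and the `renderForm`/`renderField` helpers are assumptions made for this illustration; the `autocomplete` attribute values themselves (`off`, and autofill tokens such as `email` and `shipping street-address`) are standard HTML.

```javascript
// Added example, not from the book: render a checkout form so that the
// browser is told not to remember sensitive fields, while harmless fields
// keep the autofill hints that make the form convenient to use.

// Minimal HTML escaping so field metadata cannot break out of attributes.
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));

// Constructed field list for the example. `sensitive: true` marks data the
// browser must not store for later autocompletion; `hint` is the standard
// HTML autofill token to emit for a non-sensitive field.
const checkoutFields = [
  { name: 'email', type: 'email', label: 'Email', hint: 'email' },
  { name: 'street', type: 'text', label: 'Street', hint: 'shipping street-address' },
  { name: 'cc-number', type: 'text', label: 'Card number', sensitive: true },
  { name: 'cc-csc', type: 'password', label: 'Security code', sensitive: true },
];

// Decide the autocomplete attribute for one field: sensitive fields are
// always "off"; other fields get their hint token, or no attribute at all.
function autocompleteAttr(field) {
  if (field.sensitive) return 'off';
  return field.hint || null;
}

// Render a single <label>/<input> pair.
function renderField(field) {
  const ac = autocompleteAttr(field);
  const acAttr = ac ? ` autocomplete="${escapeHtml(ac)}"` : '';
  const id = escapeHtml(field.name);
  return `<label for="${id}">${escapeHtml(field.label)}</label>\n` +
    `<input id="${id}" name="${id}" type="${escapeHtml(field.type)}"${acAttr}>`;
}

// Render the whole form. With disableAll=true the form element itself gets
// autocomplete="off" (the "turn it off entirely" option); otherwise only the
// sensitive fields are switched off (the "be more selective" option).
function renderForm(fields, { action = '/checkout', disableAll = false } = {}) {
  const formAttr = disableAll ? ' autocomplete="off"' : '';
  const body = fields.map(renderField).join('\n');
  return `<form method="post" action="${escapeHtml(action)}"${formAttr}>\n${body}\n</form>`;
}

// Example usage: a plain Express handler would send this string as the response body.
console.log(renderForm(checkoutFields));
console.log(renderForm(checkoutFields, { disableAll: true }));
```

Marking sensitivity once, in the field metadata, keeps the decision out of individual templates, so a new form cannot accidentally expose a card number to autocompletion. One caveat for the selective approach: current browsers' built-in password managers may ignore `autocomplete="off"` on credential fields and offer to save them anyway, so for login and password-change forms treat the attribute as a hint rather than a guarantee.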
