Consultant by profession, open source contributor by passion, traveller and trekker by heart. @niranjan_jan007 | Niranjan-J007
Tricking an application into including unintended commands in the data sent to an interpreter
Encode all user input before passing it to the interpreter
Always perform ‘white list’ input validation on all user supplied input
The session ID is used to track state, since HTTP does not; to an attacker it is just as good as credentials
The session ID is typically exposed on the network, in the browser, and in logs
Be sure SSL protects both credentials and the session ID at all times
Verify that logoff actually destroys the session
Loading the attacked third-party web application from an unrelated attack site
Don’t include user-supplied input in the output page
Use Content Security Policy (CSP)
Do you use standard NPM?
| # | Parameter | Description |
|---|---|---|
| 1 | Scaling | How easy is it to scale apps built with this framework? |
| 2 | Testing | How to test the application |
| 3 | Configuration | How easy is it to configure the framework? |
| 4 | Best practices and patterns | Whether the framework provides clear patterns to use |
| 5 | Scaffolding | Using built-in code generators |
| 6 | Integration | Ecosystem of plugins/connectors |
| 7 | Monitoring | How to monitor the application |
| 8 | Convention | Is there a convention to follow? |
| 9 | Track record | Who supports it and how well it is maintained |
| # | Parameter | Description |
|---|---|---|
| 1 | Security | The pre-configured Lusca module provides simple but critical application security best practices |
| 2 | Code generators | Automatic code creation with generators that save development time and reduce human error |
| 3 | Internationalization | Makes your application support many languages from the ground up |
| 4 | Learning curve | Easy learning curve for developers familiar with Express.js |
| 5 | Integration | Possible to leverage the rich ecosystem of Express.js/Connect middleware modules with Kraken |
Security is provided out-of-the-box by the Lusca module.
Lusca is middleware for Express, and it follows OWASP best practices.
The generator will create a new directory for the application, set up an empty project and download all the necessary dependencies.
- bundalo for loading localized strings for use by application logic,
- engine-munger for controlling the lookup of templates and associated localized strings, and
- adaro as the template engine