Ready to deploy express js application, what security issues should I be worried about?

I have never deployed an express application before and quite frankly, I am not familiar with some of the security precautions that a developer must take before deploying a web application.

1) My website is simple, it doesn't require users to log in
2) I only store user IP once they have submitted the form
3) I use mongolab

I don't think I have any security system implemented since I mostly followed the "basic" tutorial online. I'd really appreciate some tips and "MUST-DOs / MUST-NOT-DOs" from some of the experts out there.

Thank you

Just to get the ball rolling:

  • You need to perform input/form validation on the server side to prevent SQL injection (where malicious SQL code executes on the data store). In your case you don't use an RDBMS, but still consider what you are assuming when passing user-entered values into the mongolab world.
  • Additionally, perform output sanitization when outputting user-entered data back to HTML to prevent XSS (Cross-Site Scripting: when someone successfully gets you to output valid JavaScript onto an HTML page which may or may not be viewed by him).

https://github.com/ctavan/express-validator seems to be a good middleware to help you with form validation on the server-side.

Other general security considerations:

  • If you are passing sensitive info over the wire, consider doing it over HTTPS. Passwords being sent in plain text over HTTP are susceptible to man-in-the-middle attacks.
  • Only open ports that you need and if possible filter the source traffic for your servers.
  • DoS (Denial of Service) attacks are when too many simultaneous requests overwhelm your server and often lead the server to crash or become unresponsive to valid requests from other users. There is no clear-cut solution for this problem. If the source of the attack, judging from the logs, seems to be a handful of IPs, you can block those IPs. Otherwise, if a botnet-orchestrated attack goes against you, you are talking about heuristic algorithms to potentially prevent such an attack. However, this is really not of any concern unless you are a big target or ticked off the wrong person :).

There is much more to consider, but different considerations may depend on your particular architecture and needs. Don't want to overwhelm you, but start with server-side validation, especially in a weakly typed language like JavaScript. Also, stay away from eval().

Keep access + error logs and learn as you go and go as you learn.

If you want to further dive into the current state of webapp security, start with the OWASP Top 10.
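The first two bullets of the answer (server-side validation before user input reaches MongoDB, and escaping on output) as an added example. This is not code from the question or the answer and it does not use express-validator; the form fields (name, email, message) and their limits are assumed for illustration, and the sample request bodies are constructed. An Express middleware is just a `(req, res, next)` function, so the block runs in plain Node.js with no packages installed.

```javascript
// Added example, not code from the question or answer: server-side
// validation of a contact-form body before it is used in a MongoDB
// query, plus HTML escaping for anything echoed back to the page.
// Plain Node.js: an Express middleware is just a (req, res, next)
// function, so nothing here needs Express installed.

// Why the type check matters with Mongo: Express's urlencoded body
// parser (extended: true) turns the form field  email[$ne]=x  into
// { email: { $ne: 'x' } }. Passed straight into find({ email: ... })
// that object is a query operator and matches every document, not one.

// Hypothetical form schema: field names and limits are assumptions
// for this example, not taken from the original post.
const FORM_SCHEMA = {
  name:    { maxLen: 100 },
  email:   { maxLen: 254, pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
  message: { maxLen: 2000 },
};

// Returns { ok: true, value } with a new object holding only the
// schema's fields as trimmed strings, or { ok: false, errors }.
function validateForm(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body: must be an object'] };
  }
  const errors = [];
  const value = {};
  for (const [field, rule] of Object.entries(FORM_SCHEMA)) {
    const raw = body[field];
    // Only primitive strings pass. Objects and arrays are exactly how
    // operator injection ({ $ne: '' }, { $gt: '' }, { $regex: ... }) arrives.
    if (typeof raw !== 'string') { errors.push(`${field}: must be a string`); continue; }
    const s = raw.trim();
    if (s.length === 0) { errors.push(`${field}: required`); continue; }
    if (s.length > rule.maxLen) { errors.push(`${field}: longer than ${rule.maxLen}`); continue; }
    if (rule.pattern && !rule.pattern.test(s)) { errors.push(`${field}: invalid format`); continue; }
    value[field] = s;
  }
  // Keys outside the schema are dropped, so unexpected fields never
  // reach the stored document.
  return errors.length ? { ok: false, errors } : { ok: true, value };
}

// Escape the five HTML-significant characters before interpolating user
// data into markup. This covers element content and quoted attributes;
// URLs, inline JS and CSS need their own context-specific encoding.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderThanks(cleaned) {
  return `<p>Thanks, ${escapeHtml(cleaned.name)}! We will reply to ${escapeHtml(cleaned.email)}.</p>`;
}

// Express-style middleware: 400 on bad input, otherwise replace req.body
// with the cleaned copy so the route handler only ever sees known strings.
function validateFormMiddleware(req, res, next) {
  const result = validateForm(req.body);
  if (!result.ok) { res.status(400).json({ errors: result.errors }); return; }
  req.body = result.value;
  next();
}

// Drives the middleware with a minimal fake req/res so it can be run
// without a server. Returns the status, payload and cleaned body.
function runMiddleware(body) {
  const req = { body };
  const out = { status: 200, payload: undefined, nextCalled: false };
  const res = {
    status(code) { out.status = code; return this; },
    json(obj) { out.payload = obj; },
  };
  validateFormMiddleware(req, res, () => { out.nextCalled = true; });
  return { ...out, body: req.body };
}

// Constructed sample bodies, shaped as body-parser would deliver them.
const SAMPLE_LEGIT = { name: 'Ada', email: 'ada@example.com', message: 'Hello' };
const SAMPLE_INJECTION = { name: 'x', email: { $ne: '' }, message: 'y' };   // from email[$ne]=
const SAMPLE_XSS = { name: '<script>alert(1)</script>', email: 'a@b.co',
                     message: 'hi', isAdmin: true };                       // extra key is dropped

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runMiddleware(SAMPLE_INJECTION));                 // status 400, next not called
  console.log(renderThanks(validateForm(SAMPLE_XSS).value));   // script tag rendered inert
}
```

In a real app the middleware sits in front of the route (`app.post('/contact', validateFormMiddleware, handler)`) and the handler inserts `req.body` as-is, because every value in it is now a bounded string; the same `escapeHtml` is what a template engine's default escaping does for you, so prefer the template's escaping over hand-built strings where you can.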
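The DoS bullet ("if the source ... seems to be a handful of IPs you can block those IPs") as an added example, not code from the answer: a fixed-window per-client rate limiter written as Express-style middleware in plain Node.js with no packages. The window size, limit, IP addresses and the fake clock are constructed for the example. It makes a single noisy client cheap to refuse; it does nothing for a distributed flood that saturates the link before requests reach Node.

```javascript
// Added example, not code from the answer: a fixed-window per-client
// rate limiter as Express-style middleware, plain Node.js, no packages.
// Excess requests from one client get a 429 with Retry-After instead of
// doing the work. The clock is injectable so the behaviour can be checked
// without waiting for real windows to expire.
function createRateLimiter({ windowMs, max, now = Date.now }) {
  const buckets = new Map(); // clientKey -> { count, windowStart }

  // Records one request for `key` and says whether it is within budget.
  function check(key) {
    const t = now();
    let b = buckets.get(key);
    if (!b || t - b.windowStart >= windowMs) {
      b = { count: 0, windowStart: t };   // start a fresh window
      buckets.set(key, b);
    }
    b.count += 1;
    const allowed = b.count <= max;
    const retryAfterSec = allowed ? 0 : Math.ceil((b.windowStart + windowMs - t) / 1000);
    return { allowed, remaining: Math.max(0, max - b.count), retryAfterSec };
  }

  // Drop expired windows so the map does not grow with every IP ever seen.
  // Returns the number of live buckets left.
  function prune() {
    const t = now();
    for (const [key, b] of buckets) {
      if (t - b.windowStart >= windowMs) buckets.delete(key);
    }
    return buckets.size;
  }

  function middleware(req, res, next) {
    // req.ip is the TCP peer address unless Express's 'trust proxy'
    // setting is configured; behind a load balancer or CDN that means
    // every visitor shares the proxy's IP and therefore one bucket.
    // Do not read X-Forwarded-For yourself unless your own proxy sets it,
    // since any client can send that header.
    const r = check(req.ip);
    res.setHeader('X-RateLimit-Remaining', String(r.remaining));
    if (!r.allowed) {
      res.setHeader('Retry-After', String(r.retryAfterSec));
      res.status(429).send('Too Many Requests');
      return;
    }
    next();
  }

  return { check, prune, middleware };
}

// Simulates `n` requests from one IP through the middleware with a fake
// req/res and returns how many were passed on versus rejected.
function simulateBurst(limiter, ip, n) {
  let passed = 0, rejected = 0, lastRetryAfter = null;
  for (let i = 0; i < n; i++) {
    const headers = {};
    const res = {
      setHeader(k, v) { headers[k] = v; },
      status(code) { this.statusCode = code; return this; },
      send() { rejected += 1; lastRetryAfter = Number(headers['Retry-After']); },
    };
    limiter.middleware({ ip }, res, () => { passed += 1; });
  }
  return { passed, rejected, lastRetryAfter };
}

// Constructed scenario: 5 requests per minute per IP, driven by a fake clock.
let fakeNow = 1000000;
const demoLimiter = createRateLimiter({ windowMs: 60000, max: 5, now: () => fakeNow });

if (typeof require !== 'undefined' && require.main === module) {
  console.log(simulateBurst(demoLimiter, '203.0.113.7', 8)); // 5 passed, 3 rejected, Retry-After 60
}
```

Mount it only on the expensive route (`app.post('/contact', limiter.middleware, ...)`) rather than globally, and call `prune()` from a `setInterval` so the map stays bounded. A fixed window lets a client send `max` requests at the end of one window and `max` more at the start of the next; a sliding window or token bucket smooths that, but the per-key bookkeeping and the `trust proxy` caveat are the same.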