Chapter 9. Authentication and security

This chapter covers

  • Authentication in depth
  • Third-party authentication with Bell
  • Cross-Site Request Forgery (CSRF)
  • Cross-Origin Resource Sharing (CORS)
  • Security headers

Web application security can be a daunting topic. Most literature on it is drowning in acronyms like XSS, CSRF, and TLS. It seems like every few months a new game-changing security exploit appears too, with names intended to scare the bejeebies out of you: Heartbleed, BEAST, CRIME, POODLE, and FREAK. Okay, so maybe not POODLE.

Where do we even begin to deal with all this? Well, first breathe . . . and relax. A lot of security starts with plain common sense. You should use strong, random passwords and encryption keys. You shouldn’t check secrets like security credentials into your source control system. You should run your app with the fewest privileges it needs. If you already know this stuff, you’re a long way there.

A big chunk of the security iceberg is out of your hands as an application developer. When you decide to use Node.js, you’re inheriting a lot of work already done for you by the Node core developers. You don’t need to worry about patching OpenSSL or checking for buffer overruns. What you do need to do is make sure you update Node promptly when security patches come out.

9.1. Authentication in depth

9.2. Implementing third-party authentication with Bell

9.3. Managing cross-origin requests with CORS

9.4. Protecting apps against CSRF with Crumb

9.5. Security headers

9.6. Summary