Top JavaScript security threats
Key resource: https://owasp.org/www-project-top-ten/
- Injection: untrusted input concatenated into a SQL/NoSQL query, a shell command or an HTML page (XSS is the HTML case); fix with parameterized queries and context-aware output escaping, never by blacklisting characters
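Added example (not from the page or from OWASP) of the XSS case: the same greeting template rendered once by string concatenation and once through an HTML escaper. The payload is constructed and stands in for a query parameter; `escapeHtml` is written here and covers only the HTML text/attribute context, not JavaScript, URL or CSS contexts.

```javascript
// Characters that change meaning inside an HTML text node or a
// double-quoted attribute value.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape untrusted text for insertion into HTML text/attribute context.
// Not sufficient for <script>, onclick=, href= or style= contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: attacker-controlled `name` becomes part of the markup, so an
// <img onerror=...> or <script> in it runs in every viewer's browser.
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Fixed: same template, but the untrusted value is escaped for the HTML
// text context it lands in.
function renderGreetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Constructed payload, the kind of thing that arrives in ?name=
const xssPayload = '<img src=x onerror="alert(document.cookie)">';

console.log('unsafe:', renderGreetingUnsafe(xssPayload));
console.log('safe:  ', renderGreetingSafe(xssPayload));
```

The safe version still shows the attacker's text on the page; it just shows it as text. Escaping belongs at the point of output, not at the point of input, because the same value may later be inserted into a different context.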
- Broken authentication:
- Use a proper, maintained session library; session IDs are opaque random tokens that live only in an HttpOnly, Secure cookie, never in the URL, in localStorage or in the page source
- HTTPS everywhere, so credentials and session cookies are never sent in the clear
- Hash passwords with a slow, salted algorithm (bcrypt, or scrypt from Node's crypto module); never store or log the plaintext credential
- Sensitive data exposure
- Passwords are hashed (bcrypt); other sensitive data (tokens, personal data, card numbers) is encrypted at rest with an authenticated cipher such as AES-GCM (Node's crypto module) and kept out of logs and error messages
- Tools like Jscrambler obfuscate client-side code and data to make them harder to read; this slows down reverse engineering but is not a secrecy control: anything shipped to the browser must be assumed readable, so API keys and secrets never go in client code
- HTTPS for data in transit
- XML external entities (XXE)
- XML parsers that process DTDs can be fed entity definitions that point at external resources (local files such as /etc/passwd, internal URLs) or that expand recursively ("billion laughs"); the result is file disclosure, SSRF, or a DoS attack that exhausts the parser's CPU and memory. Mitigation: disable DTD and external entity processing in the parser, or accept JSON instead of XML
- Security misconfiguration
- Debugging left on, verbose error pages with stack traces, or console.log of internal data in the client
- Development build or development settings running in production
- Default credentials
- Broken access control (its own OWASP category): every role and service account gets the minimum privilege it needs, checks are enforced server-side on every request, and secrets or server environment variables never go in the repo (use environment variables or a secrets manager)
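Added example, not from the page: a boot-time check that refuses to start a service with development settings in production, plus the error body a production API should return. `env` stands in for `process.env`; the variable names (`NODE_ENV`, `DEBUG`, `ADMIN_PASSWORD`, `SESSION_SECRET`) and the 32-character secret minimum are assumptions made for this example.

```javascript
// Values that mean "nobody ever set this".
const DEFAULT_CREDENTIALS = new Set(['admin', 'password', 'changeme', 'secret', '']);

function debugEnabled(value) {
  return Boolean(value) && value !== '0' && value.toLowerCase() !== 'false';
}

// Returns a list of problems; empty when the configuration is acceptable.
// Outside production anything is allowed, so local development is not blocked.
function checkProductionConfig(env) {
  const problems = [];
  if (env.NODE_ENV !== 'production') return problems;

  if (debugEnabled(env.DEBUG)) {
    problems.push('DEBUG is enabled: stack traces and verbose logs would reach clients');
  }
  if (DEFAULT_CREDENTIALS.has((env.ADMIN_PASSWORD || '').toLowerCase())) {
    problems.push('ADMIN_PASSWORD is unset or a default value');
  }
  if (!env.SESSION_SECRET || env.SESSION_SECRET.length < 32) {
    problems.push('SESSION_SECRET is missing or shorter than 32 characters');
  }
  return problems;
}

// Call before listening on a socket; a misconfigured service should never
// reach the point of accepting traffic.
function assertProductionConfig(env) {
  const problems = checkProductionConfig(env);
  if (problems.length > 0) {
    throw new Error('Refusing to start:\n- ' + problems.join('\n- '));
  }
}

// What an unhandled error turns into on the wire: details only outside
// production, so internal paths, versions and stack frames are not leaked.
function errorResponse(err, env) {
  return env.NODE_ENV === 'production'
    ? { error: 'Internal server error' }
    : { error: err.message, stack: err.stack };
}

// Constructed environments for illustration.
const devEnv = { NODE_ENV: 'development', DEBUG: '1', ADMIN_PASSWORD: 'admin' };
const badProdEnv = { NODE_ENV: 'production', DEBUG: 'true', ADMIN_PASSWORD: 'admin', SESSION_SECRET: 'short' };
console.log('dev problems:', checkProductionConfig(devEnv));
console.log('prod problems:', checkProductionConfig(badProdEnv));
```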
- Insecure de-serialization
- Key: ensure your deserialization library never passes serialized data to JS's eval() or new Function(); prefer plain JSON.parse plus schema validation, drop unexpected keys such as __proto__, and choose a maintained, actively developed package on npm
- Components/dependencies with known vulnerabilities
- GitHub Dependabot, Snyk, npm audit; commit a lockfile so the audited versions are the ones deployed
- Insufficient logging and monitoring, e.g. not noticing a spike of requests (DoS) or a burst of failed logins (brute force)
- Server performance
- Server activity logs
- Network logs
- User logs
- Google analytics
- Application analytics
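Added example, not from the page: the kind of check the logs above exist for, a sliding-window request count per source IP run over access-log lines. The one-line log format, the threshold of 20 requests per 10 seconds and the log lines themselves are all constructed for this example.

```javascript
// Assumed log line format: "<ISO timestamp> <client ip> <method> <path> <status>"
const LINE_RE = /^(\S+) (\S+) (\S+) (\S+) (\d{3})$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ts: Date.parse(m[1]), ip: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Flags every source IP that makes more than `limit` requests inside any
// `windowMs` span. Returns [{ ip, count, windowStart }], one entry per IP.
function findSpikes(lines, { windowMs = 10000, limit = 20 } = {}) {
  const byIp = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) continue; // unparseable lines are skipped, not fatal
    if (!byIp.has(r.ip)) byIp.set(r.ip, []);
    byIp.get(r.ip).push(r.ts);
  }
  const alerts = [];
  for (const [ip, times] of byIp) {
    times.sort((a, b) => a - b);
    let start = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowMs) start++; // slide the window
      const count = end - start + 1;
      if (count > limit) {
        alerts.push({ ip, count, windowStart: new Date(times[start]).toISOString() });
        break; // one alert per IP is enough
      }
    }
  }
  return alerts;
}

// Constructed log: five normal page views from one client, then thirty
// failed logins from another client within three seconds.
function constructedLog() {
  const lines = [];
  for (let i = 0; i < 5; i++) {
    lines.push(`2024-05-01T10:00:${String(i * 10).padStart(2, '0')}Z 198.51.100.5 GET /home 200`);
  }
  for (let i = 0; i < 30; i++) {
    const ms = i * 100;
    const sec = String(Math.floor(ms / 1000)).padStart(2, '0');
    const millis = String(ms % 1000).padStart(3, '0');
    lines.push(`2024-05-01T10:01:${sec}.${millis}Z 203.0.113.7 POST /login 401`);
  }
  return lines;
}

console.log(findSpikes(constructedLog()));
```

In practice the same loop runs over a tail of the live log or a metrics stream, and the alert feeds whatever pages the on-call engineer; the point is that without the log there is nothing to count.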