What are common Node.js security vulnerabilities and how do you prevent them?

Answer

Common Node.js security vulnerabilities and mitigations: (1) Injection attacks: SQL injection — always use parameterized queries or ORMs, never concatenate user input into SQL; NoSQL injection — validate input types before MongoDB queries; Command injection — never pass user input to exec(); (2) XSS (Cross-Site Scripting): escape/sanitize output, use CSP headers (helmet), avoid res.send(userInput); (3) CSRF: use CSRF tokens or SameSite cookie attribute; (4) Insecure dependencies: run npm audit regularly, use Snyk or Dependabot to detect vulnerabilities; (5) Prototype pollution: validate object shapes, use Object.create(null) for dictionaries, avoid merge with untrusted input; (6) ReDoS (Regex DoS): avoid catastrophic backtracking regexes — use safe-regex to detect; (7) Timing attacks: use crypto.timingSafeEqual() for sensitive comparisons; (8) Directory traversal: validate file paths, use path.resolve() and check the result starts within the intended directory; (9) Secrets exposure: never log env vars or tokens; use secrets managers in production.