What are common Node.js security vulnerabilities and how do you prevent them?

Why Interviewers Ask This

Senior Node.js engineers are expected to reason about architecture, performance, and edge cases. This question separates mid-level from senior candidates by testing deep system-level understanding.

Answer

Common Node.js security vulnerabilities and their mitigations:

1. Injection attacks. SQL injection: always use parameterized queries (or an ORM/query builder that uses them) and never concatenate user input into SQL. NoSQL injection: validate the type and shape of input before it reaches a MongoDB query, since an object such as {"$gt": ""} supplied where a string is expected turns a lookup into a query operator. Command injection: never pass user input to exec(), which hands the whole string to a shell; use execFile() or spawn() with an argument array, and still validate the arguments.
2. XSS (Cross-Site Scripting): escape or sanitize output for the context it lands in (HTML body, attribute, URL), set a Content-Security-Policy header (helmet makes this easy), and never send raw user input with res.send(userInput).
3. CSRF: use CSRF tokens or the SameSite cookie attribute (Lax or Strict) on session cookies.
4. Insecure dependencies: run npm audit regularly and use Snyk or Dependabot to detect known vulnerabilities and keep dependencies updated.
5. Prototype pollution: validate object shapes, use Object.create(null) for dictionaries keyed by untrusted data, and never deep-merge untrusted input (a JSON body containing "__proto__" or "constructor" keys can write onto Object.prototype).
6. ReDoS (Regex DoS): avoid regexes with catastrophic backtracking (nested quantifiers such as (a+)+); use safe-regex to detect them and cap the length of the input you match against.
7. Timing attacks: compare tokens, HMACs, and password hashes with crypto.timingSafeEqual() rather than ===; note that it throws if the two buffers differ in length, so hash or pad both sides first.
8. Directory traversal: validate file paths, resolve the user-supplied path against the intended base directory with path.resolve(), and check that the result starts with the base directory plus a path separator (checking only the bare prefix would accept /srv/uploads-old when the base is /srv/uploads).
9. Secrets exposure: never log env vars or tokens; keep secrets out of the repository and use a secrets manager in production.

Common Mistake

Rushing to answer is a common mistake. Take two seconds to structure your response: definition → example → trade-off. This structure makes complex Node.js answers easy to follow.