What are common Node.js security vulnerabilities and how do you prevent them?
Answer
Common Node.js security vulnerabilities and mitigations: (1) Injection attacks: SQL injection — always use parameterized queries or ORMs, never concatenate user input into SQL; NoSQL injection — validate input types before MongoDB queries; Command injection — never pass user input to exec(); (2) XSS (Cross-Site Scripting): escape/sanitize output, use CSP headers (helmet), avoid res.send(userInput); (3) CSRF: use CSRF tokens or SameSite cookie attribute; (4) Insecure dependencies: run npm audit regularly, use Snyk or Dependabot to detect vulnerabilities; (5) Prototype pollution: validate object shapes, use Object.create(null) for dictionaries, avoid merge with untrusted input; (6) ReDoS (Regex DoS): avoid catastrophic backtracking regexes — use safe-regex to detect; (7) Timing attacks: use crypto.timingSafeEqual() for sensitive comparisons; (8) Directory traversal: validate file paths, use path.resolve() and check the result starts within the intended directory; (9) Secrets exposure: never log env vars or tokens; use secrets managers in production.
Previous
What is connection pooling for HTTP requests in Node.js?
Next
What is the difference between horizontal and vertical scaling in Node.js?
More Node.js Questions
View all →- Advanced How does Node.js handle concurrency without multiple threads?
- Advanced What is the Node.js memory model and how does garbage collection work?
- Advanced What are memory leaks in Node.js and how do you detect them?
- Advanced What is the difference between process.exit() and throwing an uncaught exception?
- Advanced What is the N+1 query problem and how do you solve it in Node.js?