Node.js security series

In this series, Sam Roberts, a Node.js collaborator and a member of the Node.js Technical Steering Committee and the Security Working Group, talks about security in Node.js and covers what you need to know to build and deploy Node.js applications securely.

Dealing with dependencies
Learn about auditing dependencies:

  • During development
  • During CI/CD
  • After deployment

Learn about:

  • Common misconceptions
  • When to update
  • Tools for updating

Avoiding arbitrary code execution vulnerabilities when using Node.js child process APIs
Learn about:

  • Arbitrary code execution problems
  • Why not to use git-url
  • How to handle arbitrary code execution
  • Real-world examples

TLS and Node.js
Learn about:

  • Enabling TLS 1.3
  • Ensuring your session resumption code is TLS 1.3-capable
  • Being aware of a coding pattern that can prevent session ticket transmission

Learn about:

  • How his team is working to make it easier to report, fix, and publicize vulnerabilities
  • Cryptography and how it relates to OpenSSL
  • Why people should be using TLS 1.3

Learn about:

  • Assured forward secrecy
  • No RSA key agreement
  • Safer cipher options
  • Safer cipher modes