Cybersecurity Handbook

Tooling

This section is a selection of relevant tools for cybersecurity. For a more complete list of tools, check out the following awesome lists:

Version Control

Leak prevention

  • git-secrets Prevents you from committing secrets and credentials into git repositories.
  • ban-sensitive-files Checks filenames to be committed against a library of filename rules to prevent storing sensitive files in Git. Also checks some files for sensitive contents (for example, an authToken inside a .npmrc file).

Nodejs

Static Code Analysis

  • eslint-plugin-security ESLint rules for Node Security. This project will help identify potential security hotspots, but finds a lot of false positives that need triage by a human.
  • tslint-plugin-security TSLint rules for Node Security. This project will help identify potential security hotspots, but finds a lot of false positives that need triage by a human.
  • safe-regex Detects potentially catastrophic exponential-time regular expressions by limiting the star height to 1.
  • vuln-regex-detector This module lets you check a regex for vulnerability. In JavaScript, regular expressions (regexes) can be "vulnerable": susceptible to catastrophic backtracking. If your application is used on the client side, this is a performance issue. On the server side, it can expose you to Regular Expression Denial of Service (ReDoS).
  • NodeJSScan A static security code scanner for Node.js applications. Includes a neat UI that points to where the issue is and how to fix it.

Input Validation & Output Encoding

  • node-esapi node-esapi is a minimal port of the ESAPI4JS (Enterprise Security API for JavaScript) encoder.
  • escape-html Escape string for use in HTML.
  • js-string-escape Escape any string to be a valid JavaScript string literal between double quotes or single quotes.
  • validator An npm library of string validators and sanitizers.
  • xss-filters Just sufficient output filtering to prevent XSS!
  • mongo-sanitizer Sanitizer to prevent MongoDB operator injection.

Vulnerabilities and Security Advisories

  • node-release-lines Introspection API for Node.js release metadata. Provides information about release lines, their relative status along with details of each release.
  • check-my-headers Fast and simple way to check any HTTP Headers.
  • is-website-vulnerable finds publicly known security vulnerabilities in a website's frontend JavaScript libraries.

NPM

Static Code Analysis

  • Nsecure Node.js CLI that allows you to deeply analyze the dependency tree of a given npm package or a directory.
  • Trust But Verify TBV compares an npm package with its source repository to ensure the resulting artifact is the same.
  • lockfile-lint Lints lockfiles for improved security and trust policies, to keep them clean of malicious package injection and other insecure configurations.
  • pkgsign A CLI tool for signing and verifying npm and yarn packages.

Vulnerabilities and Security Advisories

  • npq Safely install packages with npm or yarn by auditing them as part of your install process.
  • snyk Snyk helps you find, fix and monitor known vulnerabilities in Node.js npm, Ruby and Java dependencies, both on an ad hoc basis and as part of your CI (Build) system.
  • auditjs Audits an NPM package.json file to identify known vulnerabilities using the OSSIndex.
  • npm-audit Runs a security audit based on your package.json using npm.
  • npm-audit-resolver Manage npm-audit results, including options to ignore specific issues in a clear and auditable way.
  • gammaray Runs a security audit based on your package.json using the Node.js Security Working Group vulnerability data.
  • patch-package Allows app authors to create fixes for npm dependencies (in node_modules) without forking or waiting for merged PRs, by creating and applying patches.

Express

Security middleware

  • Helmet Helmet helps you secure your Express apps by setting various HTTP headers.
  • csurf Node.js CSRF protection middleware.
  • express-limiter Rate limiting middleware for Express applications, built on Redis.
  • limits Simple express/connect middleware to limit upload size, set request timeouts, etc.
  • rate-limiter-flexible Fast, flexible and friendly rate limiter by key, with protection from DDoS and brute-force attacks, backed by process memory, Cluster, Redis, MongoDB, MySQL or PostgreSQL at any scale. Express and Koa examples included.
  • tor-detect-middleware Tor detection middleware for Express.
  • express-mongo-sanitize Middleware to prevent MongoDB injection.