This section is a selection of relevant tools for Node.js security; check out the awesome lists referenced elsewhere on this page for a more complete list of tools:
- git-secrets Prevents you from committing secrets and credentials into git repositories.
- ban-sensitive-files Checks filenames to be committed against a library of filename rules to prevent storing sensitive files in Git. Also checks some files for sensitive contents (for example, an authToken inside an .npmrc file).
- eslint-plugin-security ESLint rules for Node Security. This project will help identify potential security hotspots, but finds a lot of false positives which need triage by a human.
- tslint-plugin-security TSLint rules for Node Security. This project will help identify potential security hotspots, but finds a lot of false positives which need triage by a human. Note that TSLint itself is deprecated in favour of ESLint with typescript-eslint, so eslint-plugin-security is the better choice for new TypeScript projects.
- safe-regex Detects potentially catastrophic exponential-time regular expressions (ReDoS) by limiting the star height to 1.
- NodeJSScan A static security code scanner for Node.js applications. Includes a UI that points to where the issue is and how to fix it.
- escape-html Escapes a string for use in HTML.
- validator An npm library of string validators and sanitizers.
- xss-filters Just sufficient output filtering to prevent XSS!
- mongo-sanitizer Sanitizer to prevent MongoDB operator injection.
- node-release-lines Introspection API for Node.js release metadata. Provides information about release lines, their relative status along with details of each release.
- check-my-headers Fast and simple way to check any HTTP headers.
- Nsecure Node.js CLI that allows you to deeply analyze the dependency tree of a given npm package or a directory.
- Trust But Verify TBV compares an npm package with its source repository to ensure the resulting artifact is the same.
- lockfile-lint Lints lockfiles for improved security and trust policies (for example, requiring https and an allowed registry host for every resolved URL), to keep them clean of malicious package injection and other insecure configurations.
- pkgsign A CLI tool for signing and verifying npm and yarn packages.
- npq Safely install packages with npm or yarn by auditing them as part of your install process.
- snyk Snyk helps you find, fix and monitor known vulnerabilities in Node.js npm, Ruby and Java dependencies, both on an ad hoc basis and as part of your CI (Build) system.
- auditjs Audits an npm package.json file to identify known vulnerabilities using the OSSIndex.
- npm-audit Runs a security audit based on your package.json using npm.
- npm-audit-resolver Manage npm-audit results, including options to ignore specific issues in clear and auditable way.
- gammaray Runs a security audit based on your package.json using the Node.js Security Working Group vulnerability data.
- patch-package Allows app authors to create fixes for npm dependencies (in node_modules) without forking or waiting for merged PRs, by creating and applying patches.
- Helmet Helmet helps you secure your Express apps by setting various HTTP headers.
- csurf Node.js CSRF protection middleware. Note that csurf has since been deprecated by its maintainers; check its npm page before adopting it in a new project.
- express-limiter Rate limiting middleware for Express applications built on redis.
- limits Simple express/connect middleware to set limit to upload size, set request timeout etc.
- rate-limiter-flexible Fast, flexible and friendly rate limiter by key and protection from DDoS and brute force attacks in process Memory, Cluster, Redis, MongoDb, MySQL, PostgreSQL at any scale. Express and Koa examples included.
- tor-detect-middleware Tor detection middleware for Express.
- express-mongo-sanitize Express middleware to prevent MongoDB operator injection by stripping keys that begin with `$` or contain `.` from `req.body`, `req.query` and `req.params`.
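The MongoDB operator injection that mongo-sanitizer and express-mongo-sanitize defend against is easy to misjudge from a one-line description, so here is an added, self-contained example (not code from either library or from this list's maintainers) of the attack and of a sanitizer written in the same spirit. The request body, the user collection and the tiny in-memory matcher are all constructed for the demonstration; a real application would be querying MongoDB and storing password hashes rather than plaintext.

```javascript
// Constructed attacker request body. JSON bodies can carry objects, so a login
// handler that expects two strings may receive a query operator instead.
const attackerBody = { username: "admin", password: { $gt: "" } };

// Vulnerable: the body is dropped straight into the filter. The resulting
// filter { username: "admin", password: { $gt: "" } } matches the admin
// document for ANY stored password, because every non-empty string is > "".
function buildLoginFilterUnsafe(body) {
  return { username: body.username, password: body.password };
}

// Sanitizer modelled on the express-mongo-sanitize approach: recursively drop
// keys that start with "$" (operators) or contain "." (reach nested fields).
// Arrays are sanitized element by element; primitives pass through unchanged.
function sanitizeOperators(value) {
  if (Array.isArray(value)) return value.map(sanitizeOperators);
  if (value !== null && typeof value === "object") {
    const clean = {};
    for (const [key, inner] of Object.entries(value)) {
      if (key.startsWith("$") || key.includes(".")) continue; // injected key: drop it
      clean[key] = sanitizeOperators(inner);
    }
    return clean;
  }
  return value;
}

// Hardened: sanitize, then additionally insist the credentials are strings.
// A login filter never legitimately needs an object in either field, so the
// type check fails closed even if a new operator syntax slipped past the filter.
function buildLoginFilterSafe(body) {
  const b = sanitizeOperators(body);
  if (typeof b.username !== "string" || typeof b.password !== "string") {
    throw new TypeError("username and password must be strings");
  }
  return { username: b.username, password: b.password };
}

// Minimal stand-in for MongoDB filter evaluation: equality plus the $gt
// operator, which is all the payload above needs to demonstrate the bypass.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond !== null && typeof cond === "object") {
      return Object.entries(cond).every(([op, arg]) =>
        op === "$gt" ? doc[field] > arg : false // unsupported operator: no match
      );
    }
    return doc[field] === cond;
  });
}

// Constructed user collection (plaintext only so the comparison is visible).
const users = [{ username: "admin", password: "hunter2" }];

function countMatches(filter) {
  return users.filter((u) => matches(u, filter)).length;
}

// Unsafe filter: 1 match, i.e. login bypass without knowing the password.
console.log("unsafe matches:", countMatches(buildLoginFilterUnsafe(attackerBody)));
// Sanitized body: the $gt key is gone, leaving an empty object for password.
console.log("sanitized body:", JSON.stringify(sanitizeOperators(attackerBody)));
// Safe builder: rejects the request outright because password is not a string.
try {
  buildLoginFilterSafe(attackerBody);
} catch (e) {
  console.log("safe builder rejected:", e.message);
}
```

Stripping operator keys is necessary but not sufficient on its own: the type check in buildLoginFilterSafe is what guarantees the filter only ever compares strings, which is why the middleware is best paired with a schema validator such as validator or a JSON-schema check on the body.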
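The lockfile policies that lockfile-lint enforces (https only, an allow-list of registry hosts, an integrity hash on every entry) can be checked with a few dozen lines of plain Node.js. The following is an added example in that spirit, not lockfile-lint's own code; it reads the `packages` map of a lockfileVersion 2 or 3 package-lock.json and returns one finding per violated rule. The lockfile fragment, the package names and the `sha512-constructed...` integrity values are all constructed for the demonstration.

```javascript
// Registry hosts a package tarball may legitimately be fetched from.
const ALLOWED_HOSTS = ["registry.npmjs.org"];

// Constructed lockfile fragment (lockfileVersion 3 layout). One clean entry,
// one tarball served over plain http, one from a host outside the allow-list
// and one with no integrity hash. Integrity strings are placeholders.
const sampleLock = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/escape-html": {
      version: "1.0.3",
      resolved: "https://registry.npmjs.org/escape-html/-/escape-html-1.0.3.tgz",
      integrity: "sha512-constructedPlaceholderHashA",
    },
    "node_modules/demo-http-pkg": {
      version: "2.0.0",
      resolved: "http://registry.npmjs.org/demo-http-pkg/-/demo-http-pkg-2.0.0.tgz",
      integrity: "sha512-constructedPlaceholderHashB",
    },
    "node_modules/demo-mirror-pkg": {
      version: "0.1.0",
      resolved: "https://mirror.example.invalid/demo-mirror-pkg-0.1.0.tgz",
      integrity: "sha512-constructedPlaceholderHashC",
    },
    "node_modules/demo-nohash-pkg": {
      version: "1.2.3",
      resolved: "https://registry.npmjs.org/demo-nohash-pkg/-/demo-nohash-pkg-1.2.3.tgz",
    },
  },
};

// Walk every installed package and apply the three policies. Returns an array
// of { path, rule, detail } findings; an empty array means the lockfile passes.
// lockfileVersion 1 files (a nested "dependencies" tree) are not handled here.
function lintLockfile(lock, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue;      // root project entry, nothing to fetch
    if (entry.link) continue;       // workspace symlink, no tarball to verify
    if (!entry.resolved) {
      findings.push({ path, rule: "missing-resolved", detail: "" });
      continue;
    }
    let url;
    try {
      url = new URL(entry.resolved);
    } catch {
      findings.push({ path, rule: "unparseable-resolved", detail: entry.resolved });
      continue;
    }
    if (url.protocol !== "https:") {
      findings.push({ path, rule: "insecure-protocol", detail: url.protocol });
    }
    if (!allowedHosts.includes(url.hostname)) {
      findings.push({ path, rule: "untrusted-host", detail: url.hostname });
    }
    if (!entry.integrity) {
      findings.push({ path, rule: "missing-integrity", detail: "" });
    }
  }
  return findings;
}

// Convenience wrapper for a CI gate: true only when no rule is violated.
function lockfileIsClean(lock, allowedHosts) {
  return lintLockfile(lock, allowedHosts).length === 0;
}

for (const f of lintLockfile(sampleLock)) {
  console.log(`${f.rule}\t${f.path}\t${f.detail}`);
}
console.log("clean:", lockfileIsClean(sampleLock));
```

To run this against a real project, replace sampleLock with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and fail the build when lockfileIsClean returns false; if the project uses a private registry, add its hostname to ALLOWED_HOSTS rather than disabling the host check.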