🦄 Node.js Security

~ 5 min read

JS Security Concepts for JavaScript Developers

share this story on
Enhance your development workflow with JavaScript security best practices. Learn about Content Security Policy (CSP) in Nuxt.js, avoiding `eval` and `new Function` with untrusted input, secure DOM manipulation, cookie security, and third-party integration.

Building up on JS security concepts is something application developers would benefit a lot of in terms of awareness and readiness to handle potential vulnerabilities. How do you get started implementing some JavaScript security best practices? Here, I’ll share some JS security concepts to enhance your development workflow.

CSP (Content Security Policy) for Nuxt.js

Specifically referring to Server-Side Rendering with Vue.js, JavaScript developers can leverage the power of Content Security Policy (CSP) to mitigate XSS attacks.

Content Security Policy (CSP) is a powerful security feature that mitigates XSS attacks by restricting the sources from which browsers can load scripts, styles, images, and other resources. Nuxt.js, a popular framework for server-side rendered Vue.js applications, provides built-in support for defining a CSP.

The security risk is that of XSS attacks in which malicious scripts injected from untrusted sources can steal data, redirect users, or deface your application.

Implementing CSP in Nuxt.js

Using the nuxt-security npm package, you can easily implement CSP in your Nuxt.js application:

npm install nuxt-security

Then, add the module to your nuxt.config.js file:

export default {
	modules: ['nuxt-security'],
	security: {
		headers: {
			contentSecurityPolicy: {
				'img-src': ["'self'", 'data:', 'https://www.example.com'],
			},
		},
	},
};

By specifying trusted sources, you instruct the browser to only load resources from those sources, preventing malicious script execution from untrusted origins.

With CSP in place, you can significantly reduce the risk of XSS attacks in your Nuxt.js application.

Avoiding eval and new Function with Untrusted Input:

The eval function and the new Function constructor allow you to execute code dynamically based on a string. However, using them with untrusted user input poses a significant security risk.

The apparent security risk relates to code injection - Untrusted input can contain malicious code that, when evaluated, can execute arbitrary actions on your application or server.

Some developers might rush to implement JS security controls like sanitization and input validation. However, the best practice is to avoid using eval and new Function altogether, especially with untrusted input.

Regardless to code injection, you want to sanitize user input before using it, and confirm that it matches the expected format. Consider safer alternatives for dynamic code execution whenever possible. For example, use template literals for string manipulation or pre-compiled libraries for dynamic functionality.

👋 Just a quick break

I'm Liran Tal and I'm the author of the newest series of expert Node.js Secure Coding books. Check it out and level up your JavaScript

Node.js Secure Coding: Defending Against Command Injection Vulnerabilities
Node.js Secure Coding: Prevention and Exploitation of Path Traversal Vulnerabilities

Secure DOM Manipulation

While interacting with the DOM (Document Object Model) is essential for building user interfaces, directly using innerHTML or innerText properties can introduce XSS vulnerabilities.

XSS attacks produce a security risk in which untrusted user input set directly into the DOM can be interpreted as HTML code, allowing attackers to inject malicious scripts.

With Vue.js or Nuxt.js, the following code snippet demonstrates how JS security is breached by using the v-html directive to render user input directly into the DOM:

<template>
  <div v-html="sanitizedContent"></div>
</template>

<script>
export default {
  data() {
    return {
      userInput: '',
      sanitizedContent: '',
    };
  },
  methods: {
    updateContent() {
      // Sanitize user input before rendering
      this.sanitizedContent = this.sanitize(this.userInput);
    },
  },
};
</script>

To mitigate cross-site scripting vulnerabilities, some of the security controls you should implement are:

  • Use framework APIs to manage your components lifecycle and template’s content.
  • Do not use React’s dangerouslySetInnerHTML or Vue’s v-html directive with untrusted input. If you do, at least ensure you securely sanitize the input before rendering it in the DOM, with a library like DOMPurify. Then make sure it is up to date, because security vulnerabilities are discovered and patched regularly for DOMPurify.

Modern JavaScript frameworks provide secure APIs for DOM manipulation, use them to prevent XSS attacks and to properly adopt JS security best practices such as output encoding.

Cookies are a common way to store user data on the client-side. However, improper cookie management can lead to security vulnerabilities.

The security risks often revolve around the user’s session and insecurely managing cookies could lead to:

  • CSRF (Cross-Site Request Forgery) attacks: An attacker can steal a user’s session cookie and use it to perform unauthorized actions on your application.
  • Session fixation attacks: An attacker can set a session cookie for a user, allowing them to impersonate the user and access their account.
  • Session hijacking: An attacker can steal a user’s session cookie and use it to access the user’s account.

Practice the following security controls to secure your cookies:

  • Secure Flag: Set the Secure flag to ensure cookies are only transmitted over HTTPS connections.
  • HttpOnly Flag: Set the HttpOnly flag to prevent client-side scripts from accessing the cookie, mitigating XSS attacks that attempt to steal cookie data.
  • SameSite Attribute: Set the SameSite attribute to Strict or Lax to restrict how cookies are sent in cross-site requests, reducing the risk of CSRF attacks.

In Nuxt.js, you can manage cookie configuration using the useCookie composable:

<script setup lang="ts">

    const token = useCookie('token', {
        secure: true,
        httpOnly: true,
        sameSite: 'strict',
    });

</script>

Third-Party Integration

Our last JS security concept involves the risks of using third-party libraries from CDNs directly.

While Content Delivery Networks (CDNs) offer performance benefits for loading third-party libraries, using them directly introduces potential security risks.

Man-in-the-Middle (MitM) Attacks, and a compromised supply chain security in the CDN hosting or the underlying source code of the library would allow an attacker to inject malicious scripts into your application or steal sensitive data from your users.

To mitigate these risks, consider the following security controls:

  • Use Subresource Integrity (SRI) to ensure the integrity of third-party scripts loaded from a CDN. SRI allows you to verify that the script’s content has not been tampered with by providing a hash of the expected content.

  • Host third-party libraries locally or use a trusted CDN that supports SRI. By hosting third-party libraries locally, you reduce the risk of supply chain attacks and ensure that the libraries are not tampered with.

  • Regularly update third-party libraries to the latest versions to patch security vulnerabilities. Many libraries release security updates to address known vulnerabilities, so keeping your dependencies up to date is crucial for maintaining a secure application.

Node.js Security Newsletter

Subscribe to get everything in and around the Node.js security ecosystem, direct to your inbox.

    JavaScript & web security insights, latest security vulnerabilities, hands-on secure code insights, npm ecosystem incidents, Node.js runtime feature updates, Bun and Deno runtime updates, secure coding best practices, malware, malicious packages, and more.

    Built with ConvertKit