Safeguard
Tag

node-js

Safeguard articles tagged "node-js" — guides, analysis, and best practices for software supply chain and application security.

20 articles

Application Security

NoSQL injection prevention in MongoDB and Mongoose

A single unsanitized query key like $ne can bypass authentication in MongoDB apps — two 2024-2025 Mongoose CVEs show the fix is harder than one middleware package.

Jul 16, 20267 min read
Application Security

Implementing HSTS correctly in Node.js and Express

HSTS has one header and three flags, yet a misconfigured includeSubDomains or a premature preload submission can take a domain offline for months.

Jul 15, 20266 min read
Application Security

Safely Parsing Untrusted URLs in Node.js

Node's legacy url.parse() is deprecated (DEP0169), and parser mismatches between it, the WHATWG URL API, and fetchers are a documented root cause of SSRF and open redirects.

Jul 13, 20266 min read
Supply Chain Security

Generating a CycloneDX/SPDX SBOM for a Node.js Application

npm has shipped a native `npm sbom` command since v9 — but a real supply chain program needs more than the CLI default. Here's how to do it right.

Jul 8, 20266 min read
Application Security

Implementing SSL/TLS certificate pinning in Node.js

HTTP Public Key Pinning died in Chrome 67 back in 2018, yet Node.js apps still need pinning for mobile backends and server-to-server calls — here's how to do it without bricking your own API.

Jul 8, 20266 min read
Tutorials

How to Audit npm Dependencies for Vulnerabilities

Go beyond npm audit's noisy output — resolve your dependency tree, prioritize by reachability, and fix both direct and transitive vulnerabilities in a Node.js project the right way.

Jul 5, 20265 min read
Industry Analysis

XXE Prevention in JavaScript: Disabling libxmljs noent

How the libxmljs noent option silently reopens XML External Entity (XXE) attacks in Node.js apps, and the exact parser settings that shut it down for good.

Oct 22, 20257 min read
Containers

Docker Image for Node: Choosing Slim vs Full Builds

The default node image on Docker Hub ships a full Debian userland most services never touch — knowing when slim, alpine, or distroless actually pays off keeps builds smaller without breaking native modules.

Sep 3, 20256 min read
Dev Practices

Dependency Injection in JavaScript: Security Notes

Dependency injection in JavaScript makes code testable and modular, but the same indirection that helps design can hide security bugs if you're not careful about what gets injected.

May 14, 20256 min read
AppSec

JavaScript Vulnerability Scanners: How They Actually Work

A javascript vulnerability scanner has to reason about a dynamically typed, dependency-heavy language — which is why the good ones combine static analysis with dependency-graph lookups rather than relying on either alone.

May 6, 20255 min read
Best Practices

Fastify Security Posture in 2024

Fastify hit version 5.0 in September 2024 with a slimmer core, a plugin model that encourages correctness, and a security track record that genuinely distinguishes it from the Express crowd. Here is what I have learned auditing Fastify apps this year.

Sep 20, 20247 min read
Application Security

Prototype Pollution in JavaScript: Prevention Guide

Prototype pollution lets attackers modify the behavior of all JavaScript objects by injecting properties into Object.prototype. This guide covers exploitation techniques, real-world impact, and layered defenses.

Apr 5, 20246 min read
node-js — Safeguard Blog