node-js
Safeguard articles tagged "node-js" — guides, analysis, and best practices for software supply chain and application security.
20 articles
NoSQL injection prevention in MongoDB and Mongoose
A single unsanitized query key like $ne can bypass authentication in MongoDB apps — two 2024-2025 Mongoose CVEs show the fix is harder than one middleware package.
Implementing HSTS correctly in Node.js and Express
HSTS has one header and three flags, yet a misconfigured includeSubDomains or a premature preload submission can take a domain offline for months.
Safely Parsing Untrusted URLs in Node.js
Node's legacy url.parse() is deprecated (DEP0169), and parser mismatches between it, the WHATWG URL API, and fetchers are a documented root cause of SSRF and open redirects.
Generating a CycloneDX/SPDX SBOM for a Node.js Application
npm has shipped a native `npm sbom` command since v9 — but a real supply chain program needs more than the CLI default. Here's how to do it right.
Implementing SSL/TLS certificate pinning in Node.js
HTTP Public Key Pinning died in Chrome 67 back in 2018, yet Node.js apps still need pinning for mobile backends and server-to-server calls — here's how to do it without bricking your own API.
How to Audit npm Dependencies for Vulnerabilities
Go beyond npm audit's noisy output — resolve your dependency tree, prioritize by reachability, and fix both direct and transitive vulnerabilities in a Node.js project the right way.
XXE Prevention in JavaScript: Disabling libxmljs noent
How the libxmljs noent option silently reopens XML External Entity (XXE) attacks in Node.js apps, and the exact parser settings that shut it down for good.
Docker Image for Node: Choosing Slim vs Full Builds
The default node image on Docker Hub ships a full Debian userland most services never touch — knowing when slim, alpine, or distroless actually pays off keeps builds smaller without breaking native modules.
Dependency Injection in JavaScript: Security Notes
Dependency injection in JavaScript makes code testable and modular, but the same indirection that helps design can hide security bugs if you're not careful about what gets injected.
JavaScript Vulnerability Scanners: How They Actually Work
A javascript vulnerability scanner has to reason about a dynamically typed, dependency-heavy language — which is why the good ones combine static analysis with dependency-graph lookups rather than relying on either alone.
Fastify Security Posture in 2024
Fastify hit version 5.0 in September 2024 with a slimmer core, a plugin model that encourages correctness, and a security track record that genuinely distinguishes it from the Express crowd. Here is what I have learned auditing Fastify apps this year.
Prototype Pollution in JavaScript: Prevention Guide
Prototype pollution lets attackers modify the behavior of all JavaScript objects by injecting properties into Object.prototype. This guide covers exploitation techniques, real-world impact, and layered defenses.