nodejs
Safeguard articles tagged "nodejs" — guides, analysis, and best practices for software supply chain and application security.
50 articles
Nuxt 3 Security Hardening: CSP, SSR Leakage, and Safe Server Routes
Nuxt 3's server runs as one long-lived Node process — a single misplaced ref() can leak one user's data into another user's response.
Designing a secure Node.js API gateway: auth, rate limits, validation, and signing
CVE-2020-15084 let attackers forge JWTs against express-jwt because one algorithm check was missing — a case study in why gateways need four defense layers, not one.
Secure file uploads in Node.js and Fastify
CWE-22 path traversal climbed three spots to #5 on the 2024 CWE Top 25. Here's how to validate, store, and scan Fastify uploads without trusting the client.
Choosing a secure Node.js web framework: Express, Fastify, Koa, and NestJS compared
None of Express, Fastify, Koa, or NestJS enable security headers, CSRF protection, or input validation by default — the defaults you inherit differ more than you'd think.
Mass assignment in Node, Express, and Mongoose apps
One unfiltered req.body.role field can turn a signup form into an admin-creation endpoint — here's how mass assignment happens in Node and how to stop it.
Why Node.js's vm module is not a security sandbox
Node's own docs warn the vm module isn't a security mechanism — vm2, built on top of it, still shipped two CVSS 9.8 sandbox escapes in 2023.
Preventing path traversal in Node.js file upload and serving code
path.join() doesn't stop ../../etc/passwd — CVE-2024-12905 and Zip Slip show why Node.js needs explicit containment checks, not just path normalization.
Containerizing Node.js apps: an updated Docker best-practices guide
The official node image ships a built-in non-root user, but COPY still writes files as root by default — most Node.js Dockerfiles never actually drop privileges.
Preventing insecure deserialization in Node.js
A 2017 node-serialize flaw let attackers turn a signed cookie into remote code execution — here's how deserialization bugs still slip into Node apps.
Choosing a secure Node.js Docker base image
A stock node:18 image ships at roughly 940MB with 100-200 tracked CVEs; distroless variants land 80% smaller with 0-2. Here's the real tradeoff.
The security implications of Node.js worker_threads
Node.js worker_threads share memory across V8 isolates by design — CVE-2025-23083 (CVSS 7.7) shows even the permission model meant to contain them can be bypassed.
ReDoS: Regular Expression Denial of Service in JavaScript
A single bad regex can freeze your entire Node.js event loop on one malicious request. Here is how catastrophic backtracking works, how to spot vulnerable patterns, and how to fix them without rewriting everything.