Safeguard
Tag

nodejs

Safeguard articles tagged "nodejs" — guides, analysis, and best practices for software supply chain and application security.

50 articles

Application Security

Nuxt 3 Security Hardening: CSP, SSR Leakage, and Safe Server Routes

Nuxt 3's server runs as one long-lived Node process — a single misplaced ref() can leak one user's data into another user's response.

Jul 15, 20266 min read
Application Security

Designing a secure Node.js API gateway: auth, rate limits, validation, and signing

CVE-2020-15084 let attackers forge JWTs against express-jwt because one algorithm check was missing — a case study in why gateways need four defense layers, not one.

Jul 15, 20266 min read
Application Security

Secure file uploads in Node.js and Fastify

CWE-22 path traversal climbed three spots to #5 on the 2024 CWE Top 25. Here's how to validate, store, and scan Fastify uploads without trusting the client.

Jul 15, 20266 min read
Application Security

Choosing a secure Node.js web framework: Express, Fastify, Koa, and NestJS compared

None of Express, Fastify, Koa, or NestJS enable security headers, CSRF protection, or input validation by default — the defaults you inherit differ more than you'd think.

Jul 14, 20266 min read
Application Security

Mass assignment in Node, Express, and Mongoose apps

One unfiltered req.body.role field can turn a signup form into an admin-creation endpoint — here's how mass assignment happens in Node and how to stop it.

Jul 14, 20266 min read
Application Security

Why Node.js's vm module is not a security sandbox

Node's own docs warn the vm module isn't a security mechanism — vm2, built on top of it, still shipped two CVSS 9.8 sandbox escapes in 2023.

Jul 14, 20266 min read
Application Security

Preventing path traversal in Node.js file upload and serving code

path.join() doesn't stop ../../etc/passwd — CVE-2024-12905 and Zip Slip show why Node.js needs explicit containment checks, not just path normalization.

Jul 14, 20266 min read
Container Security

Containerizing Node.js apps: an updated Docker best-practices guide

The official node image ships a built-in non-root user, but COPY still writes files as root by default — most Node.js Dockerfiles never actually drop privileges.

Jul 13, 20267 min read
Application Security

Preventing insecure deserialization in Node.js

A 2017 node-serialize flaw let attackers turn a signed cookie into remote code execution — here's how deserialization bugs still slip into Node apps.

Jul 13, 20265 min read
Container Security

Choosing a secure Node.js Docker base image

A stock node:18 image ships at roughly 940MB with 100-200 tracked CVEs; distroless variants land 80% smaller with 0-2. Here's the real tradeoff.

Jul 12, 20267 min read
Application Security

The security implications of Node.js worker_threads

Node.js worker_threads share memory across V8 isolates by design — CVE-2025-23083 (CVSS 7.7) shows even the permission model meant to contain them can be bypassed.

Jul 12, 20266 min read
Security Guides

ReDoS: Regular Expression Denial of Service in JavaScript

A single bad regex can freeze your entire Node.js event loop on one malicious request. Here is how catastrophic backtracking works, how to spot vulnerable patterns, and how to fix them without rewriting everything.

Jul 8, 20266 min read
nodejs — Safeguard Blog