Safeguard
Tag

nodejs

Safeguard articles tagged "nodejs" — guides, analysis, and best practices for software supply chain and application security.

50 articles

Application Security

Broken access control in Express: the OWASP #1 risk, fixed with middleware

Broken access control now shows up in 100% of tested applications, per OWASP's 2025 Top 10 — up from 94% in 2021. Here's how to close it in Express.

Jul 8, 20266 min read
Container Security

Docker best practices for Node.js developers in 2026

Multi-stage builds can cut a Node.js image from 1GB+ down to under 150MB — but most teams still ship dev dependencies, root shells, and unscanned base layers to production.

Jul 8, 20267 min read
Open Source Security

Shipping a Dual ESM/CJS npm Package Without Creating a Supply-Chain Hazard

Node's own docs call it a 'dual package hazard' — the same module loaded twice via require() and import can produce two objects that fail instanceof against each other.

Jul 8, 20267 min read
Application Security

Designing Secure Fastify Plugin Boundaries

Fastify's encapsulation model isolates plugin state by default — but one `fastify-plugin` wrapper or a stray `skip-override` symbol can silently punch a hole through every boundary you had.

Jul 8, 20267 min read
Best Practices

Node.js backend architecture patterns for 2026

Node 22 shipped a stable permission model and npm has supported provenance since 2023 — yet the September 2025 Shai-Hulud worm still spread through unpinned installs.

Jul 8, 20267 min read
Application Security

The Security Implications of Misconfigured CORS in Node.js APIs

One line of Express middleware — reflecting Origin back with credentials: true — turns CORS from a browser protection into an authenticated data-exfiltration channel.

Jul 8, 20266 min read
Application Security

CSRF in Node.js: attack mechanics and modern mitigation

Express has never shipped CSRF protection in core, and its most popular middleware, csurf, was archived in 2022 — here's what actually replaces it.

Jul 8, 20267 min read
Application Security

Node.js vs Deno vs Bun: comparing their security models

Only one of the three major JavaScript runtimes denies system access by default — Node's permission model only went stable in v23.5.0, and Bun still has none.

Jul 8, 20266 min read
Application Security

When Node.js sandboxing stops at the C++ boundary

Node's permission model can block a native addon from loading at all — but once it's in, a single buffer overflow in C++ can corrupt the whole process.

Jul 8, 20267 min read
Application Security

The security case for Node.js's newer runtime features

Node's permission model went stable in v23.5.0, the built-in test runner in v20 — both quietly shrink attack surface, but neither is the sandbox teams assume it is.

Jul 8, 20267 min read
Application Security

Preventing log injection in Node.js and Express

A single unescaped newline in req.body can let an attacker forge fake log entries — CWE-117 log injection still hits Node apps that log with plain string concatenation.

Jul 8, 20266 min read
Security Guides

Node.js Docker Security Best Practices

A Node.js container is only as secure as its base image, its user, and its dependency layer. This is a Dockerfile-by-Dockerfile walkthrough of hardening a Node app image — multi-stage builds, non-root, distroless, and layer hygiene.

Jul 7, 20265 min read
nodejs (Page 2) — Safeguard Blog