nodejs
Safeguard articles tagged "nodejs" — guides, analysis, and best practices for software supply chain and application security.
50 articles
Preventing SQL injection in Node.js applications
CWE-89 is a 25-year-old bug class, but Node's template literals make it trivially easy to reintroduce in mysql2, pg, and even Sequelize's raw-query escape hatch.
Preventing SSRF in Node.js applications
A single unvalidated URL in a fetch or axios call can let an attacker reach 169.254.169.254 and steal cloud credentials — as the 2019 Capital One breach showed.
JavaScript Dependency Vulnerability Scanning: Beyond npm audit
npm audit tells you a CVE exists somewhere in your tree — not whether it can hurt you. Here is how dependency scanning really works, why reachability changes everything, and how to build a signal-rich program.
Secrets Management in Node.js: From .env to Zero-Standing-Credentials
Hardcoded tokens and committed .env files are still the fastest way to lose a cloud account. Here is a maturity ladder for Node.js secrets — from native --env-file to managed vaults and short-lived OIDC credentials.
Securing Express Applications: A Layered Playbook
Express gives you almost no security by default. This playbook layers the middleware, headers, rate limits, session hardening, and input validation that turn a bare Express app into a defensible one — with Express 5 in mind.
How to Prevent Prototype Pollution in JavaScript
Prototype pollution turns a single crafted JSON key into process-wide corruption — and it has escalated to RCE in real Node.js apps. Here is how the attack works and four layers of defense that stop it.
Preventing SSRF in Node.js Applications
Server-Side Request Forgery is the bug that turns a harmless URL field into a doorway to your cloud metadata service. Here is how SSRF works in Node.js and how to shut it down with allowlists and DNS-safe validation.
The npm Supply Chain Security Guide
How the npm supply chain actually gets attacked — install scripts, maintainer takeovers, typosquatting, and dependency confusion — and a phased program to defend it from developer laptop to production.
Express.js Security Guide (2026)
Express is the default web framework for Node.js — and a small, deep dependency tree that has produced open-redirect, XSS, and ReDoS CVEs. Here is how to run Express safely in 2026.
JavaScript Security: The Common Pitfalls That Keep Burning Teams
The recurring JavaScript security mistakes that show up in real breaches — unsafe deserialization, injection sinks, prototype pollution, and trusting client input — each with vulnerable and fixed code.
Node.js Security Best Practices for 2026
A practical, runtime-aware checklist for hardening Node.js services in 2026 — from the built-in permission model and secure defaults to dependency risk, secrets, and reachability-based triage.
Building a secure GraphQL API with Node.js
A practical guide to securing Node.js GraphQL APIs: query complexity limits, field-level authorization, injection-safe resolvers, and CSRF hardening.