Safeguard
Tag

nodejs

Safeguard articles tagged "nodejs" — guides, analysis, and best practices for software supply chain and application security.

50 articles

Application Security

Preventing SQL injection in Node.js applications

CWE-89 is a 25-year-old bug class, but Node's template literals make it trivially easy to reintroduce in mysql2, pg, and even Sequelize's raw-query escape hatch.

Jul 7, 20267 min read
Application Security

Preventing SSRF in Node.js applications

A single unvalidated URL in a fetch or axios call can let an attacker reach 169.254.169.254 and steal cloud credentials — as the 2019 Capital One breach showed.

Jul 7, 20266 min read
Security Guides

JavaScript Dependency Vulnerability Scanning: Beyond npm audit

npm audit tells you a CVE exists somewhere in your tree — not whether it can hurt you. Here is how dependency scanning really works, why reachability changes everything, and how to build a signal-rich program.

Jul 6, 20266 min read
Security Guides

Secrets Management in Node.js: From .env to Zero-Standing-Credentials

Hardcoded tokens and committed .env files are still the fastest way to lose a cloud account. Here is a maturity ladder for Node.js secrets — from native --env-file to managed vaults and short-lived OIDC credentials.

Jul 5, 20265 min read
Security Guides

Securing Express Applications: A Layered Playbook

Express gives you almost no security by default. This playbook layers the middleware, headers, rate limits, session hardening, and input validation that turn a bare Express app into a defensible one — with Express 5 in mind.

Jul 4, 20265 min read
Security Guides

How to Prevent Prototype Pollution in JavaScript

Prototype pollution turns a single crafted JSON key into process-wide corruption — and it has escalated to RCE in real Node.js apps. Here is how the attack works and four layers of defense that stop it.

Jul 4, 20265 min read
Security Guides

Preventing SSRF in Node.js Applications

Server-Side Request Forgery is the bug that turns a harmless URL field into a doorway to your cloud metadata service. Here is how SSRF works in Node.js and how to shut it down with allowlists and DNS-safe validation.

Jul 3, 20266 min read
Security Guides

The npm Supply Chain Security Guide

How the npm supply chain actually gets attacked — install scripts, maintainer takeovers, typosquatting, and dependency confusion — and a phased program to defend it from developer laptop to production.

Jul 2, 20265 min read
Security Guides

Express.js Security Guide (2026)

Express is the default web framework for Node.js — and a small, deep dependency tree that has produced open-redirect, XSS, and ReDoS CVEs. Here is how to run Express safely in 2026.

Jul 2, 20266 min read
Security Guides

JavaScript Security: The Common Pitfalls That Keep Burning Teams

The recurring JavaScript security mistakes that show up in real breaches — unsafe deserialization, injection sinks, prototype pollution, and trusting client input — each with vulnerable and fixed code.

Jul 2, 20265 min read
Security Guides

Node.js Security Best Practices for 2026

A practical, runtime-aware checklist for hardening Node.js services in 2026 — from the built-in permission model and secure defaults to dependency risk, secrets, and reachability-based triage.

Jul 1, 20266 min read
Application Security

Building a secure GraphQL API with Node.js

A practical guide to securing Node.js GraphQL APIs: query complexity limits, field-level authorization, injection-safe resolvers, and CSRF hardening.

Apr 27, 20267 min read
nodejs (Page 3) — Safeguard Blog