Javascript Security

Lucian Crisan💻👍 Lucian Crisan💻👍

Lucian Crisan💻👍

Published Sep 23, 2022
+ Follow

How to secure JavaScript with minimal Steps

step 1: Test for NPM Vulnerabilities

 npm run audit

Common practice is to run NPM command in the CI snippets for each PR to identify vulnerabilities

notes: Github has a bot named Dependabot to scan NPM depend automaticallty

step 2: Automated Upgrading Minor and Patch Version

using the ^ or ~ symbol in front of the NPM packages version Technically will allow you to update with the latest version reducing security risks. Usual Minor and patch versions are both backward compatible. 

//Minor releases: 1 or 1.x or ^1.0.4
{
  boostrap: ^1.0.0 
}

//or

//Patch releases: 1.0 or 1.0.x or ~1.0.4 
{
  boostrap: ~1.0.4 
}


step 3: Check JavaScript files from 3rd-party with Integrity Checks


<script
       src="https://cdn.jsdelivr.net/npm/bootstrap@5.2.1/dist/js/bootstrap.bundle.min.js"
  data-stripped-integrity="sha384-u1OknCvxWvY5kfmNBILK2hRnQC3Pr17a+RTT6rIHI7NnikvbZlHgTPOOmMi466C8"
  crossorigin="anonymous"
></script>

the integrity attribute allows the modern browser to check the fetched file to ensure that the code is never been manipulated. In case is manipulated the file, the browser will block the fetching operation


step 4: Filter JS injections (XSS)

filter the text from the form submitted or before you save it in the database

Recommended by LinkedIn

The Claude Code Source Leak: What 513,000 Lines of Exposed TypeScript Reveal About Agentic Tool Security
The Claude Code Source Leak: What 513,000 Lines of…
Filipe Melo 4 days ago
5 ES6 features you should start using right now
5 ES6 features you should start using right now
Vamsi Dharmavarapu 9 years ago
What's New In Javascript '19
What's New In Javascript '19
Olawale Sunmonu-A 6 years ago

example:

<script></script> => replace "<" with "^lt;" and ">" with "^tl;"

<style></style> => remove HTML tags with a helper function

step 5: Lint working Code

Linters help to keep the quality of code and avoid common mistakes;

Few popular tools:

  • JSLint
  • JSHint
  • ESLint

Tools like SonarCloud can be used to identify code smells and security vulnerabilities with a Sonar report.

step 6: Keep String Mode On

benefits of "strict mode" is on:

Throw errors when "unsafe" actions are taken( gain access and manipulate the global object)

throw errors for the uses case when errors were kept silent

Forbidden the use of reserved words which are used in future versions of ECMAScript

step 7: Minify & Normalize Production Code

As a common practice, in the case of minifying and normalizing Javascript code, it is difficult to exploit the vulnerabilities in the written code.

is not recommended to have a readable source code in the production build, usual will increase the attacks from hackers

To view or add a comment, sign in

More articles by Lucian Crisan💻👍

  • Awsome Frontend Resources - Draft
    Jul 11, 2022

    Awsome Frontend Resources - Draft

    Check if CSS attribute is supported in Browser type: here Layout, CSS newsletter: CSS Layout WTF is Flexbox: here…

    6 Comments
  • Snippet: Vite + React + Vitest + @testing-library
    Mar 31, 2022

    Snippet: Vite + React + Vitest + @testing-library

    how to setup Vite React-ts project using Vitest with @testing-library Requirement node -v 14.18.

    6 Comments
  • Web 3 - projects
    Mar 17, 2022

    Web 3 - projects

    Dapp with login & logout functionality\ Dapp with login & logout functionality Create an NFT 3D Write a basic smart…

  • Migration React => Angular
    Jun 15, 2021

    Migration React => Angular

    Moving from Functional Programming into OOP Notes: Much better, is already with Typescript and separate HTML, CSS from…

Others also viewed

Explore content categories