This talk is an extended version of my session at HTML5DevConf. It was held on Friday Nov. 20th 2015 at DevFest Asia / JSConf Asia in Singapore.
Proper authentication and data security standards are often among the most misunderstood, confusing, and tricky aspects of building any Node site, app, or service, and the fear of a data breach exposing unencrypted or poorly encrypted data doesn’t make it any easier.
We’re going to tackle this field, exploring the proper methodologies for building secure authentication and data security standards. We’ll run through:
- Building on top of OAuth 2 and OpenID Connect
- Node middleware services for authentication
- Working with proper hashing and salting algorithms, and avoiding others, for private user data
- Common auth and security pitfalls and solutions
In the end, we’ll see that by understanding proper data security and authentication standards, their pitfalls, and the reasons for choosing one solution over another, we can make informed decisions about building a solid infrastructure that protects our users and their data.
JSConf Asia: Node.js Authentication and Data Security
1. Tim Messerschmidt
Head of Developer Relations, International
Braintree
@Braintree_Dev / @SeraAndroid
Node.js Authentication
and Data Security
#JSConfAsia
23. @Braintree_Dev / @SeraAndroid #JSConfAsia
Exploit          Prevalence  Detectability  Impact     Exploitability
Injection        Common      Medium         Very High  Easy
Broken Auth      Very High   Medium         Very High  Average
XSS              Very High   Easy           Medium     Average
Insecure DOR     Common      Easy           Medium     Easy
Misconfiguration Common      Easy           Medium     Easy
Exposed Data     Common      Medium         Very High  Difficult
ACL              Common      Medium         Medium     Easy
CSRF             Common      Easy           Medium     Average
Vulnerable Code  Very High   Difficult      Medium     Average
Redirects        Common      Easy           Medium     Average
47. @Braintree_Dev / @SeraAndroid #JSConfAsia
var express = require('express');
var helmet = require('helmet');
var app = express();

app.use(helmet.noCache());    // Cache-Control, Pragma and Expires headers
app.use(helmet.frameguard()); // X-Frame-Options against clickjacking
app.use(helmet.xssFilter());  // X-XSS-Protection
// …
// .. or use the default initialization
app.use(helmet());
Using Helmet with default options
53. @Braintree_Dev / @SeraAndroid #JSConfAsia
var authenticate = function(req, res, next) {
  // check the request and modify the response;
  // call next() to continue the chain, or end the response to reject
};
app.get('/form', authenticate, function(req, res) {
  // assume that the user is authenticated
});
// … or use the middleware for certain routes
app.use('/admin', authenticate);
Writing Custom Middleware
64. @Braintree_Dev / @SeraAndroid #JSConfAsia
Favor security too much over the experience and you’ll make the website a pain to use.
smashingmagazine.com/2012/10/26/password-masking-hurt-signup-form