nodejs koa secure deployment

Preface

Node.js is a very popular event-driven JavaScript running environment. It is characterized by efficiency, scalability, and cross-platform. Koa is a lightweight Node.js web framework that uses the ES6 generator to make asynchronous code writing more concise. In actual applications, we often need to deploy Node.js applications. This article will introduce in detail how to deploy Koa applications safely.

HTTPS

In a production environment, we should use the HTTPS protocol to ensure data security. So when deploying a Koa application, we must first make the application support HTTPS.

First, we need a certificate for the domain name. You can use Let’s Encrypt to implement a free HTTPS certificate. For specific steps, please refer to this article: [Use Let's Encrypt to enable HTTPS for Node.js applications for free](https://github.com/chemdemo/chemdemo.github.io/issues/11). After the certificate application is completed, we need to add the following code to the application startup script:

const https = require('https');
const fs = require('fs');
const Koa = require('koa');
const app = new Koa();

const options = {
  key: fs.readFileSync('/etc/ssl/example.com.key'),
  cert: fs.readFileSync('/etc/ssl/example.com.crt'),
};

https.createServer(options, app.callback()).listen(3000, () => {
  console.log('HTTPS Server listening on port 3000');
});

where /etc/ssl/example.com.key is the private key file path of the certificate , /etc/ssl/example.com.key is the public key file path of the certificate. https.createServer method can create an HTTPS server based on certificate configuration.

Preventing DDos attacks

DDos (distributed denial of service) attacks are a common means of network attacks. Attackers will use various methods to subject the server to a large number of requests, causing the server to become unavailable. use.

In order to prevent DDos attacks, we can use the following methods:

Limit request traffic

Use the middleware koa-ratelimit to limit the request frequency of the same IP.

const Koa = require('koa');
const rateLimit = require('koa-ratelimit');
const app = new Koa();

app.use(
  rateLimit({
    driver: 'memory',
    db: new Map(),
    duration: 60000, // 1分钟限制一次
    errorMessage: '请求次数过于频繁，请稍后再试。',
    id: (ctx) => ctx.ip,
    headers: {
      remaining: 'Rate-Limit-Remaining',
      reset: 'Rate-Limit-Reset',
      total: 'Rate-Limit-Total',
    },
    max: 100, // 一分钟最多请求 100 次
    disableHeader: false,
  })
);

Verify the source of the request

Using koa-helmet middleware can add some security headers to strengthen security, including CSP (Content Security Policy), DNS Prefetch control, XSS filtering, etc. At the same time, we can use third-party libraries such as geoip-lite to obtain the IP region of the request source and restrict access based on the region.

const Koa = require('koa');
const helmet = require('koa-helmet');
const geoip = require('geoip-lite');
const app = new Koa();

app.use(helmet({ contentSecurityPolicy: false }));
app.use((ctx, next) => {
  const ip = ctx.request.headers['x-forwarded-for'] || ctx.request.ip;
  const geo = geoip.lookup(ip);
  const allowedCountries = ['CN', 'US', 'JP'];
  if (!geo || allowedCountries.indexOf(geo.country) === -1) {
    ctx.throw(403, 'Access Denied');
  }
  return next();
});

Use DDos protection services provided by service providers

Using third-party DDos protection services, such as the security acceleration platform provided by Alibaba Cloud, can effectively defend against large-scale DDos attacks.

Maintaining system security

The practice of security maintenance should not just stop at preventing DDos attacks, but should cover the security design of the entire system architecture.

In Node.js applications, there are some common types of vulnerabilities, such as code injection, cross-site scripting attacks (XSS), cross-site request forgery (CSRF), etc.

In order to effectively ensure system security, we can take the following measures:

Use CSP

CSP is the abbreviation of content security policy. Using CSP can effectively prevent code Injection attacks, as well as some XSS attacks.

In Koa applications, you can use koa-helmet to set CSP policies.

const Koa = require('koa');
const helmet = require('koa-helmet');
const app = new Koa();

app.use(
  helmet.contentSecurityPolicy({
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'", "'unsafe-inline'", 'cdn.example.com'],
      styleSrc: ["'self'", "'unsafe-inline'"],
      imgSrc: ["'self'", 'cdn.example.com'],
      connectSrc: [
        "'self'",
        'api.example.com',
        'api.example.net',
        'analytics.google.com',
      ],
      fontSrc: ["'self'", 'cdn.example.com'],
    },
  })
);

In this example, we ban all scripts and styles except ourselves through CSP, and at the same time relax the authoritative and trusted CDN domain name and Google Analytics domain name. We can also specify a URL through the reportUri attribute. When a CSP violation occurs, a report will be sent to this URL for subsequent processing.

Using Helmet

In addition to CSP, koa-helmet also provides many other security header options, which can greatly improve the security of Koa applications.

const Koa = require('koa');
const helmet = require('koa-helmet');
const app = new Koa();

app.use(helmet());

After using the helmet middleware, we do not need to set the configuration items of each security header, but use the adjusted default configuration items. This default configuration item includes CORS control, XSS filtering, HSTS policy, HTTP cache control, etc., which can greatly improve application security.

Using koa-usual-bundle

koa-usual-bundle is a general configuration collection for Node.js security development, which contains many common vulnerability prevention solutions.

npm install --save koa-usual-bundle

After installation, before starting the Koa application, you need to initialize it with the configuration of koa-usual-bundle:

const Koa = require('koa');
const usual = require('koa-usual-bundle');
const app = new Koa();
usual(app);

In this example, we will use the app of usual and Koa Instances are bound together to add security to Koa applications.

Summary

In a production environment, security is an important issue for Node.js applications. This article introduces how to deploy Koa applications securely, including using HTTPS to protect data, preventing DDos attacks, taking measures to maintain system security, etc. Although these measures are not foolproof, by taking these measures, you can maximize the security of your application.

The above is the detailed content of nodejs koa secure deployment. For more information, please follow other related articles on the PHP Chinese website!