Why Cyber Criminals Wish You Won’t Read This: Protecting Your Website from Cyber Threats

Hi there! I’ve been working as a JavaScript developer for years now, and I’ve spent quite a bit of that time getting to grips with web security. I’m not going to sugarcoat it: it can be tough, but it’s also an essential part of what we do.
I’m sharing this guide with you based on my own experiences. I’ve made mistakes and learned lessons, and now I hope those lessons can help you. Security might seem daunting at first, but don’t hesitate to ask questions or seek help. No one gets it perfect from the start. Let’s get into it.
HTTPS and Secure Communications
The first step towards securing your website is making sure that your users’ data is transmitted securely. HTTPS, which stands for HyperText Transfer Protocol Secure, encrypts data sent between your users and your website.
If you’re using JavaScript for server-side scripting with Node.js, implementing HTTPS is relatively straightforward:
var https = require('https');
var fs = require('fs');

// The private key and certificate the server presents to clients
var options = {
  key: fs.readFileSync('test/fixtures/keys/agent2-key.pem'),
  cert: fs.readFileSync('test/fixtures/keys/agent2-cert.pem')
};

// Every request arriving here has already been decrypted by the TLS layer
https.createServer(options, function (req, res) {
  res.writeHead(200);
  res.end("Welcome to the secure side of the web!");
}).listen(8000);

Remember to replace ‘test/fixtures/keys/agent2-key.pem’ and ‘test/fixtures/keys/agent2-cert.pem’ with the file paths of your private key and SSL certificate, respectively. Now your Node.js app will be able to handle HTTPS requests.
SQL Injection
SQL Injection is a type of security threat where an attacker could inject malicious SQL code using the input fields on your website. This could potentially allow them to manipulate your database.
Using parameterized queries or prepared statements helps mitigate this risk. Here’s an example using Node.js and MySQL:
var mysql = require('mysql');
var con = mysql.createConnection({
  host: "localhost",
  user: "yourusername",
  password: "yourpassword",
  database: "mydb"
});

con.connect(function(err) {
  if (err) throw err;
  console.log("Connected!");
  // Create a parameterized query: the ? marks where a value will go
  var sql = "SELECT * FROM customers WHERE address = ?";
  var inserts = ['Mountain 21'];
  // Pass the values separately; the driver escapes each one and substitutes it
  // for its placeholder, so user input cannot change the structure of the query
  con.query(sql, inserts, function (err, result) {
    if (err) throw err;
    console.log(result);
    con.end();
  });
});

Cross Site Scripting (XSS)
Cross Site Scripting attacks occur when an attacker is able to inject a malicious script into your web page, which can then run in other users’ browsers.
To prevent XSS attacks, always validate and sanitize input, and never place raw HTML from user input into a page. For example, you can escape the HTML special characters in user input in Express.js using the “express-validator” middleware:
var express = require('express');
var { check, validationResult } = require('express-validator');
var app = express();
app.use(express.json());

app.post('/user', [
  // Trim whitespace, then replace HTML special characters (<, >, &, quotes) with entities
  check('username').trim().escape()
], function(req, res) {
  // Check for validation errors
  const errors = validationResult(req);
  // If there are errors, return them in the response
  if (!errors.isEmpty()) {
    return res.status(400).json({ errors: errors.array() });
  }
  // No errors, continue with processing
  // Example: just send a success message
  res.json({ message: "Data processed successfully" });
});

app.listen(3000);

Conclusion
Web security is a vast and ever-changing field, with new threats and solutions appearing all the time. But with some solid fundamentals in place, we can build and protect our websites against common attacks.
As developers, we bear the responsibility of not just building functional and aesthetically pleasing websites, but also securing the data and privacy of our users. I hope this article has been helpful in understanding and implementing some of these basic security measures.
Let’s keep learning, keep questioning, and keep our web spaces safe.
Thank you for reading until the end. Please consider following the writer and this publication. Visit Stackademic to find out more about how we are democratizing free programming education around the world.
[Disclosure: Every article I pen is a fusion of my ideas and the supportive capabilities of artificial intelligence. While AI assists in refining and elaborating, the core thoughts and concepts stem from my perspective and knowledge. To know more about my creative process, read this article.]
