Threat modelling is the structured process of identifying the threats to a system and ranking them by risk, so that mitigation effort goes where it matters most. Node.js and JavaScript applications come with their own set of ecosystem-specific issues (the dependency tree, for one) that a threat model has to cover.
Attack trees (diagram; node labels as extracted): root goal Get Access; other nodes: Modify Credentials, Learn Password, Bypass Access Control, Get Access to Database, Social Engineering, Get Access to DMZ, Listen on Transport Layer, Guessing, Insecure Dependencies. A second slide appears to highlight the path Get Access → Learn Password → Guessing.
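The value of an attack tree is that it can be evaluated: the attacker needs any one child of an OR node but every child of an AND node, so the cheapest route to the root is the one to defend first. The following is an added example, not code from the slides; the tree structure and the effort numbers are assumptions reconstructed from the node labels above, chosen only to make the evaluation concrete.

```javascript
// Added example: evaluating an attack tree in plain Node.js (no dependencies).
// ASSUMPTION: the tree layout and the effort values below are constructed sample
// data reconstructed from the slide's node labels, not a real assessment.
//
// A node is either a leaf { goal, effort } or an inner node { goal, type, children }.
//   OR  : the attacker needs any one child   -> effort = cheapest child
//   AND : the attacker needs every child     -> effort = sum of children
const attackTree = {
  goal: 'Get Access',
  type: 'OR',
  children: [
    {
      goal: 'Modify Credentials',
      type: 'AND',
      children: [
        {
          goal: 'Learn Password',
          type: 'OR',
          children: [
            { goal: 'Guessing', effort: 3 },
            { goal: 'Social Engineering', effort: 5 },
            { goal: 'Listen on Transport Layer', effort: 8 },
          ],
        },
        {
          goal: 'Bypass Access Control',
          type: 'OR',
          children: [{ goal: 'Insecure Dependencies', effort: 6 }],
        },
      ],
    },
    { goal: 'Get Access to Database', effort: 9 },
    { goal: 'Get Access to DMZ', effort: 7 },
  ],
};

// Cheapest route to a node's goal: returns { effort, path } where path lists
// the goals traversed from this node down to the leaves actually used.
function cheapestPath(node) {
  if (node.children === undefined) {
    return { effort: node.effort, path: [node.goal] };
  }
  const results = node.children.map(cheapestPath);
  if (node.type === 'OR') {
    const best = results.reduce((a, b) => (b.effort < a.effort ? b : a));
    return { effort: best.effort, path: [node.goal, ...best.path] };
  }
  if (node.type === 'AND') {
    return {
      effort: results.reduce((sum, r) => sum + r.effort, 0),
      path: [node.goal, ...results.flatMap((r) => r.path)],
    };
  }
  throw new Error(`unknown node type: ${node.type}`);
}

// Every distinct attack scenario (set of leaves that together reach the goal)
// with its total effort. OR nodes union their children's scenarios; AND nodes
// take the cartesian product, since all children must be achieved.
function scenarios(node) {
  if (node.children === undefined) {
    return [{ effort: node.effort, leaves: [node.goal] }];
  }
  const perChild = node.children.map(scenarios);
  if (node.type === 'OR') return perChild.flat();
  return perChild.reduce(
    (acc, options) =>
      acc.flatMap((a) =>
        options.map((o) => ({ effort: a.effort + o.effort, leaves: [...a.leaves, ...o.leaves] })),
      ),
    [{ effort: 0, leaves: [] }],
  );
}

// Scenarios ordered from cheapest (most likely) to most expensive for the attacker.
function rankScenarios(node) {
  return scenarios(node).sort((a, b) => a.effort - b.effort);
}

for (const s of rankScenarios(attackTree)) {
  console.log(`${String(s.effort).padStart(2)}  ${s.leaves.join(' + ')}`);
}
```

With the sample numbers the cheapest route is through the DMZ (effort 7), and the credential route only costs 9 because password guessing is cheap; raising the effort of the cheapest leaves (rate limiting the login, pinning dependencies) is what moves the root's cost up.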
STRIDE
Classification scheme for characterizing known threats:
● Spoofing of user identity
● Tampering
● Repudiation
● Information disclosure (privacy breach or data leak)
● Denial of service
● Elevation of privilege
Rating each threat (the DREAD categories; three are shown here):
DAMAGE: if the threat is exploited, how much damage is caused?
0 = None
5 = Individual user data is compromised or affected.
10 = Complete system or data destruction.
REPRODUCIBILITY: how easy is it to reproduce the exploit?
0 = Very hard or impossible, even for administrators.
5 = One or two steps required; may need to be an authorized user.
10 = Even a web browser is sufficient, without authentication.
EXPLOITABILITY: what is needed to exploit this threat?
0 = Advanced programming and networking knowledge, with custom or advanced tools.
5 = Malware exists on the Internet, or the exploit is easily performed using available attack tools.
10 = Just a web browser.
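Putting the ratings to work means scoring each threat consistently and sorting the list, which is the "prioritized" part of threat modelling. The following is an added example, not from the slides: it uses only the three categories defined above, the threat list is constructed sample data, and the High/Medium/Low thresholds are an assumption.

```javascript
// Added example: DREAD-style scoring over the three categories the slides define.
// ASSUMPTION: the sample threats and the band thresholds are constructed for
// illustration; a real model would use the team's agreed numbers.
const RATING_FIELDS = ['damage', 'reproducibility', 'exploitability'];

// Average of the per-category ratings, each an integer 0..10, giving 0..10 overall.
// Rejects missing or out-of-range values so a typo cannot silently lower a score.
function threatScore(threat) {
  let total = 0;
  for (const field of RATING_FIELDS) {
    const value = threat[field];
    if (!Number.isInteger(value) || value < 0 || value > 10) {
      throw new RangeError(`${threat.name}: ${field} must be an integer from 0 to 10`);
    }
    total += value;
  }
  return total / RATING_FIELDS.length;
}

// Assumed bands: 7 and above is High, 4 to 7 is Medium, below 4 is Low.
function riskBand(score) {
  if (score >= 7) return 'High';
  if (score >= 4) return 'Medium';
  return 'Low';
}

// Returns the threats sorted from highest to lowest score, with score and band attached.
function prioritise(threats) {
  return threats
    .map((t) => {
      const score = threatScore(t);
      return { name: t.name, score, band: riskBand(score) };
    })
    .sort((a, b) => b.score - a.score);
}

// Constructed sample threats, rated with the 0/5/10 anchors from the slides.
const sampleThreats = [
  { name: 'Password guessing on login', damage: 5, reproducibility: 10, exploitability: 10 },
  { name: 'Sniffing credentials on plain HTTP', damage: 5, reproducibility: 5, exploitability: 5 },
  { name: 'RCE via vulnerable dependency', damage: 10, reproducibility: 5, exploitability: 5 },
  { name: 'Social engineering an admin', damage: 10, reproducibility: 0, exploitability: 0 },
];

for (const t of prioritise(sampleThreats)) {
  console.log(`${t.score.toFixed(1)}  ${t.band.padEnd(6)}  ${t.name}`);
}
```

Note how the cheap, unauthenticated attack (password guessing) outranks the dependency RCE even though the latter's damage rating is twice as high; that is exactly the ordering the reproducibility and exploitability categories are meant to produce.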
Security HTTP headers
● Strict-Transport-Security: tells the browser to use HTTPS only for this host; it must be sent over an HTTPS response to take effect.
● X-Frame-Options: clickjacking protection by refusing to be framed by other origins.
● X-XSS-Protection: switched on the reflected-XSS filter that browsers used to ship; current browsers have removed that filter (Chrome dropped its XSS Auditor, Firefox never had one), and helmet's current default sets the header to 0 to disable the legacy behaviour, so rely on Content-Security-Policy instead.
● Content-Security-Policy: prevents a wide range of attacks, including cross-site scripting and other cross-site injections, by restricting where scripts, styles and other resources may load from.
Use the helmet npm package: it sets these headers for you. If you are building an Express application, add helmet when you start the project, and review its default Content-Security-Policy, since a policy stricter than your own markup will block your inline scripts until you adjust it.