Review: Essential Node.js Security by Liran Tal

In today’s digital age, ensuring the security of web applications has become an increasingly crucial aspect of software development. To broaden my knowledge, I have read “Essential Node.js Security,” written by a renowned GitHub Star and Director of Developer Advocacy at Snyk, Liran Tal. I am now eager to share my thoughts on this comprehensive guide.

Before we start, I have a confession to make. I am still pretty new to both the MEAN and MERN stacks, as I have been using LAMP for the majority of my career. Luckily for me, you don’t have to be a Node.js professional in order to read, understand, and enjoy the book. It truly is one of those books that makes you wonder why you didn’t come across it earlier. I felt the same when I first learned about this book. Essential Node.js Security is a hands-on, thorough guide for securing web applications based on Node.js and ExpressJS. It does not, however, apply only to this ecosystem, as the majority of the topics covered in this book apply to web development in general. 

Let’s first start by introducing the author, Liran Tal. Liran is a software developer and a GitHub Star, and currently he is leading the Developer Advocacy team at Snyk, where he engages developers about open source security in various ways, from picking up the right engineering tools to educating them and making them aware of what the current threats are. I myself was first introduced to Liran’s activities through my friend, Randall Degges, and have been following them ever since.

The Essential Node.js Security book is well structured and divided into 8 chapters. Each of them is talking about different concepts one has to deal with when developing a web. As this book serves as a guide, there is no particular order in which you have to read it. If, for example, you are interested in how Cross-Site Request Forgery (CSRF) works and how to prevent it, you can jump straight to it without the need to read the previous chapters. I would still encourage you to read the whole book, as it will give you a comprehensive overview of the core concepts of web security.

Some of the topics this book covers are:

  • HTTP Header Security
  • Secure Session Management
  • Hardening ExpressJS
  • Cross-Site Request Forgery (CSRF)
  • Cross-Site Scripting (XSS)
  • Secure Code Guidelines
  • Injection Flaws
  • Secure Dependency Management

Each chapter consists of an explanation of the concept while highlighting possible risks and providing solutions. Most of the solutions use security packages that can be installed using the npm package manager, and all the source code used in the book is available in the public repository. The author has been super active in regards to getting feedback and improving the contents of the book.

What I personally love is that the book contains a lot of helpful tips as well as fun facts. For example, did you know what CAPTCHA stands for? It’s short for “Completely Automated Public Turing Test To Tell Computers and Humans Apart.” Thank God we have an acronym for it!

Some time ago, I wrote an article about securing cookies. I was more than happy to see that the problems I mentioned in my article, were covered by the book as well. In fact, this book is full of security and programming best practices with the emphacise on validating inputs and proper sanitization.

In short, this is a must-read book for any web developer (both beginners and experienced) interested in secure development, and after reading this book, you should be able to:

  • Understand the security concepts used in the web development
  • Get familiar with the middleware packages used in Express.js to solve the common security issues
  • Understand two of the most frequent web exploits (CSRF and XSS) and how to combat them
  • Secure your code against code injections by proper sanitization
  • Get familiar with secure code guidelines
  • Use state of the art tools for secure dependency management

Btw, Liran is regularly posting cybersecurity and software development tweets and content on his Twitter. If you are interested in these topics, I encourage you to follow him.

If you have read so far, you might want to follow me here on Hashnode. Feel free to connect with me over at LinkedIn or Mastodon.