Building Secure Applications with JavaScript and TypeScript Security Best Practices

Kinanee Samson - Jan 5 '23 - Dev Community

The use of JavaScript and TypeScript for web development is becoming increasingly popular due to the flexibility and scalability that each language offers. Everybody is using TypeScript because of the obvious benefits that come with the tool; however, with the rise in JavaScript and TypeScript usage, security problems have been on the rise as well. If you give people too much power, be ready to watch them cause a lot of damage with it. To ensure the safety of your web applications, it’s important to adhere to the best practices for security.

We will go over some of the best practices that you could employ to secure your JavaScript/TypeScript application from malicious users. Here's a brief summary of what we will discuss:

  • Keep your application up to date.
  • Principle of least privilege.
  • Use Strict Mode
  • Validate all user input.
  • Encrypt sensitive information
  • Rate limiting Requests

Keep your application up to date

One of the most important security best practices you could employ is keeping your code up to date. This is the simplest thing you can do to ensure that your application is secure. This includes making sure you’re using the latest version of JavaScript and TypeScript and that you’re using the latest security patches. You should also regularly check for any known vulnerabilities in the libraries you’re using and update them to the latest versions.

Principle of least privilege.

Another important security practice is to use the least privileged access to resources. This involves granting users the least amount of access necessary to perform their tasks, which helps to limit the potential damage that could be caused if an attack were to occur. There's no need to expose more data than is required. This works very well with relational databases, especially ones where data is properly normalized. It can also be achieved easily if you are using GraphQL: you only fetch the required fields while the others are hidden away safely.

Use Strict Mode

I highly discourage the use of JavaScript for application development; however, if you feel the need to do so, then you should always ensure that you keep strict mode on when developing with JavaScript. JavaScript's strict mode is a way to opt in to a restricted variant of JavaScript, thereby implicitly opting out of "sloppy mode". In strict mode, you cannot use a variable/function before you declare it, you cannot extend an inextensible object with new properties, and you cannot assign a value to non-writable data, e.g. NaN or undefined. Read up more on strict mode.

Validate all user input.

Additionally, you should be sure to properly validate user input. This helps to prevent malicious code from being executed on the server. This cannot be overstated: ensure that you validate all inputs that you are collecting from a user, and don't make the dumb assumption that all your users are good and they all like you! When it comes to handling user input, you should handle validation as if your app was going to be hacked every single time a user submits an input. There are several data validation libraries out there, but Zod is making waves right now and for a good reason!

Encrypt sensitive information

You should also be sure to use secure encryption algorithms and protocols to protect any sensitive data that is being transmitted. Additionally, it’s important to follow the principle of least privilege when it comes to user authentication. All user details that shouldn't reach the eyes of a hacker should be encrypted or hashed! Passwords, credit card numbers and all sensitive information that could cause a user serious damage if breached should be encrypted or hashed. This way, even if there's a leak, the hackers will have to find a way to crack the hashed or encrypted data. You can use libraries like crypto-js for advanced data encryption, or you can use bcrypt for simple password hashing.

Rate limiting Requests

Rate limiting is a technique used to restrict the frequency of user requests to a web service or application. This can be done to reduce the strain on the server and also to prevent malicious bots from taking actions such as scraping, brute force, credential stuffing, or denial of service (DoS). By setting a limit on the number of requests allowed, rate limiting can help protect sites from malicious attacks. The application, rather than the web server, is where rate limiting usually occurs. Usually, rate limiting is done by recording the IP addresses from where the requests are sent and monitoring the amount of time between each request.
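One way to implement the per-IP tracking described above, as an added example that is not from the original post: a sliding-window limiter that records request timestamps per IP address. The class and method names, the limits and the sample IPs (documentation ranges) are assumptions made for illustration.

```javascript
// Added example: sliding-window rate limiter keyed by client IP.
// Class name, method names and limits are illustrative assumptions.
class SlidingWindowLimiter {
  constructor({ limit, windowMs, now = Date.now }) {
    this.limit = limit;       // max accepted requests per window
    this.windowMs = windowMs; // window length in milliseconds
    this.now = now;           // injectable clock, so behaviour is testable
    this.hits = new Map();    // ip -> timestamps (ms) of accepted requests
  }

  // Decide one request from `ip`: returns { allowed, remaining, retryAfterMs }.
  check(ip) {
    const t = this.now();
    const cutoff = t - this.windowMs;
    // Keep only the timestamps that still fall inside the window.
    const recent = (this.hits.get(ip) || []).filter((ts) => ts > cutoff);
    this.hits.set(ip, recent);
    if (recent.length >= this.limit) {
      // Rejected requests are not recorded; the oldest hit expires first.
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + this.windowMs - t };
    }
    recent.push(t);
    return { allowed: true, remaining: this.limit - recent.length, retryAfterMs: 0 };
  }

  // Drop idle clients so the map cannot grow without bound.
  sweep() {
    const cutoff = this.now() - this.windowMs;
    for (const [ip, stamps] of this.hits) {
      if (stamps.every((ts) => ts <= cutoff)) this.hits.delete(ip);
    }
    return this.hits.size;
  }
}

// Constructed scenario: 3 requests per 10 s, driven by a fake clock.
function demo() {
  let clock = 0;
  const limiter = new SlidingWindowLimiter({ limit: 3, windowMs: 10000, now: () => clock });
  const requests = [ // [time in ms, client IP], constructed sample data
    [0, "203.0.113.7"], [1000, "203.0.113.7"], [2000, "203.0.113.7"],
    [3000, "203.0.113.7"], [3000, "198.51.100.2"], [10500, "203.0.113.7"],
  ];
  return requests.map(([at, ip]) => { clock = at; return limiter.check(ip).allowed; });
}
```

The state here is in memory and per process, so several application instances need a shared store to enforce one limit. Behind a reverse proxy the socket address is the proxy's, so the key must come from a forwarding header set by a proxy you trust.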
