Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated: 1 00:00:01,300 --> 00:00:04,156 So, everything that we did in this section so far 2 00:00:04,156 --> 00:00:06,514 was to secure all application 3 00:00:06,514 --> 00:00:10,320 and our users' data as good as possible. 4 00:00:10,320 --> 00:00:12,290 And I talked about a lot of things 5 00:00:12,290 --> 00:00:14,170 we can do to achieve that. 6 00:00:14,170 --> 00:00:16,430 But all of this information was kind of 7 00:00:16,430 --> 00:00:18,860 spread out all over these lectures. 8 00:00:18,860 --> 00:00:21,311 So I decided to create this quick summary 9 00:00:21,311 --> 00:00:24,717 with many best practices that we already implemented 10 00:00:24,717 --> 00:00:26,960 and that we're still gonna implement 11 00:00:26,960 --> 00:00:28,860 in the rest of this section. 12 00:00:28,860 --> 00:00:32,100 Because security is so extremely important, 13 00:00:32,100 --> 00:00:36,010 but unfortunately, many courses don't address it enough. 14 00:00:36,010 --> 00:00:37,490 Now, I'm also not turning this 15 00:00:37,490 --> 00:00:40,660 Node.js course into a security course. 16 00:00:40,660 --> 00:00:44,170 There are better courses and experts for that. 17 00:00:44,170 --> 00:00:46,490 But I will show you a couple of things that 18 00:00:46,490 --> 00:00:51,490 you can do to properly secure your applications and data. 19 00:00:51,650 --> 00:00:54,200 And I'm gonna look at a couple of common attacks 20 00:00:54,200 --> 00:00:57,010 and give some suggestions to prevent them. 21 00:00:57,010 --> 00:01:00,780 And first up, we have the event of a compromised database, 22 00:01:00,780 --> 00:01:04,980 meaning that an attacker gained access to our database. 23 00:01:04,980 --> 00:01:07,970 Of course, this is an extremely severe problem, 24 00:01:07,970 --> 00:01:10,430 but to prevent even bigger problems, 25 00:01:10,430 --> 00:01:14,550 we must always encrypt passwords and password reset tokens 26 00:01:14,550 --> 00:01:17,660 just like we did in the videos in this section. 27 00:01:17,660 --> 00:01:19,800 This way, the attacker can't at least 28 00:01:19,800 --> 00:01:24,320 steal our users' passwords and also can't reset them. 29 00:01:24,320 --> 00:01:26,720 Now, about actually preventing attacks, 30 00:01:26,720 --> 00:01:29,110 let's talk about the brute force attack 31 00:01:29,110 --> 00:01:32,290 where the attacker basically tries to guess a password 32 00:01:32,290 --> 00:01:35,660 by trying millions and millions of random passwords 33 00:01:35,660 --> 00:01:37,850 until they find the right one. 34 00:01:37,850 --> 00:01:42,160 And what we can do is to make the login request really slow. 35 00:01:42,160 --> 00:01:44,586 And the bcrypt package that we're using 36 00:01:44,586 --> 00:01:47,020 actually does just that. 37 00:01:47,020 --> 00:01:50,180 Another strategy is to implement rate limiting, 38 00:01:50,180 --> 00:01:52,340 which limits the number of requests 39 00:01:52,340 --> 00:01:54,640 coming from one single IP. 40 00:01:54,640 --> 00:01:56,330 And this one we're gonna implement 41 00:01:56,330 --> 00:01:58,460 in one of the next videos. 42 00:01:58,460 --> 00:02:01,690 Also, a nice strategy is to actually implement 43 00:02:01,690 --> 00:02:05,470 a maximum number of login attempts for each user. 44 00:02:05,470 --> 00:02:07,660 For example, we could make it so that 45 00:02:07,660 --> 00:02:10,539 after 10 failed attempts, user would have to 46 00:02:10,539 --> 00:02:14,020 wait one hour until he can try again. 47 00:02:14,020 --> 00:02:16,360 Now, I'm not going to implement this functionality 48 00:02:16,360 --> 00:02:18,760 in this section, but please feel free 49 00:02:18,760 --> 00:02:21,340 to experiment with it on your own. 50 00:02:21,340 --> 00:02:24,350 It's probably a really cool learning experience 51 00:02:24,350 --> 00:02:26,120 to code this up by yourself, 52 00:02:26,120 --> 00:02:27,890 and it's actually not that hard. 53 00:02:27,890 --> 00:02:29,210 All right. 54 00:02:29,210 --> 00:02:32,580 Next up, there is the cross-site scripting attack, 55 00:02:32,580 --> 00:02:34,020 where the attacker tries to 56 00:02:34,020 --> 00:02:38,430 inject scripts into our page to run his malicious code. 57 00:02:38,430 --> 00:02:41,280 On the clients' side, this is especially dangerous 58 00:02:41,280 --> 00:02:44,810 because it allows the attacker to read the local storage, 59 00:02:44,810 --> 00:02:46,500 which is the reason why we should 60 00:02:46,500 --> 00:02:50,360 never ever store the JSON web token in local storage. 61 00:02:50,360 --> 00:02:54,110 Instead, it should be stored in an HTTP-only cookie 62 00:02:54,110 --> 00:02:55,950 that makes it so that the browser can 63 00:02:55,950 --> 00:02:58,110 only receive and send the cookie 64 00:02:58,110 --> 00:03:01,400 but cannot access or modify it in any way. 65 00:03:01,400 --> 00:03:04,360 And so, that then makes it impossible for any attacker 66 00:03:04,360 --> 00:03:08,460 to steal the JSON web token that is stored in the cookie. 67 00:03:08,460 --> 00:03:11,590 Again, we're implementing this in a second. 68 00:03:11,590 --> 00:03:15,780 Now, on the backend side, in order to prevent XSS attacks, 69 00:03:15,780 --> 00:03:18,170 we should sanitize user input data 70 00:03:18,170 --> 00:03:20,660 and set some special HTTP headers 71 00:03:20,660 --> 00:03:24,470 which make these attacks a bit more difficult to happen. 72 00:03:24,470 --> 00:03:27,040 And Express doesn't come with these best practices 73 00:03:27,040 --> 00:03:29,560 out of the box, so we're gonna use middleware 74 00:03:29,560 --> 00:03:31,713 to set all of these special headers. 75 00:03:32,710 --> 00:03:35,620 Next, we have denial-of-service attacks. 76 00:03:35,620 --> 00:03:37,510 And maybe you have heard of these. 77 00:03:37,510 --> 00:03:39,330 It happens when the attacker sends 78 00:03:39,330 --> 00:03:42,600 so many requests to a server that it breaks down 79 00:03:42,600 --> 00:03:45,450 and the application becomes unavailable. 80 00:03:45,450 --> 00:03:47,470 Again, implementing rate limiting 81 00:03:47,470 --> 00:03:49,530 is a good solution for this. 82 00:03:49,530 --> 00:03:51,970 Also, we should limit the amount of data 83 00:03:51,970 --> 00:03:55,810 that can be sent in a body in a post or a patch request. 84 00:03:55,810 --> 00:03:57,950 And also, we should avoid using 85 00:03:57,950 --> 00:04:01,110 so-called evil regular expressions to be in our code. 86 00:04:01,110 --> 00:04:03,590 And these are just regular expressions that take 87 00:04:03,590 --> 00:04:07,550 an exponential time to run for non-matching inputs and 88 00:04:07,550 --> 00:04:11,680 they can be exploited to bring our entire application down. 89 00:04:11,680 --> 00:04:15,960 Okay, next up, we have the NoSQL query injection attack. 90 00:04:15,960 --> 00:04:18,510 And query injection happens when an attacker, 91 00:04:18,510 --> 00:04:22,240 instead of inputting valid data, injects some query 92 00:04:22,240 --> 00:04:24,330 in order to create query expressions 93 00:04:24,330 --> 00:04:26,600 that are gonna translate to true. 94 00:04:26,600 --> 00:04:28,920 For example, to be logged in even without 95 00:04:28,920 --> 00:04:32,120 providing a valid username or password. 96 00:04:32,120 --> 00:04:33,380 It's a bit complex 97 00:04:33,380 --> 00:04:36,330 and you should definitely Google it to learn more. 98 00:04:36,330 --> 00:04:38,940 But what you need to know is that using Mongoose 99 00:04:38,940 --> 00:04:40,810 is actually a pretty good strategy 100 00:04:40,810 --> 00:04:43,300 for preventing these kind of attacks 101 00:04:43,300 --> 00:04:46,110 because a good schema forces each value 102 00:04:46,110 --> 00:04:48,410 to have a well-defined data tab. 103 00:04:48,410 --> 00:04:50,190 Which then effectively makes 104 00:04:50,190 --> 00:04:53,640 this type of attack very difficult to execute. 105 00:04:53,640 --> 00:04:56,000 However, it's always a good idea 106 00:04:56,000 --> 00:04:59,280 to still sanitize input data, just to be sure. 107 00:04:59,280 --> 00:05:02,300 And we will take care of that a bit later. 108 00:05:02,300 --> 00:05:04,360 All right, and now to finish, 109 00:05:04,360 --> 00:05:07,822 I just have a couple of best practices and suggestions 110 00:05:07,822 --> 00:05:10,150 on how to improve the authentication 111 00:05:10,150 --> 00:05:14,009 and authorization mechanisms that we implemented. 112 00:05:14,009 --> 00:05:16,350 So, the first thing I need to repeat 113 00:05:16,350 --> 00:05:18,760 over and over and over again 114 00:05:18,760 --> 00:05:21,370 is that in a production application, 115 00:05:21,370 --> 00:05:24,310 all communication between server and client 116 00:05:24,310 --> 00:05:26,980 needs to happen over HTTPS. 117 00:05:26,980 --> 00:05:30,010 Otherwise, anyone can listen into the conversation 118 00:05:30,010 --> 00:05:32,520 and steal our JSON web token. 119 00:05:32,520 --> 00:05:35,540 Next, always create random password tokens. 120 00:05:35,540 --> 00:05:38,660 Not generated from dates or something like that. 121 00:05:38,660 --> 00:05:40,920 Because they are effectively passwords 122 00:05:40,920 --> 00:05:43,470 and so, they should be treated as such. 123 00:05:43,470 --> 00:05:45,860 Plus, always give them expiry dates, 124 00:05:45,860 --> 00:05:47,750 just like we implemented it. 125 00:05:47,750 --> 00:05:48,910 All right? 126 00:05:48,910 --> 00:05:52,340 And we also implemented that a certain JSON web token 127 00:05:52,340 --> 00:05:56,480 is no longer valid after the user has changed his password. 128 00:05:56,480 --> 00:05:58,660 So, we basically revoke the token 129 00:05:58,660 --> 00:06:01,410 as soon as the user changes the password. 130 00:06:01,410 --> 00:06:04,070 Which makes a lot of sense, but again, 131 00:06:04,070 --> 00:06:07,650 many tutorials out there simply do not do that. 132 00:06:07,650 --> 00:06:10,470 Another big thing is to never ever commit 133 00:06:10,470 --> 00:06:14,060 a configuration file, like for environment variables, 134 00:06:14,060 --> 00:06:16,460 to a version control like Git. 135 00:06:16,460 --> 00:06:19,020 In fact, do not upload it anywhere 136 00:06:19,020 --> 00:06:20,500 because this file contains 137 00:06:20,500 --> 00:06:23,780 the most sensitive data of the entire application. 138 00:06:23,780 --> 00:06:26,340 For example, if someone gets access to 139 00:06:26,340 --> 00:06:28,260 your JSON web token secret, 140 00:06:28,260 --> 00:06:32,083 then your entire authentication process is compromised. 141 00:06:32,083 --> 00:06:35,950 Okay, and now just a small detail is to 142 00:06:35,950 --> 00:06:37,560 whenever there is an error, 143 00:06:37,560 --> 00:06:40,560 do not send the entire error to the client. 144 00:06:40,560 --> 00:06:44,010 So, stuff like the stack trace could give the attacker 145 00:06:44,010 --> 00:06:46,920 some valuable insights into your system, 146 00:06:46,920 --> 00:06:49,650 and so, of course, we don't want that. 147 00:06:49,650 --> 00:06:52,480 Next up, we can use the csurf package 148 00:06:52,480 --> 00:06:57,200 to fight a type of attack called Cross-Site Request Forgery, 149 00:06:57,200 --> 00:06:59,750 which is an attack that forces a user 150 00:06:59,750 --> 00:07:03,530 to execute unwanted actions on a web application 151 00:07:03,530 --> 00:07:05,330 in which they are currently logged in. 152 00:07:05,330 --> 00:07:07,600 We're not gonna do that in this section, though. 153 00:07:07,600 --> 00:07:10,140 But I still wanted to mention it here. 154 00:07:10,140 --> 00:07:12,280 Next, we could require the user to 155 00:07:12,280 --> 00:07:16,180 re-authenticate before performing a high-value action. 156 00:07:16,180 --> 00:07:19,730 For example, making a payment or deleting something. 157 00:07:19,730 --> 00:07:22,070 Again, this is just a suggestion 158 00:07:22,070 --> 00:07:23,810 that you can try out for yourself. 159 00:07:23,810 --> 00:07:26,630 Another cool feature that you can implement 160 00:07:26,630 --> 00:07:29,460 is a blacklist of untrusted tokens. 161 00:07:29,460 --> 00:07:31,660 So, we already know that there is not really 162 00:07:31,660 --> 00:07:34,910 a way to log users out of the application 163 00:07:34,910 --> 00:07:37,220 if they show some malicious activity. 164 00:07:37,220 --> 00:07:41,260 But what we can do is to create a list of untrusted tokens 165 00:07:41,260 --> 00:07:44,370 that are then validated on each request. 166 00:07:44,370 --> 00:07:47,920 And next up, a feature that we could have implemented is to 167 00:07:47,920 --> 00:07:51,810 confirm the email address after an account is first created. 168 00:07:51,810 --> 00:07:54,665 So, basically by sending a link to the user's email, 169 00:07:54,665 --> 00:07:57,520 like many real apps actually do. 170 00:07:57,520 --> 00:08:00,190 But I wanted to just keep things simple here, 171 00:08:00,190 --> 00:08:02,600 which is why I didn't do this here. 172 00:08:02,600 --> 00:08:05,400 But please feel free to just implement this yourself 173 00:08:05,400 --> 00:08:07,360 if you feel like it. 174 00:08:07,360 --> 00:08:09,900 Now, a big feature that many apps have 175 00:08:09,900 --> 00:08:12,580 is the concept of refresh tokens. 176 00:08:12,580 --> 00:08:15,050 Which are basically to remember users. 177 00:08:15,050 --> 00:08:17,150 So, to keep them logged in forever 178 00:08:17,150 --> 00:08:19,720 or until they choose to log out. 179 00:08:19,720 --> 00:08:22,170 Our current implementation makes it so that 180 00:08:22,170 --> 00:08:25,020 the user has to basically log in again 181 00:08:25,020 --> 00:08:27,480 after the JSON web token expires. 182 00:08:27,480 --> 00:08:30,720 But, with refresh tokens, that's no longer necessary. 183 00:08:30,720 --> 00:08:33,490 And it's a bit complex to implement and so, 184 00:08:33,490 --> 00:08:35,342 it's a feature for another time. 185 00:08:36,270 --> 00:08:37,950 And finally, the last one 186 00:08:37,950 --> 00:08:41,530 that we could have implemented is two-factor authentication, 187 00:08:41,530 --> 00:08:43,770 which I'm sure you're familiar with. 188 00:08:43,770 --> 00:08:46,079 Basically, with two-factor authentication, 189 00:08:46,079 --> 00:08:48,750 after logging into the application, 190 00:08:48,750 --> 00:08:50,050 the user needs to perform 191 00:08:50,050 --> 00:08:53,110 a second action to really get authenticated. 192 00:08:53,110 --> 00:08:55,750 And typically, that is to insert a code 193 00:08:55,750 --> 00:08:58,980 sent via text message to a mobile phone. 194 00:08:58,980 --> 00:09:01,420 So, these are a lot of functionalities 195 00:09:01,420 --> 00:09:03,580 our authentication could have. 196 00:09:03,580 --> 00:09:05,730 And if you want me to implement any of them, 197 00:09:05,730 --> 00:09:08,160 please let me know so in the Q&A section. 198 00:09:08,160 --> 00:09:10,640 And, if there is a lot of demand for one of them, 199 00:09:10,640 --> 00:09:12,740 then I will show you how it works. 200 00:09:12,740 --> 00:09:15,210 Okay, but again, I didn't want to 201 00:09:15,210 --> 00:09:17,270 turn this Node.js course into 202 00:09:17,270 --> 00:09:20,760 a whole security and authentication course. 203 00:09:20,760 --> 00:09:24,230 And just to finish, something that we will implement 204 00:09:24,230 --> 00:09:26,200 in the rest of the section is 205 00:09:26,200 --> 00:09:28,320 to prevent parameter pollution. 206 00:09:28,320 --> 00:09:32,450 For example, try to just insert two field parameters 207 00:09:32,450 --> 00:09:36,030 into the query string that searches for all tours. 208 00:09:36,030 --> 00:09:38,290 And if you do that, you will find that 209 00:09:38,290 --> 00:09:39,770 there will be an error because 210 00:09:39,770 --> 00:09:42,150 our application is not prepared for that. 211 00:09:42,150 --> 00:09:45,790 And so, attackers try to use these kinds of weaknesses 212 00:09:45,790 --> 00:09:49,330 to crash applications, which is, of course, not good. 213 00:09:49,330 --> 00:09:51,530 And so, we need to fix that. 214 00:09:51,530 --> 00:09:56,286 Okay, so this turned out to be a lot longer than I expected. 215 00:09:56,286 --> 00:09:59,231 And there are entire courses about security 216 00:09:59,231 --> 00:10:01,560 if you're really into security. 217 00:10:01,560 --> 00:10:04,074 All right, but I am leaving it at this, 218 00:10:04,074 --> 00:10:07,283 and so, let's now move on right to the next one. 17546