Secure Node Apps Against OWASP Top 10 – Cross Site Request Forgery – Scott Smith

Welcome to part 4 of the OWASP security series

  1. Injection
  2. Broken Authentication & Session Management
  3. Cross Site Scripting (XSS)
  4. Cross Site Request Forgery (CSRF)
  5. Using Components with Known Vulnerabilities (Coming soon)

In this multipart series, we will explore some of the OWASP top web application security flaws, including how they work and best practices to protect your application from them. The focus will be on Express web applications in Node, but the principles shown can be applied to any framework or environment.

This part will cover cross site request forgery (CSRF).

Express 3 Tutorial: Contact Forms with CSRF

This tutorial is a hands-on, practical introduction to writing Express 3 applications complete with CSRF protection. As a bonus, it should be fairly easy to install on Heroku.

Video: Everything You Ever Wanted To Know About Authentication in Node.js

Authentication is one of the least understood areas in web development — and there’s a lot to know!

In this screencast, Randall Degges, Stormpath Developer Evangelist, shares the best practices he learned while building Stormpath's Express.js authentication libraries. Learn how to safely log users into web applications and secure REST APIs, the low-level details that make this possible, and which Node libraries you should be using (and where).

- How HTTP authentication works (form based and API based)
- What are cookies, and how do they work?
- How do sessions work?
- What is the best way to store user state in Node applications?
- What sort of encryption should be used to secure client-side cookies?
- How to prevent CSRF vulnerabilities
- Where does SSL fit into the picture?
- Which Node.js authentication libraries are useful?

Randall Degges is a Developer Evangelist at Stormpath and a prominent Pythonista.

Prior to joining Stormpath, he founded and built OpenCNAM, the largest Caller ID API service in North America. He has been actively involved in Open Source for more than 10 years, and has built a variety of projects used by thousands of developers. He has also authored a book on Heroku, and frequently writes on his personal site. When he’s not coding, he lifts weights and spends time with his chihuahua, Scribbles, and his wife, Samantha.