Well, this title may seem misleading. This is not an article about the privacy of your apps or your content. We are not discussing how app companies steal your data and how you can prevent that. Actually, that seems a good thing to write on; we are saving it for next time!
So, what are we talking about? We are talking about how we can keep our secrets, the data we hold dear and do not want to disclose to anyone else, secure in a Node.js application from a development perspective.
Let’s take a scenario where you are connecting to an external API using a bunch of IDs and secret keys. You may not believe it, but it is very common for developers to accidentally commit their keys in the code. And when someone comes sniffing around (which they do, always!), you are in serious trouble.
We can store our secret keys and IDs in environment variables, which the application picks up once it runs. This way we do not compromise on security and still have easy access to the credentials. Also, since we do not hard-code the keys, we are more flexible in terms of using multiple credentials for troubleshooting.
If you use the command line, you can use export on a Macintosh or a Linux machine, and if you are using Windows, you use set. Then run your application as usual and you are ready to go!
If there are multiple environment variables, the best thing to do is to create a .env file using the dotenv package and set all the environment variables you want in it. To retrieve those variables, you use the process.env object.
var mode = process.env.mode; // 'TESTING'
var TECHUZAPIKEY = process.env.TECHUZAPIKEY; // 'bccd321kjlo90alrn'
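To make the two ways of supplying variables (export/set on the command line, or a .env file) concrete, here is an added example of a minimal dotenv-style loader. It is not Techuz's code and not the dotenv package itself; the function names (parseDotenv, loadEnv, requireEnv, maskSecret), the sample .env text and the API key value are all constructed for this example. It mirrors dotenv's default behaviour of never overriding a variable that is already set in the real environment, and adds the startup check a practitioner usually wants: fail fast when a required secret is missing, and never print a secret in full.

```javascript
// Added example: a minimal dotenv-style loader (not the dotenv package itself).
// Parses KEY=VALUE lines, merges them into an environment object without
// overriding values already set, and checks that required secrets are present.

// Parse the text of a .env file into a plain object.
// Supports blank lines, '#' comment lines, an optional "export " prefix,
// single- or double-quoted values, and a trailing "# comment" on unquoted values.
function parseDotenv(text) {
  const result = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === '' || line.startsWith('#')) continue;
    const match = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!match) continue; // ignore malformed lines rather than throwing
    const key = match[1];
    let value = match[2];
    const quoted = /^(['"])(.*)\1$/.exec(value);
    if (quoted) {
      value = quoted[2];
    } else {
      value = value.replace(/\s+#.*$/, '').trim(); // strip an inline comment
    }
    result[key] = value;
  }
  return result;
}

// Merge parsed values into an environment object (process.env by default)
// without overriding variables that are already set, so a value given with
// export/set on the command line always wins over the file.
function loadEnv(parsed, env = process.env) {
  for (const [key, value] of Object.entries(parsed)) {
    if (!(key in env)) env[key] = value;
  }
  return env;
}

// Fail fast at startup if a required secret is missing or empty, instead of
// letting the app run with an undefined key and fail later in a confusing way.
function requireEnv(names, env = process.env) {
  const missing = names.filter((name) => !env[name] || env[name].trim() === '');
  if (missing.length > 0) {
    throw new Error(`Missing required environment variables: ${missing.join(', ')}`);
  }
  return Object.fromEntries(names.map((name) => [name, env[name]]));
}

// Show only the last four characters of a secret when logging it.
function maskSecret(secret) {
  if (secret.length <= 4) return '****';
  return '*'.repeat(secret.length - 4) + secret.slice(-4);
}

// Constructed sample .env content; the key value is made up for this example.
const SAMPLE_DOTENV = [
  '# Techuz API settings',
  'mode=TESTING',
  "TECHUZAPIKEY='bccd321kjlo90alrn'",
  'export DB_HOST=localhost # inline comment',
  'EMPTY=',
].join('\n');

function demo() {
  // Use an isolated env object so the demo does not mutate the real process.env.
  const env = { mode: 'PRODUCTION' }; // pretend this was set with export/set
  loadEnv(parseDotenv(SAMPLE_DOTENV), env);
  const config = requireEnv(['mode', 'TECHUZAPIKEY', 'DB_HOST'], env);
  console.log('mode:', config.mode); // PRODUCTION, because the command line wins
  console.log('api key:', maskSecret(config.TECHUZAPIKEY)); // *************alrn
  return config;
}

demo();
```

Because loadEnv never overrides an existing variable, you can keep a .env file for development and still override a single key with export or set when troubleshooting, which is exactly the flexibility described above.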
One way of ensuring that you do not commit the .env file to git, for example, is by adding a .env line to the .gitignore file.
Although this blog focuses on one particular aspect of environment variables, we would like to highlight some of the best practices we follow at Techuz with respect to coding in Node.js so that it may benefit all:
Eval can play havoc, especially given recent code injection attacks; never pass unvalidated input to it.
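The usual reason eval creeps into Node.js code is to turn a string of settings into an object. The added example below (not Techuz's code; the schema, function name and sample inputs are constructed) shows the replacement: JSON.parse treats the input strictly as data, and an allowlist of keys and types rejects anything the application did not expect, including keys such as __proto__ that would quietly alter objects.

```javascript
// Added example: parsing user-supplied settings without eval().
// JSON.parse never executes code, and the schema allowlist rejects any key or
// type the application did not expect.

// Allowed setting names and the JavaScript type each must have (constructed).
const SETTINGS_SCHEMA = {
  mode: 'string',
  retries: 'number',
  verbose: 'boolean',
};

function parseSettings(input) {
  let data;
  try {
    data = JSON.parse(input); // data only; a string like "1+1" is a syntax error here
  } catch (err) {
    throw new Error('settings must be valid JSON');
  }
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    throw new Error('settings must be a JSON object');
  }
  const settings = {};
  for (const [key, value] of Object.entries(data)) {
    // hasOwnProperty so that inherited names such as "__proto__" or
    // "constructor" are not mistaken for schema entries
    if (!Object.prototype.hasOwnProperty.call(SETTINGS_SCHEMA, key)) {
      throw new Error(`unknown setting: ${key}`);
    }
    const expected = SETTINGS_SCHEMA[key];
    if (typeof value !== expected) {
      throw new Error(`setting ${key} must be a ${expected}`);
    }
    settings[key] = value;
  }
  return settings;
}

// Constructed inputs: one well-formed, the others as a client might send them.
console.log(parseSettings('{"mode": "TESTING", "retries": 3}'));
for (const bad of ['1+1', '{"mode": 1}', '{"__proto__": {"admin": true}}', '[1]']) {
  try {
    parseSettings(bad);
  } catch (err) {
    console.log(`rejected ${bad}: ${err.message}`);
  }
}
```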
Setting the proper flags on cookies can in itself help prevent attacks like cross-site scripting.
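To show what "proper flags" means in practice, here is an added example (not Techuz's code; the cookie name, value and helper names buildSetCookie and auditSetCookie are constructed) that builds a Set-Cookie header with HttpOnly, Secure and SameSite on by default, and audits an existing header to list which of those protections it lacks.

```javascript
// Added example: building a Set-Cookie header with secure defaults and
// auditing an existing header for the flags it is missing.

// Serialize a cookie. Defaults: HttpOnly keeps page scripts from reading the
// cookie, Secure restricts it to HTTPS, SameSite limits cross-site sending.
function buildSetCookie(name, value, options = {}) {
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) {
    throw new Error('invalid cookie name');
  }
  if (/[;,\s]/.test(value)) {
    throw new Error('cookie value must not contain ";", "," or whitespace');
  }
  const opts = { httpOnly: true, secure: true, sameSite: 'Strict', path: '/', ...options };
  const parts = [`${name}=${value}`, `Path=${opts.path}`];
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${Math.floor(opts.maxAge)}`);
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  return parts.join('; ');
}

// Audit an existing Set-Cookie header value and return the protections it lacks.
function auditSetCookie(header) {
  const attrs = header.split(';').slice(1).map((a) => a.trim().toLowerCase());
  const missing = [];
  if (!attrs.includes('httponly')) missing.push('HttpOnly');
  if (!attrs.includes('secure')) missing.push('Secure');
  if (!attrs.some((a) => a.startsWith('samesite='))) missing.push('SameSite');
  return missing;
}

// Constructed sample: a session cookie as a naive app might set it, beside
// the same cookie built with the defaults above.
const WEAK_HEADER = 'session=abc123; Path=/';
const STRONG_HEADER = buildSetCookie('session', 'abc123', { maxAge: 3600 });

console.log(STRONG_HEADER); // session=abc123; Path=/; Max-Age=3600; HttpOnly; Secure; SameSite=Strict
console.log('weak cookie is missing:', auditSetCookie(WEAK_HEADER).join(', '));
console.log('strong cookie is missing:', auditSetCookie(STRONG_HEADER).length === 0 ? 'nothing' : 'something');
```

In a real application the audit function is handy in a test that asserts every Set-Cookie header the server emits comes back with an empty list.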
Retire.js will help you look for known vulnerabilities in the module versions you use.
One can use an iptables redirect to forward requests from a privileged port to a local unprivileged port so that you do not have to run your processes with superuser rights.
We at Techuz take security very seriously, and all our code goes through stringent checks to see that it is safe and secure. We constantly monitor new threats that emerge from around the globe and continuously evolve our security systems to tackle them.
Get in touch to know more or just say Hi!