The Node.js Secure Coding Blog

Learn how to use JSON Web Tokens (JWT) securely in your Node.js applications. I'll cover the basics of JWT and share best practices to avoid common security mistakes.

Half a dozen secure code review comments and none of them mentioned the potential security vulnerability that exists in the code snippet. Let's dive into a Node.js secure code review and see if you can spot the security bug you totally missed.

Even if you follow security best practices and choose bcrypt for password hashing you can still get it wrong. How does Bun handle it in a more secure fashion? What happened with the Okta bcrypt incident? Lets dive in.

How about a more offensive side of security? Check out a NodeJS path traversal vulnerability scanner.

Stop storing secrets in environment variables. It's a bad practice and only fits hobby or side projects with no real business impact. Here are all the reasons why you should never store secrets in environment variables and how to do it better.

Getting started with the npm audit command and learn why it's not enough and how to advance your project's security posture with more robust security tools like Snyk.

Better some security than none at all. If you're using Yarn package manager, learn about `yarn audit` and how to use it to check for vulnerabilities in your dependencies.

Have I gone mad? Do I actually recommend not using an ORM and actually gaining a security advantage? Sort of. It's more nuanced but if we're trying to fix SQL injection and related vulnerabilities then I invite you to take a read.

Briefly exploring core concepts around Node API security with regards to GraphQL and REST API design with code examples specific to Node.js application servers.

Briefly exploring the Node.js threat model to draw some opinions on whether Node.js is secure or not.