{"id":7802,"date":"2025-03-25T11:13:16","date_gmt":"2025-03-25T04:13:16","guid":{"rendered":"https:\/\/www.briswell-vn.com\/?p=7802"},"modified":"2025-03-25T11:13:16","modified_gmt":"2025-03-25T04:13:16","slug":"secure-coding-va-cac-phuong-phap-tot-nhat-de-xay-dung-ung-dung-an-toan","status":"publish","type":"post","link":"https:\/\/www.briswell-vn.com\/en\/news\/secure-coding-va-cac-phuong-phap-tot-nhat-de-xay-dung-ung-dung-an-toan\/","title":{"rendered":"SECURE CODING AND BEST METHODS FOR BUILDING SECURE APPLICATIONS"},"content":{"rendered":"

<\/p>\n

Introduction to secure coding<\/h2>\n

Secure coding is the process of writing highly secure source code, minimizing vulnerabilities to prevent attacks from intruders or hackers, focusing on writing code, and developing applications safely.<\/p>\n

Insecure code is the main source of many security problems in software. Errors in the code can lead to serious problems such as security vulnerabilities<\/span>, intrusions, unauthorized access to data, and even harm to systems and users. Secure coding ensures that applications and systems are written correctly and securely from development to deployment.<\/p>\n

Why is secure coding important?<\/h2>\n

Secure coding is an extremely important aspect of software development as it plays an important role in protecting applications and systems from attacks and security vulnerabilities<\/span>. Here are a few reasons why secure coding is important:<\/p>\n

    \n
  1. Data Protection: Secure coding protects the data of users and organizations from unauthorized access, alteration, or theft. If applications are not securely coded<\/span>, sensitive information can be exposed, leading to serious consequences, including financial loss<\/span>, organizational reputation damage<\/span>, and violation of data security regulations.<\/span><\/li>\n
  2. Prevent attacks: Secure coding reduces the possibility of attacks from intruders or hackers. By processing and filtering input data, we can prevent common attacks such as SQL injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Command Injection, Cross-Site Script Inclusion (XSSI), Server-Side Request Forgery (SSRF), etc.<\/li>\n
  3. Ensure Availability and Reliability: Applications written in secure coding will work more stably and reliably. Minimizing bugs and security vulnerabilities<\/span> helps the application avoid unexpected problems, and ensures system availability.<\/li>\n
  4. Damage mitigation: An application that is not written securely can be hacked and cause serious damage to the system and users. The implementation of secure coding helps to reduce the risk and extent of damage in the event of an attack.<\/li>\n
  5. Compliance with security regulations and standards: Secure coding helps meet organizational and industry security standards and requirements. Many sectors, like healthcare and finance, have strict requirements for data security and protection. The adoption of secure coding is necessary to comply with these regulations and avoid penalties for privacy and security violations.<\/li>\n
  6. Building trust and reputation: The safety and security of the application contribute to building trust and a positive reputation for the organization. Users and customers will have more confidence in the application they use if it is secure.<\/li>\n<\/ol>\n

    In short, secure coding is a core element in protecting applications and systems from attacks and security vulnerabilities<\/span>. It<\/span> ensure<\/span>s<\/span> the security and reliability of the software, and protects user and organization data, while also meeting security requirements and standards.<\/p>\n

    Important principles and methods in secure coding<\/h2>\n

    Input Validation<\/h3>\n

    All input data should be checked by both client and server before performing other tasks.<\/p>\n

    Failed data validation should be rejected immediately and no further processing is performed. Returns an invalid input message to the user.<\/p>\n

    Navigation handlers that take data such as GET a file should not be processed directly from user input but should be obtained via a constant such as file_id.<\/span><\/p>\n

    Below is the Nodejs code using the Express.js framework.<\/p>\n

    + Correct program<\/strong><\/p>\n

    const<\/span> express = require<\/span>('express'<\/span>); \r\nconst<\/span> fs = require<\/span>('fs\/promises'<\/span>); \r\nconst<\/span> app = express<\/span>(); \r\nconst<\/span> port = 3000<\/span>;\r\n\r\nenum File { \r\n  1: 'example.txt', \r\n  2: 'example2.txt' \r\n}\r\n\r\n\/\/ Route to get data from file<\/span>\r\napp.get<\/span>('\/file'<\/span>, async<\/span> (req, res) => { \r\n  if (isNaN(req.query.fileId)) { \r\n    return res.status(400).send('fileId must be a numeric value'); \r\n  }\r\n \r\n  try<\/span> { \r\n    const filePath = `.\/files\/${File[req.query.fileId]}`;<\/span> \r\n \r\n    \/\/ Read the contents of the file<\/span>\r\n    const<\/span> fileContent = await<\/span> fs.readFile<\/span>(filePath, 'utf-8'<\/span>); \r\n \r\n    res.status<\/span>(200<\/span>).send<\/span>(fileContent); \r\n  } catch<\/span> (error) { \r\n    res.status<\/span>(500<\/span>).send<\/span>('An error occurred while reading the file.'<\/span>); \r\n  } \r\n}); \r\n \r\napp.listen<\/span>(port, () =><\/span> {  console<\/span>.log<\/span>(`Server running ${port}<\/span>`<\/span>); });<\/pre>\n
    In this example, we use the fileId the user sends up to get the file path we want to access. This helps to ensure that we are not directly pulling the filename from the user data, thereby avoiding security issues such as unwanted access holes.<\/p>\n
    + Wrong program<\/strong><\/p>\n
    const<\/span> express = require<\/span>('express'<\/span>); \r\nconst<\/span> fs = require<\/span>('fs\/promises'<\/span>); \r\nconst<\/span> app = express<\/span>(); \r\nconst<\/span> port = 3000<\/span>;  \r\n \r\n\/\/ Route to get data from file<\/span>\r\napp.get<\/span>('\/file'<\/span>, async<\/span> (req, res) => {  \r\n  try<\/span> {  \r\n    \/\/ Uses the filename from user input and reads the file's contents<\/span>\r\n    const<\/span> fileContent = await<\/span> fs.readFile<\/span>(req.body.fileName, 'utf-8'<\/span>); \r\n \r\n    res.status<\/span>(200<\/span>).send<\/span>(fileContent); \r\n  } catch<\/span> (error) { \r\n    res.status<\/span>(500<\/span>).send<\/span>('An error occurred while reading the file.'<\/span>); \r\n  } \r\n}); \r\n \r\napp.listen<\/span>(port, () =><\/span> {  console<\/span>.log<\/span>(`Server running ${port}<\/span>`<\/span>); });<\/pre>\n
    In this example, we used the filename from user-supplied data. This will suffer from security issues such as unwanted access vulnerabilities.<\/p>\n
    Output Encoding<\/h3>\n
    All output data that needs to be encoded can use HTML entity encoding\u00a0to perform data encoding against Cross-site Scripting (XSS) vulnerabilities.<\/p>\n
    Cleaning removes data related to operating system commands to avoid errors related to Command injection.<\/p>\n
    Suppress data on display against data SQL queries that help protect against SQL Injection related vulnerabilities.<\/p>\n
    Below is the Nodejs code using the Express.js framework.<\/p>\n
    + Correct program<\/strong><\/p>\n
    const<\/span> express = require<\/span>('express'<\/span>); \r\nconst<\/span> escapeHtml = require<\/span>('escape-html'<\/span>);\r\nconst<\/span> app = express<\/span>(); \r\nconst<\/span> port = 3000<\/span>; \r\n \r\napp.get<\/span>('\/customerProfile'<\/span>, (req, res<\/span>) =><\/span> { \r\n  const<\/span> customer = { \r\n    name<\/span>: \"test\"<\/span>, \r\n    note<\/span>: \"<script>alert('XSS attack!');<\/script>\"<\/span> \r\n  }; \r\n \r\n  const<\/span> encodedCustomerNote = escapeHtml(customer.note);\r\n \r\n  res.send<\/span>(` \r\n    <h1>Hello, ${customer.name}<\/span>!<\/h1> \r\n    <p>${encodedCustomerNote}<\/span><\/p> `\r\n<\/span>  ); \r\n}); \r\n \r\napp.listen<\/span>(port, () =><\/span> {  console<\/span>.log<\/span>(`Server running ${port}<\/span>`<\/span>); });<\/pre>\n
    In the above code, we used the escape-html library to encode the content of customer.note before putting it into HTML. This ensures that any malicious JavaScript code will be encrypted and displayed as regular, non-executable text.<\/p>\n
    + Wrong program<\/strong><\/p>\n
    const<\/span> express = require<\/span>('express'<\/span>); \r\nconst<\/span> app = express<\/span>(); \r\nconst<\/span> port = 3000<\/span>; \r\n\r\napp.get<\/span>('\/customerProfile'<\/span>, (req, res<\/span>) =><\/span> { \r\n const<\/span> customer = { \r\n   name<\/span>: \"test\"<\/span>, \r\n   note<\/span>: \"<script>alert('XSS attack!');<\/script>\"<\/span> \r\n }; \r\n \r\n res.send<\/span>(` \r\n   <h1>Hello, ${customer.name}<\/span>!<\/h1> \r\n   <p>${customer.note<\/span>}<\/span><\/p> `\r\n<\/span> ); \r\n}); \r\n \r\napp.listen<\/span>(port, () =><\/span> {  console<\/span>.log<\/span>(`Server running ${port}<\/span>`<\/span>); });<\/pre>\n
    In the above code, we are returning the customer\u2019s personal information. However, the customer.note variable contains a malicious piece of JavaScript code that will be executed when the browser displays it, causing an XSS attack.<\/p>\n
    Authentication and Password Management<\/h3>\n
    Authentication is required for critical resources that are not publicly accessible. Public resources such as CSS, js, etc. do not need to be authenticated.<\/p>\n
    Can use the provided authentication mechanisms such as Oauth2 or Google authentication<\/span>, Facebook authentication, etc.<\/p>\n
    Need to encrypt the password can use the provided reputable library.<\/p>\n
    When logging in, if the user enters the wrong username or password instead of specifically saying “the user has the wrong username” or “the user has entered the wrong password” just notify that “the user entered the wrong login information” to avoid collecting information from hackers.<\/p>\n
    An authentication mechanism should be implemented before external systems connect to our system to get data (via API, web service, etc.).<\/p>\n
    Use HTPP POST for authentication requests and the password shows up as *** unreadable.<\/p>\n
    It is recommended to use strong passwords for accounts such as having at least one uppercase letter, one lowercase letter, one number, one special character, and at least 8 characters in length.<\/p>\n
    The password reset link should have a short expiration time.<\/p>\n
    Need to set up a 2FA authentication mechanism for important tasks.<\/p>\n
    Set password change frequency and password re-use mechanism.<\/p>\n
    Request a temporary password change on the first login and set up a mechanism to lock the account after a number of incorrect credentials.<\/p>\n
    Below is the Nodejs code using the Express.js framework.<\/p>\n
    + Correct program<\/strong><\/p>\n
    const<\/span> express = require<\/span>('express'<\/span>); \r\nconst<\/span> bcrypt = require<\/span>('bcrypt'<\/span>); \r\nconst<\/span> app = express<\/span>(); \r\nconst<\/span> port = 3000<\/span>; \r\n \r\n\/\/ Assume this is a database that stores user information<\/span>\r\nconst<\/span> users = []; \r\n \r\napp.use<\/span>(express.json<\/span>()); \r\n \r\n\/\/ User registration<\/span>\r\napp.post<\/span>('\/register'<\/span>, async<\/span> (req, res) => {\r\n const<\/span> { username, password } = req.body<\/span>; \r\n \r\n \/\/ Check if the user already exists<\/span> \r\n if<\/span> (users.find<\/span>(user<\/span> =><\/span> user.username<\/span> === username)) {\r\n   return<\/span> res.status<\/span>(400<\/span>).json<\/span>({ error<\/span>: 'User already exists.'<\/span> }); \r\n } \r\n \r\n \/\/ Encrypt password before saving to database<\/span>\r\n const<\/span> hashedPassword = await<\/span> bcrypt.hash<\/span>(password, 10<\/span>); \r\n \r\n \/\/ Save user information to the database<\/span> \r\n users.push<\/span>({ username, password<\/span>: hashedPassword }); \r\n  \r\n return<\/span> res.status<\/span>(201<\/span>).json<\/span>({ message<\/span>: 'Sign Up Success.'<\/span> }); \r\n}); \r\n \r\n\/\/ Login<\/span>\r\napp.post<\/span>('\/login'<\/span>, async<\/span> (req, res) => { \r\n const<\/span> { username, password } = req.body<\/span>; \r\n \r\n \/\/ Find users in the database<\/span>\r\n const<\/span> user = users.find<\/span>(user<\/span> =><\/span> user.username<\/span> === username); \r\n if<\/span> (!user) { \r\n  return<\/span> res.status<\/span>(401<\/span>).json<\/span>({ error<\/span>: 'User entered incorrect login information.'<\/span> }); \r\n } \r\n \r\n \/\/ Compare encrypted passwords<\/span> \r\n const<\/span> isPasswordValid = await<\/span> bcrypt.compare<\/span>(password, user.password<\/span>); \r\n if<\/span> (!isPasswordValid) { \r\n  return<\/span> res.status<\/span>(401<\/span>).json<\/span>({ error<\/span>: 'User entered incorrect login information.'<\/span> }); \r\n } \r\n\r\n return<\/span> res.status<\/span>(200<\/span>).json<\/span>({ message<\/span>: 'Logged in successfully.'<\/span> }); \r\n});\r\n \r\napp.listen<\/span>(port, () =><\/span> {  console<\/span>.log<\/span>(`Server running ${port}<\/span>`<\/span>); });<\/pre>\n
    In the above code:<\/p>\n
    When a user registers, the password is encrypted before being saved to the database ensuring that the password is not saved as plain text in the database, increasing the security of the application.<\/p>\n
    When the user logs in, we check the entered password by comparing it with the encrypted password in the database and if the user enters the wrong username or password, we will output the general message \u2018User entered incorrect login information.\u2019 to avoid collecting information from hackers.<\/p>\n
    + Wrong program<\/strong><\/p>\n
    const<\/span> express = require<\/span>('express'<\/span>); \r\nconst<\/span> bcrypt = require<\/span>('bcrypt'<\/span>); \r\nconst<\/span> app = express<\/span>(); \r\nconst<\/span> port = 3000<\/span>; \r\n\r\n\/\/ Assume this is a database that stores user information<\/span>\r\nconst<\/span> users = []; \r\n\r\napp.use<\/span>(express.json<\/span>()); \r\n\r\n\/\/ User registration<\/span>\r\napp.post<\/span>('\/register'<\/span>, async<\/span> (req, res) => {\r\n const<\/span> { username, password } = req.body<\/span>; \r\n\r\n \/\/ Check if the user already exists<\/span>\r\n if<\/span> (users.find<\/span>(user<\/span> =><\/span> user.username<\/span> === username)) {\r\n  return<\/span> res.status<\/span>(400<\/span>).json<\/span>({ error<\/span>: 'User already exists.'<\/span> }); \r\n } \r\n\r\n \/\/ Save user information without password encryption into the database<\/span>\r\n users.push<\/span>({ username, password<\/span>}); \r\n \r\n return<\/span> res.status<\/span>(201<\/span>).json<\/span>({ message<\/span>: 'Sign Up Success.'<\/span> }); \r\n}); \r\n\r\n\/\/ Login<\/span> \r\napp.post<\/span>('\/login'<\/span>, async<\/span> (req, res) => { \r\n const<\/span> { username, password } = req.body<\/span>; \r\n\r\n \/\/ Find users in the database<\/span>\r\n const<\/span> user = users.find<\/span>(user<\/span> =><\/span> user.username<\/span> === username); \r\n if<\/span> (!user) { \r\n  return<\/span> res.status<\/span>(401<\/span>).json<\/span>({ error<\/span>: 'User entered incorrect username information.'<\/span> }); \r\n } \r\n\r\n \/\/ Compare passwords<\/span>\r\n if<\/span> (password !== user.password<\/span>) { \r\n  return<\/span> res.status<\/span>(401<\/span>).json<\/span>({ error<\/span>: 'User entered incorrect password information'<\/span> }); \r\n } \r\n\r\n return<\/span> res.status<\/span>(200<\/span>).json<\/span>({ message<\/span>: 'Logged in successfully.'<\/span> }); \r\n});\r\n\r\napp.listen<\/span>(port, () =><\/span> {  console<\/span>.log<\/span>(`Server running ${port}<\/span>`<\/span>); });<\/pre>\n
    In the above code:<\/p>\n
    When a user registers, the password is not encrypted before being saved to the database and violates the security of the application.<\/p>\n
    When a user logs in and enters an incorrect username or password information, the security problem is a specific error such as: \u201cUser entered incorrect username information.\u201d or \u201cUser entered incorrect password information\u201d.<\/p>\n
    Session Management<\/h3>\n
    Generation of sessions using identifiers must ensure randomness and avoid session sniffing or guessing attacks.<\/p>\n
    When logging out, the session should be terminated immediately.<\/p>\n
    The logout function must be available on all authenticated sites so that users can log out whenever they have successfully authenticated.<\/p>\n
    Do not allow the session to exist simultaneously with the same user to ensure the restriction of unauthorized access.<\/p>\n
    When re-authenticating still need to make sure to create a session with a new identifier to ensure it does not match the old session.<\/p>\n
    Should set the lifetime for a session.<\/p>\n
    Below is the Nodejs code using the Express.js framework.<\/p>\n
    + Correct program<\/strong><\/p>\n
    const<\/span> express = require<\/span>('express'<\/span>); \r\nconst<\/span> session = require<\/span>('express-session'<\/span>); \r\nconst<\/span> app = express<\/span>(); \r\nconst<\/span> port = 3000<\/span>; \r\n \r\n\/\/ Use session middleware<\/span> \r\napp.use<\/span>(session<\/span>({ \r\n secret<\/span>: 'secretKey'<\/span>, \r\n resave<\/span>: true<\/span>, \r\n saveUninitialized<\/span>: true,\r\n cookie: { maxAge: 86400000) }<\/span>\r\n})); \r\n \r\napp.use<\/span>(express.json<\/span>()); \r\n \r\n\/\/ Assume this is a database that stores user information<\/span>\r\nconst<\/span> users = [ { username<\/span>: 'test'<\/span>, password<\/span>: 'password_hash'<\/span> } ]; \r\n \r\n\/\/ Check if user is logged in<\/span>\r\nfunction<\/span> isAuthenticated<\/span>(req, res, next<\/span>) { \r\n if<\/span> (req.session<\/span> && req.session<\/span>.username<\/span>) { \r\n  return<\/span> next<\/span>(); \r\n }\r\n return<\/span> res.status<\/span>(401<\/span>).json<\/span>({ error<\/span>: 'You need to log in to continue.'<\/span> }); \r\n} \r\n \r\n\/\/ Login<\/span>\r\napp.post<\/span>('\/login'<\/span>, (req, res<\/span>) =><\/span> { \r\n const<\/span> { username, password } = req.body<\/span>; \r\n const<\/span> user = users.find<\/span>(user<\/span> =><\/span> user.username<\/span> === username); \r\n if<\/span> (!user || user.password<\/span> !== password) { \r\n  return<\/span> res.status<\/span>(401<\/span>).json<\/span>({ error<\/span>: 'Incorrect username or password.'<\/span> }); \r\n } \r\n \r\n req.session<\/span>.username<\/span> = username; \r\n return<\/span> res.status<\/span>(200<\/span>).json<\/span>({ message<\/span>: 'Logged in successfully.'<\/span> }); \r\n}); \r\n  \r\n\/\/ Show user information after login<\/span>\r\napp.get<\/span>('\/profile'<\/span>, isAuthenticated, (req, res<\/span>) =><\/span> { \r\n const<\/span> username = req.session<\/span>.username<\/span>; \r\n return<\/span> res.status<\/span>(200<\/span>).json<\/span>({message<\/span>: `Personal information: ${username}`<\/span>}); \r\n}); \r\n \r\n\/\/ Logout<\/span>\r\napp.post<\/span>('\/logout'<\/span>, isAuthenticated, (req, res<\/span>) =><\/span> { \r\n req.session<\/span>.destroy<\/span>(); \r\n return<\/span> res.status<\/span>(200<\/span>).json<\/span>({ message<\/span>: 'Sign out successful.'<\/span> }); \r\n});\r\n \r\napp.listen<\/span>(port, () =><\/span> {  console<\/span>.log<\/span>(`Server running ${port}<\/span>`<\/span>); });<\/pre>\n
    In the above example, when the user logs in successfully, we save the username information into the session and set the lifetime to 1 day. The \/profile and \/logout routes require a logged-in user for access, and we check session information to verify the login status. When the user logs out, we will end this session and will recreate a new session when the user logs back in.<\/p>\n
    + Wrong program<\/strong><\/p>\n
    const<\/span> express = require<\/span>('express'<\/span>); \r\nconst<\/span> session = require<\/span>('express-session'<\/span>); \r\nconst<\/span> app = express<\/span>(); \r\nconst<\/span> port = 3000<\/span>; \r\n \r\n\/\/ Use session middleware<\/span> \r\napp.use<\/span>(session<\/span>({ \r\n secret<\/span>: 'secretKey'<\/span>, \r\n resave<\/span>: false<\/span>, \r\n saveUninitialized<\/span>: false,\r\n cookie: { maxAge: 86400000) }<\/span>\r\n})); \r\n \r\napp.use<\/span>(express.json<\/span>()); \r\n \r\n\/\/ Assume this is a database that stores user information<\/span>\r\nconst<\/span> users = [ { username<\/span>: 'test'<\/span>, password<\/span>: 'password_hash'<\/span> } ]; \r\n \r\n\/\/ Check if user is logged in<\/span>\r\nfunction<\/span> isAuthenticated<\/span>(req, res, next<\/span>) { \r\n if<\/span> (req.session<\/span> && req.session<\/span>.username<\/span>) { \r\n  return<\/span> next<\/span>(); \r\n }\r\n return<\/span> res.status<\/span>(401<\/span>).json<\/span>({ error<\/span>: 'You need to log in to continue.'<\/span> }); \r\n} \r\n \r\n\/\/ Login<\/span>\r\napp.post<\/span>('\/login'<\/span>, (req, res<\/span>) =><\/span> { \r\n const<\/span> { username, password } = req.body<\/span>; \r\n const<\/span> user = users.find<\/span>(user<\/span> =><\/span> user.username<\/span> === username); \r\n if<\/span> (!user || user.password<\/span> !== password) { \r\n  return<\/span> res.status<\/span>(401<\/span>).json<\/span>({ error<\/span>: 'Incorrect username or password.'<\/span> }); \r\n } \r\n \r\n req.session<\/span>.username<\/span> = username; \r\n return<\/span> res.status<\/span>(200<\/span>).json<\/span>({ message<\/span>: 'Logged in successfully.'<\/span> }); \r\n}); \r\n  \r\n\/\/ Show user information after login<\/span>\r\napp.get<\/span>('\/profile'<\/span>, isAuthenticated, (req, res<\/span>) =><\/span> { \r\n const<\/span> username = req.session<\/span>.username<\/span>; \r\n return<\/span> res.status<\/span>(200<\/span>).json<\/span>({message<\/span>: `Personal information: ${username}`<\/span>}); \r\n}); \r\n \r\n\/\/ Logout<\/span>\r\napp.post<\/span>('\/logout'<\/span>, isAuthenticated, (req, res<\/span>) =><\/span> { \r\n return<\/span> res.status<\/span>(200<\/span>).json<\/span>({ message<\/span>: 'Sign out successful.'<\/span> }); \r\n});\r\n \r\napp.listen<\/span>(port, () =><\/span> {  console<\/span>.log<\/span>(`Server running ${port}<\/span>`<\/span>); });<\/pre>\n
    In the above example, when the user logs in successfully, we save the username information into the session and do not set the session end time. When the user logs out, the session is not destroyed and this session always exists.<\/p>\n
    Access Control<\/h3>\n
    Perform access testing with all sent requests including requests sent by HTTP request, Ajax to ensure that the authorization is always done correctly with the corresponding authorized account. Avoid access to unauthorized resources.<\/p>\n
    Need to implement centralized decentralization, easy to manage and not affected by the logic of the code that performs the function of the web.<\/p>\n
    It is necessary to limit access to important resources to authorized users.<\/p>\n
    The application should have clear documentation of the access policy.<\/p>\n
    When there is a change in permissions or a change in the business logic related to access rights, disable the account and terminate the session. Only when the user logs back in will the account continue to use.<\/p>\n
    Implement a mechanism to temporarily lock accounts after a period of inactivity.<\/p>\n
    If user data needs to be stored on the client side, it needs to be encrypted and checked for integrity on the server.<\/p>\n
    Properly implement the principle of delegating power to the right people, with the right rights. Only authorized users have access to certain resources on the system.<\/p>\n
    Below is the Nodejs code using the Express.js framework.<\/p>\n
    + Correct program<\/strong><\/p>\n
    const<\/span> express = require<\/span>('express'<\/span>); \r\nconst<\/span> app = express<\/span>(); \r\nconst<\/span> port = 3000<\/span>; \r\n \r\n\/\/ Assume this is a database that stores user information<\/span>\r\nconst<\/span> users = [ \r\n  { username<\/span>: 'user1'<\/span>, role<\/span>: 'admin'<\/span> }, \r\n  { username<\/span>: 'user2'<\/span>, role<\/span>: 'user'<\/span> } \r\n]; \r\n \r\n\/\/ Middleware checks the user's role<\/span>\r\nfunction<\/span> checkRole<\/span>(role<\/span>) { \r\n  return<\/span> (req, res, next<\/span>) =><\/span> { \r\n    const<\/span> user = users.find<\/span>(user<\/span> =><\/span> user.username<\/span> === req.session<\/span>.username<\/span>); \r\n     \r\n    if<\/span> (user && user.role<\/span> === role) { \r\n      return<\/span> next<\/span>(); \r\n    } \r\n    return<\/span> res.status<\/span>(403<\/span>).json<\/span>({ error<\/span>: 'You do not have access.'<\/span> }); \r\n  }; \r\n} \r\n \r\napp.use<\/span>(express.json<\/span>()); \r\n \r\napp.get<\/span>('\/profile'<\/span>, (req, res<\/span>) =><\/span> { \r\n  const<\/span> username = req.session<\/span>.username<\/span>; \r\n  return<\/span> res.status<\/span>(200<\/span>).json({message: `Personal information: ${username}`});<\/span>\r\n}); \r\n \r\napp.get<\/span>('\/admin'<\/span>, checkRole<\/span>('admin'<\/span>), (req, res<\/span>) =><\/span> { \r\n  return<\/span> res.status<\/span>(200<\/span>).json<\/span>({ message<\/span>: 'Admin page.'<\/span> }); \r\n});\r\n \r\napp.listen<\/span>(port, () =><\/span> {  console<\/span>.log<\/span>(`Server running ${port}<\/span>`<\/span>); });<\/pre>\n
    In the above example, we used a checkRole middleware to check the user’s role. Route \/profile allows access to all users. The \/admin route requires the \u201cadmin\u201d role and only allows users with the \u201cadmin\u201d role to access the admin page. If they don’t have permission they will receive a 403 (Forbidden) status code.<\/p>\n
    + Wrong program<\/strong><\/p>\n
    const<\/span> express = require<\/span>('express'<\/span>); \r\nconst<\/span> app = express<\/span>(); \r\nconst<\/span> port = 3000<\/span>; \r\n \r\n\/\/ Assume this is a database that stores user information<\/span>\r\nconst<\/span> users = [ \r\n  { username<\/span>: 'user1'<\/span>, role<\/span>: 'admin'<\/span> }, \r\n  { username<\/span>: 'user2'<\/span>, role<\/span>: 'user'<\/span> } \r\n]; \r\n \r\napp.use<\/span>(express.json<\/span>()); \r\n \r\napp.get<\/span>('\/profile'<\/span>, (req, res<\/span>) =><\/span> { \r\n const<\/span> username = req.session<\/span>.username<\/span>; \r\n return<\/span> res.status<\/span>(200<\/span>).json({message: `Personal information: ${username}`});<\/span>\r\n}); \r\n \r\napp.get<\/span>('\/admin'<\/span>, (req, res<\/span>) =><\/span> { \r\n return<\/span> res.status<\/span>(200<\/span>).json<\/span>({ message<\/span>: 'Admin page.'<\/span> }); \r\n});\r\n \r\napp.listen<\/span>(port, () =><\/span> {  console<\/span>.log<\/span>(`Server running ${port}<\/span>`<\/span>); });<\/pre>\n
    In the above example, the \/profile and\u00a0 \/admin routes both allow access to all users and have no permissions. This will be very dangerous because the admin page will be accessed illegally by users with role=\u201duser\u201d.<\/p>\n
    Error Handling and Logging<\/h3>\n
    Need to report common errors and proceed to define error pages to return when the site encounters an error. Avoid using the framework’s default error pages because these often contain a lot of information related to the application and version.<\/p>\n
    The log should record all important events as follows:<\/p>\n
      \n
    1. Log all input validation errors<\/li>\n
    2. Log all system exceptions<\/li>\n
    3. Record all access control errors<\/li>\n
    4. Record all authentication attempts, especially failed attempts<\/li>\n
    5. Log the entire event of multiple login attempts or session expiration<\/li>\n
    6. Log all administrative functions<\/li>\n<\/ol>\n
      Do not store sensitive information in the log, including unnecessary system details, software version information or user passwords.<\/p>\n
      Restrict log access to authorized users only.<\/p>\n
      Make sure the log contains important event data such as event time, severity for each event, tags for each event, account information that performed the event, source ip, dest ip, and event description, etc.<\/p>\n
      Error handling information should record both success and failure events to help trace when problems occur.<\/p>\n
      Do not reveal sensitive information in error responses from the website, including system details, application versions or account information.<\/p>\n
      Below is the Nodejs code using the Express.js framework.<\/p>\n
      + Correct program<\/strong><\/p>\n
      const<\/span> express = require<\/span>('express'<\/span>); \r\nconst<\/span> winston = require<\/span>('winston'<\/span>); \r\nconst<\/span> app = express<\/span>(); \r\nconst<\/span> port = 3000<\/span>; \r\n \r\n\/\/ Set up logger<\/span> \r\nconst<\/span> logger = winston.createLogger<\/span>({ \r\n  level<\/span>: 'info'<\/span>, \r\n  format<\/span>: winston.format<\/span>.simple<\/span>(), \r\n  transports<\/span>: [ \r\n    new<\/span> winston.transports<\/span>.Console<\/span>(), \r\n    new<\/span> winston.transports<\/span>.File<\/span>({ filename<\/span>: 'error.log'<\/span>, level<\/span>: 'error'<\/span> }) \r\n  ] \r\n}); \r\n \r\n\/\/ Middleware for error handling<\/span>\r\napp.use<\/span>((err, req, res, next<\/span>) =><\/span> { \r\n  logger.error<\/span>(err.stack<\/span>); \r\n  res.status<\/span>(500<\/span>).json<\/span>({ error<\/span>: 'An error occurred.'<\/span> }); \r\n}); \r\n \r\n\/\/ Route has caused an error<\/span>\r\napp.get<\/span>('\/error'<\/span>, (req, res, next<\/span>) =><\/span> { \r\n  const<\/span> error = new<\/span> Error<\/span>('message error'<\/span>); \r\n  next<\/span>(error); \r\n});\r\n \r\napp.listen<\/span>(port, () =><\/span> {  console<\/span>.log<\/span>(`Server running ${port}<\/span>`<\/span>); });<\/pre>\n
      In the above example, we used the winston library to create the logger and set up the logger to log error information and store it in the “error.log” file. The route \/error is used to illustrate the occurrence of an error. In this route, we generate an arbitrary error and call the next() function to pass the error to the error handling middleware. Using a logger makes it easier for us to manage our application.<\/p>\n
      + Wrong program<\/strong><\/p>\n
      const<\/span> express = require<\/span>('express'<\/span>); \r\nconst<\/span> app = express<\/span>(); \r\nconst<\/span> port = 3000<\/span>; \r\n \r\n\/\/ Middleware for error handling<\/span>\r\napp.use<\/span>((err, req, res, next<\/span>) =><\/span> { \r\n  res.status<\/span>(500<\/span>).json<\/span>({ error<\/span>: 'An error occurred.'<\/span> }); \r\n}); \r\n \r\n\/\/ Route has caused an error<\/span> \r\napp.get<\/span>('\/error'<\/span>, (req, res, next<\/span>) =><\/span> { \r\n const<\/span> error = new<\/span> Error<\/span>('message error'<\/span>); \r\n next<\/span>(error); \r\n});\r\n \r\napp.listen<\/span>(port, () =><\/span> {  console<\/span>.log<\/span>(`Server running ${port}<\/span>`<\/span>); });<\/pre>\n
      In the above example, do not use the winston library to create loggers and to log errors when they occur. When the program has a certain error problem, it is very difficult to investigate and fix.<\/p>\n
      Data Protection<\/h3>\n
      Turn off autocomplete username and password features in the browser.<\/p>\n
      Do not send sensitive information in HTTP GET request parameters such as username, password, token, session_id, etc.<\/p>\n
      Remove all unnecessary comments in the source code as comments may contain user or database access information or may reveal other sensitive system information.<\/p>\n
      Decentralize accounts according to the correct function to help limit unauthorized access or mistakenly cause data loss.<\/p>\n
      Protect the server-side source code from being downloaded by users by decentralizing the source code directory, not revealing the source code and the source code storage path.<\/p>\n
      Implement appropriate access controls for sensitive data stored on the server.<\/p>\n
      Disable client-side caching on pages that contain usable sensitive information: Cache-Control: no-store in the HTTP header.<\/p>\n
      Below is the Nodejs code using the Express.js framework.<\/p>\n
      + Correct program<\/strong><\/p>\n
      const<\/span> express = require<\/span>('express'<\/span>); \r\nconst<\/span> app = express<\/span>(); \r\nconst<\/span> port = 3000<\/span>; \r\n \r\n\/\/ Search user\r\napp.get<\/span>('\/user?name=test&email=test@gmail.com'<\/span>, async (req, res<\/span>) =><\/span> { \r\n const result = await userService.userSearch(req.query<\/span>);\r\n return<\/span> res.status<\/span>(200<\/span>).json(result);<\/span>\r\n}); \r\n\r\napp.listen<\/span>(port, () =><\/span> {  console<\/span>.log<\/span>(`Server running ${port}<\/span>`<\/span>); });<\/pre>\n
      In the above example, the \/user route will search for the user by name and email and return the corresponding results. This name and email information are not sensitive information so you can search normally.<\/p>\n
      + Wrong program<\/strong><\/p>\n
      const<\/span> express = require<\/span>('express'<\/span>); \r\nconst<\/span> app = express<\/span>(); \r\nconst<\/span> port = 3000<\/span>; \r\n\r\n\/\/ Search user\r\napp.get<\/span>('\/user?password=test123&email=test@gmail.com'<\/span>, async (req, res<\/span>) =><\/span> { \r\n const result = await userService.userSearch(req.query<\/span>);\r\n return<\/span> res.status<\/span>(200<\/span>).json(result);<\/span>\r\n}); \r\n\r\napp.listen<\/span>(port, () =><\/span> {  console<\/span>.log<\/span>(`Server running ${port}<\/span>`<\/span>); });<\/pre>\n
      In the above example, the \/user route will search for users by password and email and return the corresponding results. Because passwords are sensitive information, this case violates security.<\/p>\n
      Communication Security<\/h3>\n
      Make sure the HTTP referer does not contain sensitive information such as session_id, token, etc. Make sure these parameters are filtered from the HTTP referer before accessing another website.<\/p>\n
      When external systems make connections and access information to our systems, we need to ensure that there is a TLS connection.<\/p>\n
      Implement encryption to transmit all sensitive information using TLS for transmission encryption to help protect the connection<\/p>\n
      It is necessary for the website to always use a TLS connection for all content that requires authenticated access and for all access operations.<\/p>\n
      The UTF-8 encoded character set can be used for encoding connections.<\/p>\n
      Below is the Nodejs code using the Express.js framework.<\/p>\n
      + Correct program<\/strong><\/p>\n
      const https = require('https'); \r\nconst fs = require('fs'); \r\nconst express = require('express'); \r\nconst<\/span> port = 443<\/span>; \r\nconst app = express(); \r\n  \r\napp.get<\/span>('\/secure'<\/span>, (req, res<\/span>) =><\/span> {\r\n  console.log('Data is transmitted securely.');<\/span>\r\n\u00a0 res.redirect('https:\/\/example.com'); \r\n});\r\n \r\n\/\/ Create server HTTPS\r\nhttps.createServer({\r\n key: fs.readFileSync('\/path\/to\/private-key.pem'), \r\n cert: fs.readFileSync('\/path\/to\/certificate.pem')\r\n}, app).listen(port);<\/pre>\n
      In the above example, we used the https module to create a server using the HTTPS protocol. When a user accesses the \/secure route, data is securely transmitted over HTTPS and redirected to a https:\/\/example.com domain, ensuring that information cannot be stolen or modified during the transmission and that HTTP referers do not contain sensitive information.<\/p>\n
      + Wrong program<\/strong><\/p>\n
      const https = require('https'); \r\nconst fs = require('fs'); \r\nconst express = require('express'); \r\nconst<\/span> port = 443<\/span>; \r\nconst app = express(); \r\n \r\napp.get<\/span>('\/secure?session_id=xxx'<\/span>, (req, res<\/span>) =><\/span> { \r\n\u00a0 res.redirect('https:\/\/example.com'); \r\n});\r\n \r\n\/\/ Create server HTTPS\r\nhttps.createServer({\r\nkey: fs.readFileSync('\/path\/to\/private-key.pem'), \r\ncert: fs.readFileSync('\/path\/to\/certificate.pem')\r\n}, app).listen(port);<\/pre>\n
      In the above example, when a user accesses the \/secure route, it will redirect to a domain https:\/\/example.com. This time the HTTP referer contains sensitive information called session_id and can be accessed from the domain https:\/\/example.com.<\/p>\n
      System Configuration<\/h3>\n
      It is necessary to have a source code management system, version history, change history, and change log of all components in the system to manage easily and limit security risks.<\/p>\n
      The dev, test, and production environments need to be set up to isolate and not share resources and databases. Helps to control data well as well as avoid the risk of attacking the test system and then attacking the production system.<\/p>\n
      Removing unnecessary information from the HTTP response related to the operating system, web server version, debug information or source code helps prevent attackers from collecting and serves as the basis for deeper attacks on the website.<\/p>\n
      Remove test or debug code from the source code or any non-production functionality before deploying.<\/p>\n
      It is necessary to turn off the Directory listing function on the webserver to help limit the disclosure of sensitive files, files containing important information.<\/p>\n
      Make sure the server, OS, framework, and system components are using a secure version with no vulnerabilities, preferably the latest version.<\/p>\n
      Ensure the server, OS, framework, and system components are always updated with security patches from the developer to prevent hackers from exploiting publicly available security exploits.<\/p>\n
      Below is the Nodejs code using the Express.js framework.<\/p>\n
      + Correct program<\/strong><\/p>\n
      const<\/span> express = require<\/span>('express'<\/span>); \r\nconst<\/span> app = express<\/span>(); \r\nconst<\/span> port = 3000<\/span>; \r\n \r\n\/\/ Read environment variables for database configuration<\/span>\r\nconst<\/span> dbConfig = { \r\n  host<\/span>: process.env<\/span>.DB_HOST<\/span>, \r\n  username<\/span>: process.env<\/span>.DB_USERNAME<\/span>, \r\n  password<\/span>: process.env<\/span>.DB_PASSWORD<\/span>, \r\n  database<\/span>: process.env<\/span>.DB_DATABASE<\/span>'<\/span> \r\n}; \r\n \r\n\/\/ Make a database connection<\/span>\r\nfunction<\/span> connectToDatabase<\/span>(config<\/span>) { \r\n  \/\/ Write the code to connect to the database here<\/span>\r\n} \r\n \r\nconnectToDatabase<\/span>(dbConfig); \r\napp.listen<\/span>(port, () =><\/span> {  console<\/span>.log<\/span>(`Server running ${port}<\/span>`<\/span>); });<\/pre>\n
      In the above example, we used environment variables to store database configuration information such as DB_HOST, DB_USERNAME, DB_PASSWORD, and DB_DATABASE. By using environment variables, we can easily adjust the system’s configuration without modifying the source code and help reduce the risk of revealing important information such as passwords in the source code, creating favorable conditions for more secure deployment and configuration management.<\/p>\n
      + Wrong program<\/strong><\/p>\n
      const<\/span> express = require<\/span>('express'<\/span>); \r\nconst<\/span> app = express<\/span>(); \r\nconst<\/span> port = 3000<\/span>; \r\n\r\nconst<\/span> dbConfig = { \r\n host<\/span>: 'host', \r\n username<\/span>: 'username', \r\n password<\/span>: 'password', \r\n database<\/span>: 'database'<\/span> \r\n}; \r\n\r\n\/\/ Make a database connection<\/span>\r\nfunction<\/span> connectToDatabase<\/span>(config<\/span>) { \r\n \/\/ Write the code to connect to the database here<\/span>\r\n} \r\n\r\nconnectToDatabase<\/span>(dbConfig); \r\napp.listen<\/span>(port, () =><\/span> {  console<\/span>.log<\/span>(`Server running ${port}<\/span>`<\/span>); });<\/pre>\n
      In the above example, we do not use environment variables to store database configuration information but write the value directly in the code. If written this way, when adjusting the system configuration, the source code will be modified and there is a risk of revealing important information such as passwords in the source code, making it difficult to manage configuration and deploy safely.<\/p>\n
      Database Security<\/h3>\n
      Each account connected to the database needs to be clearly and separately authorized according to its functions, tasks, and permissions.<\/p>\n
      Default accounts, unused accounts for system requirements need to be removed from the system.<\/p>\n
      Close the database if it is no longer accessible.<\/p>\n
      Database connection strings need to be stored in separate config files and should be securely encrypted using strong encryption algorithms.<\/p>\n
      The account\/password to access the database should be strong enough, not using default or easily guessed credentials.<\/p>\n
      The database needs to run with the user with the lowest privileges, is clearly decentralized, and can only access certain databases to help prevent attacks and data exploitation of other databases.<\/p>\n
      Need to validate the input data before executing the query.<\/p>\n
      Using parameters for SQL query statements keeps the query and data separate. Instead of string concatenation in the SQL query, parameters are passed through variables. This helps prevent SQL Injection errors when users pass in malicious data.<\/p>\n
      Below is the Nodejs code using the Express.js framework.<\/p>\n
      + Correct program<\/strong><\/p>\n
      const<\/span> express = require<\/span>('express'<\/span>); \r\nconst<\/span> mysql = require<\/span>('mysql'<\/span>); \r\nconst<\/span> app = express<\/span>(); \r\nconst<\/span> port = 3000<\/span>; \r\n \r\n\/\/ Connect to the database<\/span>\r\nconst<\/span> db = mysql.createConnection<\/span>({ \r\n  host<\/span>: 'localhost'<\/span>, \r\n  user<\/span>: 'username'<\/span>, \r\n  password<\/span>: 'password'<\/span>, \r\n  database<\/span>: 'mydb'<\/span> \r\n}); \r\n \r\ndb.connect<\/span>(err<\/span> =><\/span> {\r\n  if<\/span> (err) {\r\n    console<\/span>.error<\/span>('Database connection error:'<\/span>, err); return<\/span>; \r\n  } \r\n  console<\/span>.log<\/span>('Connected to the database.'<\/span>); \r\n}); \r\n \r\napp.use<\/span>(express.json<\/span>()); \r\n \r\n\/\/ Create a new book<\/span> \r\napp.post<\/span>('\/book'<\/span>, (req, res<\/span>) =><\/span> { \r\n  const<\/span> { title, author } = req.body<\/span>; \r\n  const<\/span> query = 'INSERT INTO books (title, author) VALUES (?, ?)'<\/span>; \r\n  db.query<\/span>(query, [title, author], (err, result<\/span>) =><\/span> { \r\n    if<\/span> (err) { \r\n      return<\/span> res.status<\/span>(500<\/span>).json<\/span>({ error<\/span>: 'An error occurred.'<\/span> }); \r\n    } \r\n    return<\/span> res.status<\/span>(201<\/span>).json<\/span>({ message<\/span>: 'Created successfully.'<\/span> }); \r\n  }); \r\n}); \r\n \r\n\/\/ Get the list<\/span>\r\napp.get<\/span>('\/book'<\/span>, (req, res<\/span>) =><\/span> { \r\n  const<\/span> query = 'SELECT * FROM books where title = ?'<\/span>; \r\n  db.query<\/span>(query, [title],(err, result<\/span>) =><\/span> { \r\n    if<\/span> (err) { \r\n      return<\/span> res.status<\/span>(500<\/span>).json<\/span>({ error<\/span>: 'An error occurred.'<\/span> }); \r\n    } \r\n    return<\/span> res.status<\/span>(200<\/span>).json<\/span>(result); \r\n  }); \r\n}); \r\n \r\napp.listen<\/span>(port, () =><\/span> {  console<\/span>.log<\/span>(`Server running ${port}<\/span>`<\/span>); });<\/pre>\n
      In the above example, we use the mysql library to connect and manipulate the MySQL database. To ensure security in SQL queries, we use parameters for SQL query statements. This helps prevent SQL injection attacks by preventing users from passing malicious data into SQL queries.<\/p>\n
      + Wrong program<\/strong><\/p>\n
      const<\/span> express = require<\/span>('express'<\/span>); \r\nconst<\/span> mysql = require<\/span>('mysql'<\/span>); \r\nconst<\/span> app = express<\/span>(); \r\nconst<\/span> port = 3000<\/span>; \r\n \r\n\/\/ Connect to the database<\/span> \r\nconst<\/span> db = mysql.createConnection<\/span>({ \r\n host<\/span>: 'localhost'<\/span>, \r\n user<\/span>: 'username'<\/span>, \r\n password<\/span>: 'password'<\/span>, \r\n database<\/span>: 'mydb'<\/span> \r\n}); \r\n \r\ndb.connect<\/span>(err<\/span> =><\/span> {\r\n if<\/span> (err) {\r\n   console<\/span>.error<\/span>('Database connection error:'<\/span>, err); return<\/span>; \r\n } \r\n console<\/span>.log<\/span>('Connected to the database.'<\/span>); \r\n}); \r\n \r\napp.use<\/span>(express.json<\/span>()); \r\n \r\n\/\/ Create a new book<\/span> \r\napp.post<\/span>('\/book'<\/span>, (req, res<\/span>) =><\/span> { \r\n const<\/span> { title, author } = req.body<\/span>; \r\n const<\/span> query = 'INSERT INTO books (title, author) VALUES (title, author)'<\/span>; \r\n db.query<\/span>(query, (err, result<\/span>) =><\/span> { \r\n   if<\/span> (err) { \r\n     return<\/span> res.status<\/span>(500<\/span>).json<\/span>({ error<\/span>: 'An error occurred.'<\/span> }); \r\n   } \r\n   return<\/span> res.status<\/span>(201<\/span>).json<\/span>({ message<\/span>: 'Created successfully.'<\/span> }); \r\n }); \r\n}); \r\n \r\n\/\/ Get the list<\/span>\r\napp.get<\/span>('\/book'<\/span>, (req, res<\/span>) =><\/span> { \r\n const<\/span> query = 'SELECT * FROM books where title =' + title<\/span>; \r\n db.query<\/span>(query, (err, result<\/span>) =><\/span> { \r\n   if<\/span> (err) { \r\n     return<\/span> res.status<\/span>(500<\/span>).json<\/span>({ error<\/span>: 'An error occurred.'<\/span> }); \r\n   } \r\n   return<\/span> res.status<\/span>(200<\/span>).json<\/span>(result); \r\n }); \r\n}); \r\n\r\napp.listen<\/span>(port, () =><\/span> {  console<\/span>.log<\/span>(`Server running ${port}<\/span>`<\/span>); });<\/pre>\n
      In the above example, instead of using the parameter passed to the SQL query, we are concatenating the string in the SQL query. This will suffer from SQL injection attacks.<\/p>\n
      File Management<\/h3>\n
      It is recommended to make file directory permissions:\u00a0read-only\u00a0to avoid unauthorized modifications from attackers<\/p>\n
      Do not return the absolute path (Example: \/var\/www\/html\/uploads\/test.jpg) because the attacker can know the absolute path of the website from which to attack other vulnerabilities. Returns only the file name or directory path containing the file (\/uploads\/test.jpg)<\/p>\n
      Do not store files with the server running the web service. Do file storage on a separate server or use a 3rd party file storage service like Amazon S3.<\/p>\n
      Limit the types of files (header files) that are allowed to be uploaded to the server. For the upload function, it is necessary to whitelist the uploaded file headers that match the functional requirements (For example the avatar upload function only allows Content-types: image\/jpeg and image\/png).<\/p>\n
      Authentication is required before the user can perform the upload. User authentication helps to limit the unauthorized upload of malicious files as well as serves the process of tracking users when an attack occurs.<\/p>\n
      Limit the file types (extension files) allowed to upload to the server. For the upload function, it is necessary to whitelist the uploaded files that match the functional requirements (For example the avatar upload function only allows: png and jpg).<\/p>\n
      Use a virus scanner to check user-uploaded files. This helps to remove malicious files and viruses that users upload.<\/p>\n
      Below is the Nodejs code using the Express.js framework.<\/p>\n
      + Correct program<\/strong><\/p>\n
      const<\/span> express = require<\/span>('express'<\/span>); \r\nconst<\/span> fs = require<\/span>('fs'<\/span>); \r\nconst<\/span> path = require<\/span>('path'<\/span>); \r\nconst<\/span> app = express<\/span>(); \r\nconst<\/span> port = 3000<\/span>; \r\n \r\napp.use<\/span>(express.json<\/span>()); \r\napp.use<\/span>(express.static<\/span>('public'<\/span>)); \r\n \r\n\/\/ Download file<\/span> \r\napp.get<\/span>('\/download\/:filename'<\/span>, (req, res<\/span>) =><\/span> { \r\n  const requestedFile = req.params.filename;<\/span> \r\n  if (!\/^[a-zA-Z0-9._-]+$\/.test(requestedFile <\/span>)) { \r\n    return res.status(400).send('filename is not valid'); \r\n  }\r\n  \r\n  const filePath = path.join(__dirname, 'uploads', requestedFile);\r\n  if<\/span> (!fs.existsSync<\/span>(filePath)) { \r\n    return<\/span> res.status<\/span>(404<\/span>).json<\/span>({ error<\/span>: 'File does not exist.'<\/span> }); \r\n  } \r\n \r\n  const<\/span> fileStream = fs.createReadStream<\/span>(filePath); \r\n  res.setHeader<\/span>('Content-Disposition'<\/span>, `attachment; filename=${requestedFile}<\/span>`<\/span>); \r\n  fileStream.pipe<\/span>(res); \r\n});\r\n \r\napp.listen<\/span>(port, () =><\/span> {  console<\/span>.log<\/span>(`Server running ${port}<\/span>`<\/span>); });<\/pre>\n
      In the above example, when downloading the file, we use the res.setHeader() method to set the “Content-Disposition” header in the HTTP response. This specifies that the file will be downloaded as an attachment with the specified filename. When using such an attachment, the user will receive the file without knowing its absolute path on the server. This helps protect information about system architecture and prevents attacks based on knowing the absolute file path.<\/p>\n
      + Wrong program<\/strong><\/p>\n
      const<\/span> express = require<\/span>('express'<\/span>); \r\nconst<\/span> fs = require<\/span>('fs'<\/span>);\r\nconst<\/span> path = require<\/span>('path'<\/span>); \r\nconst<\/span> app = express<\/span>(); \r\nconst<\/span> port = 3000<\/span>;\r\n \r\napp.use<\/span>(express.static<\/span>('public'<\/span>));\r\n \r\n\/\/ Download file<\/span> \r\napp.get<\/span>('\/download\/:filename'<\/span>, (req, res<\/span>) =><\/span> { \r\n  const requestedFile = req.params<\/span>.filename<\/span>; \r\n  const filePath = path.join<\/span>(__dirname, 'uploads'<\/span>, requestedFile); \r\n  if (!fs.existsSync<\/span>(filePath)) { \r\n    return res.status<\/span>(404<\/span>).json<\/span>({ error<\/span>: 'File does not exist.'<\/span> }); \r\n  } \r\n \r\n  res.download<\/span>(filePath, requestedFile, err<\/span> =><\/span> { \r\n    if (err) { \r\n      console<\/span>.error<\/span>('Error downloading file:'<\/span>, err); \r\n      return res.status<\/span>(500<\/span>).json<\/span>({ error<\/span>: 'An error occurred.'<\/span> }); \r\n    } \r\n  });<\/span>\r\n});\r\n\r\napp.listen<\/span>(port, () =><\/span> {  console<\/span>.log<\/span>(`Server running ${port}<\/span>`<\/span>); });<\/pre>\n
      In the above example will return the absolute path of the file.<\/p>\n
      Common attack errors and prevention methods<\/h2>\n
      SQL Injection<\/h3>\n
      SQL Injection is a technique that takes advantage of the query vulnerabilities of applications. It is executed <\/span>by injecting <\/span>a SQL snippet to falsify the original query, thereby exploiting<\/span> data from the database, creating <\/span>errors, or damaging the system’s data.<\/p>\n
      For example, we have a function like this:<\/p>\n
      const getUserByUserName = (userName: string) => {\r\n\r\n const query = 'SELECT * FROM Users WHERE userName = \u2019 + userName;\r\n\r\n return query.excute();\r\n\r\n}<\/pre>\n
      When the user transmission userName = ‘abc’ or ‘1’=’1′, the SQL statement will look like this:<\/p>\n
      SELECT * FROM Users WHERE userName = 'abc' or '1'='1';<\/pre>\n
      With this SQL statement is always true and returns all information in the Users table.<\/p>\n
      In another case, the user transmission userName = ‘abc’; DROP TABLE Users; the SQL statement would look like this:<\/p>\n
      SELECT* FROM Users WHERE userName = 'abc';\r\nDROP TABLE Users;<\/pre>\n
      With this command, the Users table will be deleted, and very dangerous.<\/p>\n
      Prevention<\/strong><\/p>\n
        \n
      1. Check user input: Regular Expression can be used to remove strange characters or characters other than numbers and letters.<\/li>\n
      2. Do not concatenate <\/span>strings to generate SQL: Use parameters instead of string concatenation<\/span>. If the input data is not legal, SQL Engine will automatically report an error, we do not need to use code to check.<\/li>\n
      3. Limit writing pure SQL, should use the ORM (Object-Relational Mapping) framework library, this framework will generate SQL statements by itself, so it will be safer.<\/li>\n<\/ol>\n
        Cross-Site Scripting (XSS)<\/h3>\n
        Cross-Site Scripting (XSS) is a common form of malicious code attack. Hackers will take advantage of vulnerabilities in web security to insert scripts to execute them on the client side. Typically, XSS attacks are used to bypass access and impersonate users. The main purpose of this attack is to steal user’s identifying data such as cookies, session tokens, and other information.<\/p>\n
        There are 3 main types of XSS attacks as follows:<\/p>\n
          \n
        1. Reflected XSS\n