I am working on an application that uses socket.io, express-js, node-js, and react-js. After reading this, I definitely want to stay as secure as possible, with the best performance in mind. I was considering using socket.io to send information (login details) to the server from the client using socket.emit. The main concern is whether these details could be sniffed (seen) by an outside (third) party. Not only that, but if this method is a bad idea, what would be the best choice to implement for security while keeping the least back-end work (server load)? Also, are cookies (express-session cookies) secure when using HTTPS?
(NOTE: every question assumes HTTPS is implemented.)
Thanks for the help.
0 votes

1 Answer

1 vote
You need to do server-side validation for any user input like username, password, etc. Any man-in-the-middle (MITM) attack will be taken care of by HTTPS (just make sure you are using the latest SSL/TLS version). These sniffing attacks are difficult to perform; the person needs to be in your network. To make cookies secure, use the 'HttpOnly' and 'Secure' cookie flags. You can read more about data validation here - https://www.owasp.org/index.php/Data_Validation. For more info on cookie flags - https://resources.infosecinstitute.com/securing-cookies-httponly-secure-flags/
One more thing: make sure you use parameterized queries for any database transaction in your code to avoid SQL injection.
I hope this helps.