Node.js – tools, packages and practices for building a secure, high-performance API with quality code

September 17, 2019

Contents
Code standard and styling
Security
Performance


In this article we look at some important aspects to consider while developing Node.js applications, and at the tools, packages and practices that help address them. Understanding and using these will help you build a web application that is secure, well structured, well documented and performs well.

Code standard and styling

Tool – Linters (ESLint/JSLint/TSLint)

Linters are static code analysis tools: they inspect the source without running it and report styling errors, poorly structured code and unsafe constructs. A linter enforces a chosen set of coding rules and catches whole classes of mistakes before runtime, such as loose equality (== instead of ===), mismatched imports or use of undefined variables. Static analysis examines the code for rule violations before it runs; dynamic analysis observes the program while it runs. The most commonly used style guides are the Airbnb and GitHub JavaScript style guides. Integrate the linter plugin into the editor you use (for example Visual Studio Code or Sublime Text) so that violations are shown inline as you type, and run the same linter in CI so that nothing is merged without passing it.


ESLint and JSLint are used with JavaScript; TSLint is used with TypeScript. Note that TSLint has been deprecated by its maintainers in favour of ESLint with the typescript-eslint parser and plugin, so a new TypeScript project should start from ESLint.

TSLint reads its configuration from a tslint.json file in the project root; the rules to enable, and any shared configurations to extend, are declared there.

Security

Tool – Linters mentioned above

npm packages which provide security rules –  eslint-config-secure/tslint-config-security

These packages extend ESLint or TSLint with rules that check for basic security issues in the code, such as SQL queries built by concatenating or interpolating untrusted input (a likely SQL injection) or regular expressions that can take exponential time on crafted input (ReDoS). A lint rule only sees patterns in the source, so it catches the obvious cases cheaply and early; it does not replace input validation or a proper security review.

See more on the security rules in the following links to the npm packages

https://www.npmjs.com/package/tslint-config-security  

https://www.npmjs.com/package/eslint-config-secure

To enable the rules, the tslint.json file is updated to extend the security package's configuration, after which the linter reports security findings alongside style findings.

Tool – NodeJsScan

NodeJsScan is a static security code scanner for Node.js applications. It can be used to identify security issues in the source of a Node.js application.

https://github.com/ajinabraham/NodeJsScan

NodeJsScan should be integrated into the CI/CD pipeline so that security issues are flagged while a pull request is being raised. Alternatives to this tool are SourceClear and Snyk; the Node Security Platform (nsp) was shut down in 2018 after its advisory database was folded into npm audit.

Practices – npm commands

npm commands help in managing packages, updating them to the latest versions and keeping up with security updates when there are any.

npm outdated lists the installed packages for which a newer version exists, showing for each the current version, the wanted version (the highest allowed by the range in package.json) and the latest published version. See more on the usage of this command here

https://docs.npmjs.com/cli/outdated.html

npm-check-updates

npm-check-updates (ncu) is a public package that upgrades the version ranges in package.json to the latest published versions, including new major versions that npm update would not pick. Because it rewrites package.json, run it deliberately, review the diff and run the test suite before committing.


npm update <package name> updates an individual package to the newest version allowed by its range in package.json.

npm audit queries the npm registry's advisory database and reports whether any vulnerable packages are part of the dependency tree, whether direct or transitive.

npm audit fix applies the fixes reported by npm audit that can be installed within the existing semver ranges; fixes that need a breaking upgrade are listed but not applied unless --force is passed, and those should be reviewed and tested rather than applied blindly.

Read the npm cli documentation here –     https://docs.npmjs.com/cli-documentation/cli


Performance analysis

Tool – Node Clinic

Node Clinic is a tool that helps diagnose performance issues in Node.js applications. Node.js performance profiling can also be done with the built-in profiler (node --prof).

https://github.com/nearform/node-clinic


node-clinic writes an HTML report of each run that can be opened in a browser.

To test the performance of an API with node-clinic, an HTTP benchmarking tool has to be used to generate load while clinic profiles the process. The benchmarking tool most widely used with node-clinic is autocannon; another option is wrk.

HTTP benchmarking estimates an API's ability to handle heavy load: a fixed number of concurrent connections issue requests for a fixed duration or request count, and throughput (requests per second), the latency distribution and the error rate are recorded.

Read more on performance analysis using node-clinic in the project README linked above.

SonarQube/Code Climate

SonarQube and Code Climate are platforms for static analysis of code quality that also identify bugs and security flaws. They are run in continuous integration so that every code change is reviewed automatically.

Besides this, proper logging using Winston, Pino or Log4js, documentation using tools like Swagger or Apiary, and validation of inputs using packages like express-validator or joi are necessary for building a quality application. Validation belongs at the API boundary, before the input reaches any query, file path or command.

More details regarding the usage of Winston Logger can be found here

https://truetocode.com/logging-in-node-js-express-application-using-winston-logger/

For more information on how to use joi, refer to the following link

https://github.com/hapijs/joi

We are not going into the details of how to use these tools. The intention of this article is to highlight the aspects that should be considered and the tools, packages and approaches that can be used while building a quality application. You can use other tools besides the ones mentioned here to achieve high performance and security with quality code.

