express-js / express-js - interview
Q1. What are common security threats to Express apps?
Common threats include: Injection (SQL/NoSQL), Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), broken authentication, sensitive data exposure, and security misconfigurations. Understanding these helps in applying proper protections.

Q2. How do you prevent XSS attacks in Express?
Validate and sanitize user input, and escape output wherever it is rendered into HTML. Use the helmet middleware to set security headers such as Content-Security-Policy. For templates, use engines that auto-escape (EJS escapes <%= %> output by default; <%- %> does not). Mark session cookies httpOnly so page scripts cannot read them, which limits what a successful XSS can steal.

Q3. How do you prevent CSRF attacks?
Use CSRF tokens. For every state-changing request (POST, PUT, PATCH, DELETE), include a unique, unguessable token that the server validates against the user's session. The csurf middleware can help (note that it is now deprecated). Also set the sameSite attribute on session cookies so browsers do not attach them to cross-site requests. For APIs, ensure proper CORS configuration and use token-based auth sent in a header, since credentials the browser does not attach automatically cannot be forged by a cross-site request.

Q4. What is helmet and how does it help?
Helmet is a middleware that sets various HTTP response headers to harden your app, such as Content-Security-Policy, X-Content-Type-Options and X-Frame-Options. These headers help mitigate XSS, clickjacking, MIME sniffing and related attacks. Example: app.use(require('helmet')()). It's easy to use and its defaults follow security best practices.

Q5. How do you securely manage environment variables?
Use .env files with the dotenv package for development only. Never commit .env to version control (add it to .gitignore). In production, set environment variables through your hosting platform or secrets manager rather than shipping a file. Keep secrets such as database passwords, JWT signing keys and API keys in environment variables, never in source code.