How to Develop Safer Applications in Node.js

In addition, a template of a REST API with the security options implemented is available at the following link:

Before starting to develop any kind of application, whether in Node.js or any other programming environment, we must make sure that all the libraries and frameworks we are going to use have been updated to their latest stable version (except for those where we need a specific version).

Periodically updating the environment we work in is crucial, since a chain is only as strong as its weakest link.

Managing Package Versions With NPM

To make sure that we are not using an unsupported version of Node.js, we can check the official website.

[Image: Node.js.]

To manage the packages we are using in a project, we can use NPM:

Use TLS (Transport Layer Security)

The HTTPS protocol is a direct implementation of TLS encryption over the HTTP protocol used by web services and applications.

To be able to use HTTPS in our Node.js and Express application, we need a certificate that proves our identity to clients.

Let's Encrypt is an open certificate authority (CA) that we can use for free (most CAs charge for certificates).

Use HTTPS in Express.js:

Beware of HTTP Default Headers

When building an application with Node.js and Express, an HTTP header called X-Powered-By: Express is added to every response. It can be a vector for attacks on our application, since knowing which technologies are in use makes the attacker's work much easier.

[Image: HTTP default headers.]

There is a package for Express called Helmet that allows us to set the headers we want our application to send and to remove the default X-Powered-By header.

First, run:

npm i helmet

By default, Helmet has the following options enabled:

[Image: HTTP headers updated with Helmet.]

Limit Requests to Avoid Brute-Force Attacks

Brute-force and DDoS attacks are very common on the web and can impact our application.

For Express and Node.js, there are several packages that let us limit the number of requests a given IP address or user makes to certain routes and block their access for a while once the limit is exceeded.

In this case, we will explain how the express-rate-limit package works.

First, run:

npm i express-rate-limit

[Image: Default limit response.]

Tokens and Cookies

If we are going to develop a REST API, we recommend using JWT (JSON Web Token) instead of cookies, since today APIs are also consumed by HTTP clients that are much simpler than traditional web browsers and do not support cookies natively.

If our application requires cookies for session management, do not use the default session cookie name and set the cookie security options correctly, so that the cookies do not expose the application to attacks.

For Node.js, there are two main cookie session modules: express-session and cookie-session.

The main difference between the two modules is where they keep the session data. The express-session middleware stores session data on the server and stores only the session ID in the cookie itself, not the session data.

The cookie-session middleware, on the other hand, implements cookie-based storage: it serializes the entire session into the cookie rather than just a session key.

Here's an example of renaming the session cookie with express-session:
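The three mitigations discussed above (stripping X-Powered-By and adding security headers, limiting requests per IP, and using a non-default session cookie with strict attributes) as an added, dependency-free example that is not part of the original article and is not Helmet's, express-rate-limit's or express-session's own code. The header values mirror Helmet's defaults; the window size, limit, IP addresses and cookie name are constructed for illustration.

```javascript
// Added example (not from the original article): dependency-free sketches of the
// three mitigations discussed above, written as plain functions so they can be
// checked offline. Header values, limits and the cookie name are constructed.

// 1. Drop X-Powered-By and add a few of the headers Helmet sets by default.
function hardenHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== 'x-powered-by') out[name.toLowerCase()] = value;
  }
  out['strict-transport-security'] = 'max-age=15552000; includeSubDomains';
  out['x-content-type-options'] = 'nosniff';
  out['x-frame-options'] = 'SAMEORIGIN';
  out['referrer-policy'] = 'no-referrer';
  return out;
}

// 2. Fixed-window limiter keyed by client IP: at most `max` hits per `windowMs`.
//    Returns whether the request may proceed and how long a blocked client waits.
function createRateLimiter({ windowMs, max }) {
  const hits = new Map(); // ip -> { count, resetAt }
  return function check(ip, now = Date.now()) {
    let entry = hits.get(ip);
    if (!entry || now >= entry.resetAt) {
      entry = { count: 0, resetAt: now + windowMs }; // new window for this IP
      hits.set(ip, entry);
    }
    entry.count += 1;
    const allowed = entry.count <= max;
    return {
      allowed,
      remaining: Math.max(0, max - entry.count),
      retryAfterMs: allowed ? 0 : entry.resetAt - now,
    };
  };
}

// 3. Session cookie with a non-default name and restrictive attributes.
//    'connect.sid' is express-session's default name; refuse to use it.
const DEFAULT_SESSION_COOKIE = 'connect.sid';
function sessionCookie(name, sessionId) {
  if (name === DEFAULT_SESSION_COOKIE) {
    throw new Error('do not use the default session cookie name');
  }
  if (!/^[A-Za-z0-9._-]+$/.test(sessionId)) throw new Error('invalid session id');
  return `${name}=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}
```

In a real Express app these responsibilities are handled by helmet(), express-rate-limit and express-session's `name` option; the functions here only make the behaviour visible and testable.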

Other Considerations

Translated from: https://medium.com/better-programming/developing-safer-applications-in-nodejs-f645788f9c65
