Node.js Security Hardening Practices on Ubuntu
1. Keep the system patched. Run sudo apt update && sudo apt upgrade -y to fix known vulnerabilities in the OS and installed packages, and install unattended-upgrades so that security updates are applied automatically; this shrinks the window during which a published vulnerability stays unpatched on the host.

2. Install Node.js through nvm. Install nvm with curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.1/install.sh | bash (read the script before piping it into bash, and pin a specific nvm release as shown rather than a moving branch), install the current LTS release with nvm install --lts, and switch to it with nvm use --lts. Because nvm does not touch system packages, a Node.js security release can be picked up as soon as it ships.

3. Run the application as a dedicated, unprivileged user. Create an account (called deploy here) with sudo adduser deploy and start the Node.js process as that user, for example sudo -u deploy node app.js, so that a compromised application does not run as root. Do not add this service account to the sudo group (sudo usermod -aG sudo deploy would give a compromised process a path to root); keep sudo rights on a separate administrative account. An unprivileged user cannot bind ports below 1024: either put Nginx in front of the application (see item 5), listen on a high port, or grant the binary the capability with sudo setcap 'cap_net_bind_service=+ep' "$(readlink -f "$(which node)")".

4. Confine the process with AppArmor. Check that AppArmor is active with sudo aa-status, then edit /etc/apparmor.d/abstractions/node or, more commonly, write a custom profile under /etc/apparmor.d/ for the node binary that denies access to sensitive paths such as /etc and /root beyond what the application needs, and load it with sudo apparmor_parser -r <profile>.

5. Serve HTTPS only. Obtain a certificate from Let's Encrypt with certbot and have the Node.js server listen on port 443:

const https = require('https');
const fs = require('fs');

// Certificate and key as written by certbot; fullchain.pem includes the
// intermediate certificate so clients can build the chain.
const options = {
  key: fs.readFileSync('/etc/letsencrypt/live/example.com/privkey.pem'),
  cert: fs.readFileSync('/etc/letsencrypt/live/example.com/fullchain.pem'),
};

https.createServer(options, (req, res) => res.end('Secure connection')).listen(443);

Note that certbot stores the key under /etc/letsencrypt/live and /etc/letsencrypt/archive with root-only permissions, so the deploy user from item 3 cannot read it unless you grant access (for example via a dedicated group) or terminate TLS elsewhere.
Alternatively, terminate TLS in Nginx and reverse-proxy requests to the Node.js process on a local port; this is the usual layout, and it avoids running Node.js as root or giving it the private key.

6. Validate and sanitize input. Use express-validator to check request fields (type, length, format) and reject anything that fails; use DOMPurify when you must accept and render user-supplied HTML, so that script-bearing markup is stripped before it reaches a browser (XSS). Neither validation nor HTML escaping defends against SQL injection: that protection comes from parameterized queries or an ORM that binds values, never from concatenating input into SQL strings. Example:
const express = require('express');
const { body, validationResult } = require('express-validator');

const app = express();
app.use(express.json());

app.post('/submit', [
  body('email').isEmail().withMessage('Invalid email'),
  // trim whitespace, bound the length, and HTML-escape so the value can be
  // echoed into a page without becoming markup
  body('comment').trim().isLength({ max: 2000 }).escape(),
], (req, res) => {
  const errors = validationResult(req);
  if (!errors.isEmpty()) return res.status(400).json({ errors: errors.array() });
  // handle the validated input here (store it with a parameterized query)
  res.status(204).end();
});
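The route above bundles three different controls (validation, HTML escaping and, implicitly, whatever the handler does with the database) into one chain, which is where the "validation prevents SQL injection" misconception comes from. The following is an added example written against Node core only, not express-validator's or the article's own code; it performs the same checks as separate steps so the responsibilities are visible: a well-formed comment that happens to carry XSS and SQL payloads passes validation, the HTML encoder neutralizes it for the browser, and the database statement is constant with the value bound separately. Field names, limits and the pg-style $1/$2 placeholders are assumptions.

```javascript
// Added example (not from the original article, not express-validator code):
// validation, HTML output encoding and SQL parameterization as three distinct
// steps. Field names, limits and placeholder style are assumptions.

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;  // coarse shape check, not RFC 5322
const COMMENT_MAX = 2000;

// Validate the submission. Returns { ok, errors, value }; on success `value`
// is a normalized copy, and handlers must use it instead of the raw body.
function validateSubmission(body) {
  const errors = [];
  const value = {};
  const email = typeof body.email === 'string' ? body.email.trim() : '';
  if (!EMAIL_RE.test(email) || email.length > 254) {
    errors.push({ field: 'email', msg: 'Invalid email' });
  } else {
    value.email = email.toLowerCase();
  }
  const comment = typeof body.comment === 'string' ? body.comment.trim() : '';
  if (comment.length === 0 || comment.length > COMMENT_MAX) {
    errors.push({ field: 'comment', msg: `Comment must be 1-${COMMENT_MAX} characters` });
  } else {
    value.comment = comment;
  }
  return { ok: errors.length === 0, errors, value };
}

// Output encoding for the HTML context (what express-validator's escape() does).
// Apply it when rendering, not when storing, so the stored text stays usable in
// other contexts (JSON APIs, e-mail, logs).
function escapeHtml(s) {
  return s.replace(/[&<>"'\/]/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  })[c]);
}

// SQL injection defence is parameterization: the statement text is a constant
// and the values travel to the driver separately. Nothing from the user is
// ever concatenated into the SQL string.
const INSERT_COMMENT = 'INSERT INTO comments (email, comment) VALUES ($1, $2)';
function buildInsert(value) {
  return { text: INSERT_COMMENT, values: [value.email, value.comment] };
}

// Constructed sample requests: one clean, one carrying XSS and SQLi payloads.
const SAMPLE_OK = { email: 'Alice@Example.com', comment: '  hello  ' };
const SAMPLE_HOSTILE = {
  email: 'bob@example.com',
  comment: `<script>alert(1)</script>'); DROP TABLE comments; --`,
};
```

Usage: `const { ok, errors, value } = validateSubmission(req.body)`, reject with 400 when `ok` is false, pass `buildInsert(value)` to the driver (for node-postgres, `client.query(buildInsert(value))`), and call `escapeHtml` only at the point where the comment is written into HTML.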
7. Set security headers with helmet: X-Frame-Options to block clickjacking, Content-Security-Policy to restrict where scripts, styles and other resources may be loaded from, and Strict-Transport-Security to keep browsers on HTTPS. The X-XSS-Protection header recommended by older guides is obsolete: current browsers ignore it, the legacy filter it controlled could itself be abused, and helmet now sets it to 0; rely on CSP instead. The xssFilter: { setOnOldIE: true } option from helmet 3 no longer exists. Example:

const helmet = require('helmet');

app.use(helmet({
  frameguard: { action: 'deny' },   // X-Frame-Options: DENY
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'"],
      objectSrc: ["'none'"],
      frameAncestors: ["'none'"],
    },
  },
  hsts: { maxAge: 63072000, includeSubDomains: true },
}));
8. Audit dependencies. Run npm audit to scan the dependency tree for known vulnerabilities and npm audit fix to apply the fixes that do not require a breaking upgrade; pair it with a tool such as Snyk for deeper coverage of transitive open-source components, and run the scan in CI so that a new advisory fails the build rather than going unnoticed. Commit package-lock.json and install with npm ci in production so the tree that was audited is the tree that is deployed.

9. Avoid dynamic code execution. Never pass anything derived from user input to eval(), new Function(), or setTimeout()/setInterval() with a string argument: these turn an injection into remote code execution. Parse data with JSON.parse and, if you need expression or template features, use a maintained library rather than evaluating strings yourself; note that engines which compile templates to JavaScript (lodash's _.template, for instance) must only ever receive trusted template strings.

10. Restrict inbound traffic with ufw. Incoming connections are denied by default; allow only SSH and HTTPS and enable the firewall:

sudo ufw allow 22/tcp
sudo ufw allow 443/tcp
sudo ufw enable

If Node.js listens on a high port behind Nginx, bind it to 127.0.0.1 rather than opening that port; sudo ufw limit 22/tcp instead of allow adds rate limiting against SSH brute force.
11. Restrict API access by IP. If the API serves only known clients, apply an allowlist with a middleware such as express-ipfilter, for example:

const ipfilter = require('express-ipfilter').IpFilter;

// only these client addresses may reach the routes registered after this line
const ips = ['192.168.1.100', '10.0.0.1'];
app.use(ipfilter(ips, { mode: 'allow' }));

If Node.js sits behind Nginx, the peer address the middleware sees is the proxy's own. Set app.set('trust proxy', ...) to the proxy's address (not simply true) so the client IP is taken from X-Forwarded-For only when the request really came through the proxy; otherwise any client can satisfy the allowlist by sending a forged X-Forwarded-For header.
12. Log and monitor. Record application events (requests, errors, authentication failures) with winston or bunyan in a structured format and ship them to a central platform such as ELK or Splunk; review the system logs (/var/log/syslog, /var/log/auth.log) and the application logs regularly, and alert on anomalies such as a burst of 404 responses from one address (path scanning) or repeated 401/403 responses (credential guessing or attempts to reach restricted resources).
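"Monitor for anomalies" is only actionable once it is expressed as a rule over the log records. The following is an added example, not from the article: a small detector run over structured request logs of the kind winston or bunyan emit (one JSON object per line), flagging any address that produces a burst of 404s within a sliding window and every 401/403. The log lines, field names and thresholds are constructed for this example.

```javascript
// Added example (not from the original article): anomaly detection over
// JSON-per-line request logs. Field names (time, ip, path, status) and the
// sample lines are constructed for this example.

// Parse the log text; lines that are not JSON (stack traces, plain messages)
// are skipped, and events are returned in time order.
function parseLines(text) {
  const events = [];
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    try {
      const e = JSON.parse(line);
      if (typeof e.status === 'number' && typeof e.ip === 'string' && e.time) {
        events.push({ ...e, ts: Date.parse(e.time) });
      }
    } catch (err) { /* not a JSON record */ }
  }
  return events.sort((a, b) => a.ts - b.ts);
}

// Sliding-window rule: alert when one IP produces >= threshold 404s within
// windowMs. One alert per IP, raised the first time the threshold is crossed.
function detect404Bursts(events, { threshold = 10, windowMs = 60000 } = {}) {
  const byIp = new Map();
  const alerted = new Set();
  const alerts = [];
  for (const e of events) {
    if (e.status !== 404) continue;
    const q = byIp.get(e.ip) || [];
    q.push(e.ts);
    while (q.length && e.ts - q[0] > windowMs) q.shift();
    byIp.set(e.ip, q);
    if (q.length >= threshold && !alerted.has(e.ip)) {
      alerted.add(e.ip);
      alerts.push({ type: '404-burst', ip: e.ip, count: q.length, at: new Date(e.ts).toISOString() });
    }
  }
  return alerts;
}

// Every 401/403 is worth a record on its own; correlate them upstream.
function detectAuthFailures(events) {
  return events
    .filter((e) => e.status === 401 || e.status === 403)
    .map((e) => ({ type: 'auth-failure', ip: e.ip, path: e.path, status: e.status, at: e.time }));
}

function analyze(text, opts) {
  const events = parseLines(text);
  return [...detect404Bursts(events, opts), ...detectAuthFailures(events)];
}

// Constructed sample: twelve probes for common admin paths from one address
// within 30 s, normal traffic from another, one forbidden admin request, and
// a non-JSON stack trace that must be skipped.
function sampleLog() {
  const lines = [];
  const base = Date.parse('2024-05-01T10:00:00Z');
  const probes = ['/wp-login.php', '/.env', '/admin', '/phpmyadmin', '/.git/config', '/backup.zip'];
  for (let i = 0; i < 12; i++) {
    lines.push(JSON.stringify({ level: 'info', time: new Date(base + i * 2500).toISOString(),
      ip: '203.0.113.9', method: 'GET', path: probes[i % probes.length], status: 404 }));
  }
  lines.push(JSON.stringify({ level: 'info', time: new Date(base + 5000).toISOString(),
    ip: '198.51.100.4', method: 'GET', path: '/', status: 200 }));
  lines.push(JSON.stringify({ level: 'warn', time: new Date(base + 9000).toISOString(),
    ip: '198.51.100.4', method: 'GET', path: '/admin/users', status: 403 }));
  lines.push('Error: boom\n    at handler (/srv/app/app.js:12:5)');
  return lines.join('\n');
}
```

Run it as `analyze(require('fs').readFileSync('/var/log/app/requests.log', 'utf8'))` (path assumed) from a cron job or a log shipper hook; the window and threshold should be tuned to the site's normal 404 rate before alerts are routed to anyone.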