
Vue.js is a popular open-source JavaScript framework for building single-page applications and user interfaces. If you’re leveraging this lightweight framework for your apps, here are some security tips to keep in mind during and after development.
Follow Vue.js’ official recommendations
We would be remiss if we didn’t point out that the Vue.js documentation includes a list of security best practices that you should follow. In some cases, Vue.js comes with built-in features to keep you secure (e.g., in cases where you use untrusted templates), but in most cases, it’s up to you to eliminate the use of insecure practices.
Furthermore, the Vue.js style guide features many recommendations, including rule categories they’ve divided into priority levels. At the very least, we recommend that you follow those indicated as essential and strongly recommended.
In general, such recommendations aren’t security-related, strictly speaking. Still, cleaner code makes everything easier to read, more accessible to update, and easier to manage, all of which contribute to making the security-related steps of the software development lifecycle easier.
XSS is still a significant concern, so watch out for common mistakes
XSS is a major problem, especially for apps built with front-end JavaScript frameworks, so many such frameworks include XSS protection. However, that doesn’t mean XSS is impossible.
For example, inserting query-string values directly into the DOM is a mistake the framework’s built-in protections may not catch, yet one attackers can exploit (and misuse of the v-html directive, which renders raw HTML, is similarly dangerous). Sanitization libraries such as DOMPurify can help as well.
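The following is an added example, not code from the original post, that models the two patterns described above without needing Vue or a browser: Vue’s {{ }} text interpolation HTML-escapes what it renders, while v-html inserts raw markup. The escapeHtml() helper here stands in for Vue’s escaping, the sample URL and its “name” parameter are constructed, and hasInjectedTag() is a check written for this example.

```javascript
// Added example (not from the original post): how an untrusted query-string
// value reaches the DOM in a Vue template. escapeHtml() is a stand-in for the
// escaping Vue applies to {{ }} interpolation; v-html applies none.

// Constructed sample URL with an attacker-controlled "name" parameter.
const SAMPLE_URL =
  "https://example.test/welcome?name=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E";

function getQueryParam(url, key) {
  // URLSearchParams decodes the percent-encoding for us.
  return new URL(url).searchParams.get(key) ?? "";
}

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable pattern: equivalent of
//   <h1 v-html="'Welcome ' + $route.query.name"></h1>
// The parameter is inserted as markup, so any tag it contains becomes part of the DOM.
function renderWelcomeUnsafe(url) {
  const name = getQueryParam(url, "name");
  return `<h1>Welcome ${name}</h1>`;
}

// Safe pattern: equivalent of
//   <h1>Welcome {{ $route.query.name }}</h1>
// The parameter is inserted as text, so tags are rendered as literal characters.
function renderWelcomeSafe(url) {
  const name = getQueryParam(url, "name");
  return `<h1>Welcome ${escapeHtml(name)}</h1>`;
}

// Heuristic check for this example: any tag other than the template's own <h1>
// means injected markup survived rendering.
function hasInjectedTag(html) {
  return /<(?!\/?h1\b)[a-z]/i.test(html);
}

console.log("unsafe:", renderWelcomeUnsafe(SAMPLE_URL));
console.log("safe:  ", renderWelcomeSafe(SAMPLE_URL));
```

When a feature genuinely needs user-supplied markup (a rich-text comment, for instance), pass it through DOMPurify.sanitize() before binding it with v-html rather than trusting the source; everything else should go through text interpolation or attribute bindings, which Vue escapes for you.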
Keep your npm packages updated
This isn’t Vue.js-specific, but if you’re using any dependencies in your app, make sure that you keep them up to date to get the latest features and security fixes. (You’d be surprised at how many apps there are without updated dependencies, especially those in production that have specific version locks!)
Use a SAST tool to find the vulnerabilities present in your application
There are several ways to identify vulnerabilities present in your application.
You might have a security researcher identify all of the potentially problematic aspects of the application. Or, you might set up bug bounties where interested third parties attack your production application to see what’s vulnerable and what’s not.
There are also static application security testing (SAST) tools, which look for vulnerabilities without running the program (and many, such as ShiftLeft’s NG SAST, offer additional features such as configurable build rules that halt the build if the tool finds specific vulnerabilities or too many vulnerabilities overall).
With SAST, you’ll find vulnerabilities faster than someone working through the code manually would, which makes it an effective line of defense.
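To make the “without running the program” and “build rule” ideas concrete, here is an added toy static rule, not code from the original post and not ShiftLeft’s NG SAST: it scans the text of a Vue single-file component’s template for v-html bindings, rates each one by whether its expression reads from the URL, and applies a build-gate policy to the findings. The sample component, the URL_SOURCES pattern, and the policy thresholds are all constructed for this example.

```javascript
// Added example (not from the original post; not ShiftLeft's NG SAST): a toy
// static rule over Vue template source text plus a build gate. Nothing here
// executes the component, which is what makes the check "static".

// Constructed sample single-file component to scan.
const SAMPLE_SFC = `<template>
  <div>
    <h1>Welcome {{ $route.query.name }}</h1>
    <p v-html="$route.query.banner"></p>
    <p v-html="article.body"></p>
    <span v-html="'static'"></span>
  </div>
</template>`;

// Expressions that read straight from the URL get the highest severity.
const URL_SOURCES = /\$route\.query|\$route\.params|location\.|URLSearchParams/;

// Returns one finding per v-html binding: { line, expression, severity }.
function scanVueTemplate(sfcText) {
  const findings = [];
  const templateMatch = sfcText.match(/<template>([\s\S]*?)<\/template>/);
  if (!templateMatch) return findings;

  // Line number of the <template> tag itself, so findings report real line numbers.
  const templateStart = sfcText.slice(0, templateMatch.index).split("\n").length;
  const lines = templateMatch[1].split("\n");

  lines.forEach((line, i) => {
    const m = line.match(/v-html\s*=\s*"([^"]*)"/);
    if (!m) return;
    const expression = m[1].trim();
    const isStringLiteral = /^'[^']*'$/.test(expression);
    let severity;
    if (isStringLiteral) severity = "info"; // constant markup, no untrusted input
    else if (URL_SOURCES.test(expression)) severity = "high"; // URL-controlled
    else severity = "medium"; // data whose origin the rule cannot see
    findings.push({ line: templateStart + i, expression, severity });
  });
  return findings;
}

// Build gate modelled on the "halt if too many findings" rules the post mentions.
function shouldFailBuild(findings, policy = { maxHigh: 0, maxMedium: 5 }) {
  const count = (sev) => findings.filter((f) => f.severity === sev).length;
  return count("high") > policy.maxHigh || count("medium") > policy.maxMedium;
}

const report = scanVueTemplate(SAMPLE_SFC);
console.table(report);
console.log("fail build:", shouldFailBuild(report));
```

A real SAST engine does this with a parsed syntax tree and data-flow tracking rather than line-by-line regexes, so it can follow a query parameter through a computed property into a v-html binding; the gate idea is the same, and the thresholds are what the post calls configurable build rules.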
Conclusion
Keeping a Vue.js app secure isn’t different from keeping any other app safe, JavaScript or not. However, the devil is in the details, so we recommend reviewing the official recommendations, keeping dependencies up to date, and leveraging automated tools to find existing vulnerabilities.
AppSec Tips for Vue.js Users was originally published in ShiftLeft Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.