π¦ ClawHub
Node.js Security Audit
by @npfaerber
Audit Node.js HTTP servers and web apps for security vulnerabilities. Checks OWASP Top 10, CORS, auth bypass, XSS, path traversal, hardcoded secrets, missing...
TERMINAL
clawhub install nodejs-security-auditπ About This Skill
name: nodejs-security-audit description: Audit Node.js HTTP servers and web apps for security vulnerabilities. Checks OWASP Top 10, CORS, auth bypass, XSS, path traversal, hardcoded secrets, missing headers, rate limiting, and input validation. Use when reviewing server code before deployment or after changes.
Node.js Security Audit
Structured security audit for Node.js HTTP servers and web applications.
Audit Checklist
Critical (Must Fix Before Deploy)
Hardcoded Secrets
grep -rn "password\|secret\|token\|apikey\|api_key" --include="*.js" --include="*.ts" | grep -v node_modules | grep -v "process.env\|\.env"if (!process.env.SECRET) process.exit(1);XSS in Dynamic Content
innerHTML, template literals injected into DOM, unsanitized user input in responsestextContent, or escape: str.replace(/[&<>"']/g, c => ({'&':'&','<':'<','>':'>','"':'"',"'":"'"}[c]))SQL/NoSQL Injection
eval(), Function() with user inputHigh (Should Fix)
CORS Misconfiguration
Access-Control-Allow-Origin: *const origin = ALLOWED.has(req.headers.origin) ? req.headers.origin : ALLOWED.values().next().valueAuth Bypass
Path Traversal
path.normalize() + startsWith(allowedDir) on all file-serving routesfs.realpathSync() and re-checkMedium (Recommended)
Security Headers
const HEADERS = {
'X-Frame-Options': 'SAMEORIGIN',
'X-Content-Type-Options': 'nosniff',
'Referrer-Policy': 'strict-origin-when-cross-origin',
'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
};
// Apply to all responses
Rate Limiting
const attempts = new Map(); // ip -> { count, resetAt }
const LIMIT = 5, WINDOW = 60000;
function isLimited(ip) {
const now = Date.now(), e = attempts.get(ip);
if (!e || now > e.resetAt) { attempts.set(ip, {count:1, resetAt:now+WINDOW}); return false; }
return ++e.count > LIMIT;
}
Input Validation
if (bodySize > 1048576) { req.destroy(); return; }Low (Consider)
Dependency Audit: npm audit
Error Leakage: Don't send stack traces to clients in production
Cookie Security: HttpOnly; Secure; SameSite=Strict
Report Format
## Security Audit: [filename]Critical
1. [Category] Description β File:Line β Fix: ...High
...Medium
...Low
...Summary
X critical, X high, X medium, X low