Does a reverse proxy make node.js safe?

Does a reverse proxy make node.js safe?

I want to put node.js on the cloud for an application which has sensitive corporate information. I am afraid node.js is not as secure as some of the older servers since it has not been in the wild a lot. I saw people recommending to use a reverse proxy with it to make it safer. I understand how it is safer since it is not directly exposed to the world. But still, xss and other attacks are possible. From a security perspective only, anyone thinks that node.js is on par with the older servers? Any tips on “how to convince your boss + the corporate security team”?

Solutions/Answers:

Solution 1:

In theory, a reverse proxy wouldn’t pass on any requests that it itself couldn’t process (including those it’s designed to block intentionally).

However, if there were bugs on node.js that would for example make it disclose the contents of certain variables when a request like

GET /x0c/xa0

is received, then the proxy would just pass on that request and relay the answer to the client (attacker).

So there are still risks…

Solution 2:

The way to convince the boss and security teams is to demonstrate that you have thought through the issues and have a reasonable and realistic plan to test them.

In any corporate setting, your proxy will only be a small part of the overall security and that is how the risks are managed.

In order to test something like this, you will need to throw a number of *un*reasonable requests at the proxy. I like juand’s suggestion for example, you should also throw very large requests at the proxy too.

Related:  Reverse proxy not keeping the original domain name

A Node.js proxy should be at least as secure as an Apache or indeed a custom python/c++ proxy as you need only allow it to proxy very specific items.

Solution 3:

Why don’t create hardcore locking proxy on python, c++, etc, which will control access? Every one who pass this proxy is trusted user and node.js works with them.

References