How to secure your web application - Part I


[Image: Cybersecurity and web protection - Photo by FLY:D on Unsplash]

It’s a dangerous world out there! 🤯 😱 🙀 Yes, it’s true!

Take a look at this article: Amazon says it mitigated the largest DDoS attack ever recorded

And I have personally experienced a systematic bot attack while working on my new web application. So I thought I would share it with you all; it may help someone out there.

What am I working on? 😃 😃 😃

  • A NodeJS Backend Application
    • An app to handle user requests and perform certain actions based on the user requests
    • Connected to an ArangoDB instance
    • Exposed REST APIs via express.js
  • A ReactJS Frontend Application
    • An admin dashboard to perform administrator tasks
  • Few other micro-services built on NodeJS
    • Back up the database on a regular basis - cronjob
    • Send email notifications on a regular basis - cronjob
    • Etc.

I won’t say it’s a highly sophisticated application. But it has its complexities.

Where is it hosted? 😃 😃 😃

I have hosted the application on Amazon Web Services (AWS):

  • Provisioned an EC2 instance with all the dependencies
  • Used PM2 to carry out application process management

This was my setup.

What happened? 😱 😱 😱

After setting up everything I carried out some sanity tests, and it all went well. But after a week I noticed that every morning the server was throwing a 503 - Service Unavailable error. And the only person actively accessing the resources was me. I started thinking 🤔 🤔 🤔 How come this is happening?

Then I started analyzing the logs via pm2:

pm2 logs --format

Then I realized some bad bots were attacking my web application regularly, making it crash at some point.

Badddddd!!! 🥺

Then I started thinking of making changes to my setup to handle the attacks.

How did I tackle it? 😎 😎 😎

I have tackled the attack at different levels.

  • Application Level - Added rate limiting using the rate limiter library

    • Rate limiting is a very powerful feature for securing backend APIs from malicious attacks and for handling unwanted streams of requests from users. In general terms, it allows us to control the rate at which user requests are processed by our server. More info
  • AWS Web Application Firewall

    • AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources.
    • AWS WAF gives you control over how traffic reaches your applications by enabling you to create security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter out specific traffic patterns you define.
    • You can get started quickly using Managed Rules for AWS WAF, a pre-configured set of rules managed by AWS or AWS Marketplace Sellers.
    • The Managed Rules for WAF address issues like the OWASP Top 10 security risks. These rules are regularly updated as new issues emerge. AWS WAF includes a full-featured API that you can use to automate the creation, deployment, and maintenance of security rules.
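The application-level rate limit from the first bullet is easy to get wrong behind a load balancer, where every request appears to come from the proxy's own address. Here is an added example, not code from the original post or from the rate limiter library it uses, of a sliding-window limiter written as Express-style middleware. It assumes a single trusted proxy (such as an AWS load balancer) that appends the real client address as the last X-Forwarded-For entry; the header names and the 429 response are the usual HTTP conventions.

```javascript
'use strict';

// Resolve the client address. Behind a trusted proxy the socket address is the
// proxy's, so use the right-most X-Forwarded-For entry (appended by the proxy
// itself; earlier entries are supplied by whoever sent the request). Without a
// proxy, the socket address is the truth. Assumption: exactly one trusted proxy.
function clientIp(req, { trustProxy = false } = {}) {
  const xff = req.headers && req.headers['x-forwarded-for'];
  if (trustProxy && typeof xff === 'string' && xff.trim() !== '') {
    const parts = xff.split(',').map((s) => s.trim()).filter(Boolean);
    return parts[parts.length - 1];
  }
  return (req.socket && req.socket.remoteAddress) || 'unknown';
}

// Sliding-window counter: per key, keep the timestamps of requests made within
// the last windowMs. At most `max` timestamps are stored per key.
function createRateLimiter({ windowMs = 60000, max = 100, trustProxy = false, now = Date.now } = {}) {
  const hits = new Map(); // key -> array of request timestamps (ms), oldest first

  // Record one request by `key` at time `ts`; returns whether it is allowed.
  function check(key, ts = now()) {
    const cutoff = ts - windowMs;
    const stamps = hits.get(key) || [];
    while (stamps.length && stamps[0] <= cutoff) stamps.shift(); // expire old hits
    if (stamps.length >= max) {
      hits.set(key, stamps);
      return { allowed: false, remaining: 0, retryAfterMs: stamps[0] + windowMs - ts };
    }
    stamps.push(ts);
    hits.set(key, stamps);
    return { allowed: true, remaining: max - stamps.length, retryAfterMs: 0 };
  }

  // Express-compatible middleware: answer 429 once the limit is reached.
  function middleware(req, res, next) {
    const result = check(clientIp(req, { trustProxy }));
    res.setHeader('X-RateLimit-Limit', String(max));
    res.setHeader('X-RateLimit-Remaining', String(result.remaining));
    if (!result.allowed) {
      res.setHeader('Retry-After', String(Math.ceil(result.retryAfterMs / 1000)));
      res.statusCode = 429;
      res.end('Too Many Requests');
      return;
    }
    next();
  }

  // Drop keys that have been idle for a full window so memory stays bounded;
  // call it from a timer. Returns the number of keys still tracked.
  function prune(ts = now()) {
    const cutoff = ts - windowMs;
    for (const [key, stamps] of hits) {
      if (!stamps.length || stamps[stamps.length - 1] <= cutoff) hits.delete(key);
    }
    return hits.size;
  }

  return { check, middleware, prune, clientIp: (req) => clientIp(req, { trustProxy }) };
}

if (typeof module !== 'undefined') {
  module.exports = { createRateLimiter, clientIp };
}
```

Mount it with `app.use(createRateLimiter({ windowMs: 60000, max: 100, trustProxy: true }).middleware)`. Leave `trustProxy` off when nothing sits in front of the app: with it on and no proxy, a client can choose its own key through the header, which defeats the limit. The counts live in a per-process Map, so under PM2 cluster mode or Auto Scaling each instance limits independently; a shared store such as Redis is needed for a limit across instances.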

Once I had provisioned this service, I started monitoring the network logs and found the issues in detail.

I employed AWS Managed Rules - these are predefined rules that capture common threats. I also added my own specific rules, and I have seen the results. 🤓 🤓 🤓
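Monitoring the WAF logs, as described above, is easier with a small script that aggregates them. The following is an added example, not from the original post, that parses AWS WAF JSON log records (one object per request, with `action`, `terminatingRuleId` and `httpRequest.clientIp` among the fields) and reports which rules fire and which addresses are blocked most often. The log lines embedded in it are constructed for the example, the IPs are documentation addresses, and the rule names are assumed names of rules in a web ACL, not the post's.

```javascript
'use strict';

// Constructed sample AWS WAF log records (one JSON object per line, as WAF
// writes them). Field names follow the WAF log format; rule names and IPs are
// made up for the example.
const SAMPLE_WAF_LOG = [
  '{"timestamp":1600000000000,"action":"BLOCK","terminatingRuleId":"AWSManagedRulesCommonRuleSet","httpRequest":{"clientIp":"198.51.100.23","uri":"/admin","httpMethod":"POST"}}',
  '{"timestamp":1600000001000,"action":"BLOCK","terminatingRuleId":"AWSManagedRulesCommonRuleSet","httpRequest":{"clientIp":"198.51.100.23","uri":"/login","httpMethod":"POST"}}',
  '{"timestamp":1600000002000,"action":"BLOCK","terminatingRuleId":"RateLimitPerIp","httpRequest":{"clientIp":"203.0.113.8","uri":"/api/users","httpMethod":"GET"}}',
  '{"timestamp":1600000003000,"action":"ALLOW","terminatingRuleId":"Default_Action","httpRequest":{"clientIp":"192.0.2.10","uri":"/api/users","httpMethod":"GET"}}',
  'not a json record',
];

// Parse log lines, keeping well-formed records and counting the rest so that
// a truncated or corrupted file is noticed rather than silently skipped.
function parseWafLog(lines) {
  const records = [];
  let malformed = 0;
  for (const line of lines) {
    if (!line.trim()) continue;
    try {
      const rec = JSON.parse(line);
      if (rec && typeof rec.action === 'string' && rec.httpRequest && rec.httpRequest.clientIp) {
        records.push(rec);
      } else {
        malformed += 1;
      }
    } catch (err) {
      malformed += 1;
    }
  }
  return { records, malformed };
}

// Aggregate: requests blocked per terminating rule, and the client addresses
// blocked most often (ties broken by address so output is stable).
function summariseWafLog(records) {
  const byRule = {};
  const blockedByIp = {};
  let blocked = 0;
  let allowed = 0;
  for (const rec of records) {
    if (rec.action === 'BLOCK') {
      blocked += 1;
      byRule[rec.terminatingRuleId] = (byRule[rec.terminatingRuleId] || 0) + 1;
      const ip = rec.httpRequest.clientIp;
      blockedByIp[ip] = (blockedByIp[ip] || 0) + 1;
    } else {
      allowed += 1;
    }
  }
  const topBlockedIps = Object.entries(blockedByIp)
    .map(([ip, count]) => ({ ip, count }))
    .sort((a, b) => b.count - a.count || a.ip.localeCompare(b.ip));
  return { total: records.length, blocked, allowed, byRule, topBlockedIps };
}

// Addresses blocked at least `threshold` times: candidates to review for an
// explicit IP set rule, not something to add blindly.
function ipSetCandidates(summary, threshold) {
  return summary.topBlockedIps.filter((e) => e.count >= threshold).map((e) => e.ip);
}

// Whole pipeline over an array of log lines.
function analyseWafLog(lines, threshold = 2) {
  const { records, malformed } = parseWafLog(lines);
  const summary = summariseWafLog(records);
  return { ...summary, malformed, ipSetCandidates: ipSetCandidates(summary, threshold) };
}

if (typeof module !== 'undefined') {
  module.exports = { SAMPLE_WAF_LOG, parseWafLog, summariseWafLog, ipSetCandidates, analyseWafLog };
}
```

To run it over a real export, read the file and split it into lines, for example `analyseWafLog(require('fs').readFileSync('waf.log', 'utf8').split('\n'))`. The `malformed` count matters: a logging pipeline that drops or truncates records hides exactly the traffic you are trying to see.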

[Image: AWS WAF Dashboard]

AWS WAF pricing was also reasonable; they only charged me under $10. 🤗

Even so, this was not enough, and I know the security of the application is something that you have to monitor regularly.

Also, I have added some more AWS Services during this period:

  • AWS Certificate Manager to install the HTTPS certificate
  • AWS Route 53 - DNS web service
  • AWS Autoscaling - AWS Auto Scaling monitors your applications and automatically adjusts capacity to maintain steady, predictable performance at the lowest possible cost.

Best practices? 👨‍💻 👨‍💻 👨‍💻

  • Add rate limiting to your API resources
  • Adhere to secure programming practices - For NodeJS
  • Install HTTPS certificate
  • Restrict access to the server via IP filtering for development purposes
  • Provision web application firewall according to the cloud system you are using
  • Enable system level logging and employ process managers
  • Carry out an internal security audit using the OWASP Top Ten: https://owasp.org/www-project-top-ten/

To be continued…