playbooks

home / skills / openclaw / skills / nodejs-security-audit

nodejs-security-audit skill

/skills/npfaerber/nodejs-security-audit

This skill audits Node.js HTTP servers for security vulnerabilities, covering OWASP Top 10, CORS, auth bypass, XSS, and input validation.

npx playbooks add skill openclaw/skills --skill nodejs-security-audit

Review the files below or copy the command above to add this skill to your agents.

Files (2)
SKILL.md
2.9 KB
---
name: nodejs-security-audit
description: Audit Node.js HTTP servers and web apps for security vulnerabilities. Checks OWASP Top 10, CORS, auth bypass, XSS, path traversal, hardcoded secrets, missing headers, rate limiting, and input validation. Use when reviewing server code before deployment or after changes.
---

# Node.js Security Audit

Structured security audit for Node.js HTTP servers and web applications.

## Audit Checklist

### Critical (Must Fix Before Deploy)

**Hardcoded Secrets**
- Search for: API keys, passwords, tokens in source code
- Pattern: `grep -rn "password\|secret\|token\|apikey\|api_key" --include="*.js" --include="*.ts" | grep -v node_modules | grep -v "process.env\|\.env"`
- Fix: Move to env vars, fail if missing: `if (!process.env.SECRET) process.exit(1);`

**XSS in Dynamic Content**
- Search for: `innerHTML`, template literals injected into DOM, unsanitized user input in responses
- Fix: Use `textContent`, or escape: `str.replace(/[&<>"']/g, c => ({'&':'&amp;','<':'&lt;','>':'&gt;','"':'&quot;',"'":"&#39;"}[c]))`

**SQL/NoSQL Injection**
- Search for: String concatenation in queries, `eval()`, `Function()` with user input
- Fix: Parameterized queries, input validation

### High (Should Fix)

**CORS Misconfiguration**
- Search for: `Access-Control-Allow-Origin: *`
- Fix: Allowlist specific origins: `const origin = ALLOWED.has(req.headers.origin) ? req.headers.origin : ALLOWED.values().next().value`

**Auth Bypass**
- Check: Every route that should require auth actually checks it
- Common miss: Static file routes, agent/webhook endpoints, health checks that expose data

**Path Traversal**
- Check: `path.normalize()` + `startsWith(allowedDir)` on all file-serving routes
- Extra: Resolve symlinks with `fs.realpathSync()` and re-check

### Medium (Recommended)

**Security Headers**
```javascript
const HEADERS = {
  'X-Frame-Options': 'SAMEORIGIN',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
};
// Apply to all responses
```

**Rate Limiting**
```javascript
const attempts = new Map(); // ip -> { count, resetAt }
const LIMIT = 5, WINDOW = 60000;
function isLimited(ip) {
  const now = Date.now(), e = attempts.get(ip);
  if (!e || now > e.resetAt) { attempts.set(ip, {count:1, resetAt:now+WINDOW}); return false; }
  return ++e.count > LIMIT;
}
```

**Input Validation**
- Body size limits: `if (bodySize > 1048576) { req.destroy(); return; }`
- JSON parse in try/catch
- Type checking on expected fields

### Low (Consider)

**Dependency Audit:** `npm audit`
**Error Leakage:** Don't send stack traces to clients in production
**Cookie Security:** `HttpOnly; Secure; SameSite=Strict`

## Report Format

```
## Security Audit: [filename]

### Critical
1. **[Category]** Description — File:Line — Fix: ...

### High
...

### Medium
...

### Low
...

### Summary
X critical, X high, X medium, X low
```

Overview

This skill audits Node.js HTTP servers and web applications for common security vulnerabilities before deployment. It focuses on OWASP Top 10 issues plus practical checks like CORS, auth bypass, XSS, path traversal, hardcoded secrets, missing security headers, rate limiting, and input validation. Use it to produce a concise, prioritized remediation report tied to files and lines.

How this skill works

The audit scans source files and running routes to identify risky patterns (hardcoded secrets, unsafe DOM injection, string concatenation in queries, permissive CORS headers, etc.). It groups findings by severity (Critical, High, Medium, Low) and produces a report template listing file:line, description and recommended fixes. The skill also suggests concrete code changes and defensive defaults (env vars, header sets, rate limits, input size checks).

When to use it

  • Before initial production deployment of a Node.js HTTP server or web app
  • After code changes that touch auth, file serving, or input handling
  • During security reviews or pre-release QA cycles
  • When integrating third-party modules that handle requests or file I/O
  • When hardening an app in response to a vulnerability disclosure

Best practices

  • Fail fast on missing secrets: require critical env vars at startup instead of defaulting
  • Prefer parameterized queries and avoid dynamic query string concatenation
  • Sanitize or escape all user-controlled output; use textContent over innerHTML
  • Implement origin allowlists instead of Access-Control-Allow-Origin: *
  • Apply a consistent set of security headers on every response
  • Rate limit abusive endpoints and enforce body size and type checks

Example use cases

  • Run a pre-deploy audit to find hardcoded API keys and prevent leaks
  • Scan a file-serving route to detect path traversal or symlink bypass
  • Validate that health and webhook endpoints don't accidentally expose data or skip auth
  • Identify missing XSS protections in server-rendered templates
  • Verify that CORS configuration and security headers meet policy requirements

FAQ

Does the audit automatically fix issues?

No — it reports findings and suggests concrete fixes and code snippets, but you must apply changes and run tests.

How are findings prioritized?

Findings are grouped by severity: Critical (must fix before deploy), High (should fix), Medium (recommended), and Low (informational).