In our opinion, we should avoid using the eval function in any code, and we have good reasons to support that claim. Number one, attackers can easily inject malicious code through eval, and number two, it has slow performance. There are some other, similar functions you might want to avoid, such as the new Function constructor and setTimeout and setInterval (when given a code string instead of a function). The Function constructor takes one or more string arguments for the parameter names and the code to run. Just like eval, it lets people run code from a string, which means people can run anything that fits in a string. We reduce a lot of cross-site scripting risk when we eliminate these constructs, because attackers can no longer inject malicious content through them.
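The following is an added example, not code from the original article: it puts the two dangerous patterns described above (eval on request text, new Function with a field name) next to the data-only alternatives. The option strings and the record shape are constructed sample inputs.

```javascript
// Constructed sample inputs (not from the article). The second one is a
// valid-looking options string with a statement appended after it.
const benignInput = '{"limit": 10, "sort": "name"}';
const hostileInput = '({"limit": 10}); globalThis.sideEffect = "code ran"';

// BAD: whatever is in the string runs with the app's privileges.
function parseOptionsUnsafe(text) {
  return eval(text);
}

// GOOD: JSON.parse yields data only; anything that is not a JSON object is
// rejected instead of executed.
function parseOptionsSafe(text) {
  try {
    const parsed = JSON.parse(text);
    if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
      return null;
    }
    return parsed;
  } catch {
    return null;
  }
}

// BAD: a field name taken from the request is concatenated into source code.
function getFieldUnsafe(record, field) {
  return new Function('r', 'return r.' + field)(record);
}

// GOOD: only fields we chose are readable, looked up as plain properties.
const SORTABLE_FIELDS = new Set(['name', 'createdAt', 'size']);
function getFieldSafe(record, field) {
  if (!SORTABLE_FIELDS.has(field)) {
    throw new RangeError(`unsupported field: ${field}`);
  }
  return Object.prototype.hasOwnProperty.call(record, field) ? record[field] : undefined;
}

// Same idea for timers: pass a function, never a code string.
function scheduleCleanup(callback, delayMs) {
  return setTimeout(callback, delayMs);     // not setTimeout('cleanup()', delayMs)
}
```

The unsafe parser returns "code ran" for the hostile input and leaves `globalThis.sideEffect` set, which is exactly the behaviour the article warns about; the safe parser returns `null` for the same string because it is not valid JSON.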
Prevent Brute-Force Attacks Against Authorization
Rate limiting a site's or app's login routes gives us additional security. It limits an attacker's failed login attempts within a period of time, so they cannot make enough guesses to succeed. To do this, we can check the IP address, or the ID or name of the computer that is trying to log in.
Use express-brute to add brute-force protection to an app. Then, when an attacker hits the route too often, they will get a 429 response indicating that the route has been hit too many times from the same origin.
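To show what the 429 behaviour above amounts to, here is an added example of a minimal fixed-window limiter for failed logins, keyed by client IP. It is not express-brute's code and not from the article; the limits, the IP addresses and the clock are constructed so the simulation runs offline.

```javascript
// Added example: fixed-window counter of failed logins per client key.
const MAX_FAILURES = 5;              // failed attempts allowed per window
const WINDOW_MS = 15 * 60 * 1000;    // 15 minutes

class LoginRateLimiter {
  constructor({ maxFailures = MAX_FAILURES, windowMs = WINDOW_MS, now = () => Date.now() } = {}) {
    this.maxFailures = maxFailures;
    this.windowMs = windowMs;
    this.now = now;                  // injectable clock so a test can advance time
    this.buckets = new Map();        // key -> { count, windowStart }
  }

  bucketFor(key) {
    const t = this.now();
    let bucket = this.buckets.get(key);
    if (!bucket || t - bucket.windowStart >= this.windowMs) {
      bucket = { count: 0, windowStart: t };   // new or expired window
      this.buckets.set(key, bucket);
    }
    return bucket;
  }

  // True once the client has used up its failed attempts in this window.
  isBlocked(key) {
    return this.bucketFor(key).count >= this.maxFailures;
  }

  recordFailure(key) {
    this.bucketFor(key).count += 1;
  }

  recordSuccess(key) {
    this.buckets.delete(key);        // a valid login clears the counter
  }

  // Express-style middleware for a login route: 429 when blocked.
  middleware() {
    return (req, res, next) => {
      if (this.isBlocked(req.ip)) {
        res.set('Retry-After', String(Math.ceil(this.windowMs / 1000)));
        return res.status(429).json({ error: 'Too many failed login attempts' });
      }
      next();
    };
  }
}

// Offline simulation: one client fails repeatedly, another never does.
function simulate() {
  let clock = 0;
  const limiter = new LoginRateLimiter({ maxFailures: 3, windowMs: 1000, now: () => clock });
  const attacker = '203.0.113.7';          // constructed documentation address
  const bystander = '198.51.100.2';
  const results = [];
  for (let i = 0; i < 5; i++) {
    if (limiter.isBlocked(attacker)) { results.push(429); continue; }
    limiter.recordFailure(attacker);        // pretend the password was wrong
    results.push(401);
  }
  clock = 1000;                             // the window expires
  results.push(limiter.isBlocked(attacker) ? 429 : 401);
  results.push(limiter.isBlocked(bystander) ? 429 : 401);
  return results;
}
```

The simulation yields three 401s, then 429s until the window rolls over, while the other address is never affected. Keying on the IP alone is the simplest option the article mentions; many clients behind one NAT or proxy share an address, so production code usually combines the address with the attempted account name or a device identifier to avoid locking out bystanders.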
Avoid Module Loading Using a Variable
Ideally, variables should not be used to load a module, because doing so loosens our app's security by giving attackers a chance to inject malicious code into our app and run it. The same principle applies to any process that requires accessing files, such as reading files. eslint-plugin-security can detect this and stop you from committing such changes.
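As an added example (not the article's or eslint-plugin-security's code), the block below applies the rule to both cases: module loading goes through an allowlist whose `require` calls are literal strings, and a user-supplied file name is confined to a base directory before any file API sees it. The handler names, module paths and directories are constructed.

```javascript
// Allowlisted loaders: every require() argument is a literal, so the
// request string never becomes a module path.
const HANDLER_LOADERS = Object.freeze({
  csv: () => require('./handlers/csv'),    // constructed module paths
  json: () => require('./handlers/json'),
  xml: () => require('./handlers/xml'),
});

// BAD: the request string itself is passed to require().
function loadHandlerUnsafe(name) {
  return require(name);
}

// GOOD: only names we listed are accepted; prototype names such as
// "constructor" are rejected because hasOwnProperty is used, not "in".
function hasHandler(name) {
  return Object.prototype.hasOwnProperty.call(HANDLER_LOADERS, name);
}
function loadHandlerSafe(name) {
  if (!hasHandler(name)) {
    throw new RangeError(`unknown handler: ${name}`);
  }
  return HANDLER_LOADERS[name]();
}

// File access: normalise the user-supplied path segment by segment and
// refuse anything that would climb above baseDir. Returns null on rejection.
function confinePath(baseDir, userPath) {
  const base = baseDir.replace(/\/+$/, '');
  const segments = [];
  for (const seg of userPath.split(/[\\/]+/)) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      if (segments.length === 0) return null;   // would escape baseDir
      segments.pop();
      continue;
    }
    if (seg.includes('\0')) return null;        // NUL bytes truncate paths in C APIs
    segments.push(seg);
  }
  return segments.length ? `${base}/${segments.join('/')}` : base;
}

// Usage sketch for a download route (fs call left out so the example runs
// without a real directory): const target = confinePath('/srv/uploads', req.params.name);
// if (target === null) respond 400, otherwise fs.readFile(target, ...).
```

Because each `require` call in `HANDLER_LOADERS` receives a string literal, eslint-plugin-security's detect-non-literal-require rule has nothing to flag, whereas `loadHandlerUnsafe` is exactly the pattern it reports. `confinePath` treats an absolute input such as `/secret.txt` as relative to the base directory, so the result always stays under `baseDir`.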
Prevent RegExp From Overloading Single Thread Execution