Implementation of web application security on node.js: main threats and security methods

Authors

DOI:

https://doi.org/10.17721/ISTS.2025.9.61-73

Keywords:

Node.js, web application security, SQL injections, access control, rate limiting, input filtering, multi-level protection, data confidentiality, software vulnerability, cybersecurity

Abstract

Background. The rapid development of web technologies and the growing popularity of web applications built on the Node.js platform open new opportunities for digital business while also increasing exposure to cyber threats. A key problem of modern cybersecurity is protecting such systems from unauthorized access and data integrity violations while ensuring their stable operation. As attacks on web resources increase, security measures that can be integrated without significant performance degradation become particularly relevant. Multi-level mechanisms, including access control, input validation, and database query parameterization, form the foundation of the modern approach to secure development.
Methods. This work conducted a systematic analysis of modern methods for ensuring web application security, with a focus on Node.js. Theoretical modeling, comparative analysis, practical testing of security mechanisms, and analysis of the effectiveness of various strategies were used. Special attention was paid to integrating protection mechanisms such as rate limiting, parameterized SQL queries, user input filtering, and the principle of least privilege. For each method, performance overhead, attack detection accuracy, and compatibility with the Node.js architecture were evaluated.
Results. The analysis showed that the most effective approach to protecting web applications is combining several complementary strategies. For example, parameterized queries significantly reduce the risk of SQL injection, while access control on critical resources prevents unauthorized data modification. It was shown that combining rate limiting and input filtering significantly increases application resistance to brute-force and script injection attacks. At the same time, these measures do not create substantial system load, so they can be deployed in real-world conditions. Optimal configurations of the protective mechanisms were determined depending on the threat level and the functional requirements of the web application.
Conclusions. Protecting web applications built on Node.js requires a systematic and comprehensive approach. Combining several protection methods achieves a high level of security without reducing application efficiency. The results can be used to build integrated systems for detecting and preventing cyber threats that take into account the architectural features of Node.js. Beyond technical aspects, the importance of security policies that encompass both technological and organizational components is emphasized. Systematic implementation of these approaches will keep applications resilient even as cyber threats grow more complex.

Published

2025-08-29

Issue

Section

Cybersecurity and information protection

How to Cite

Implementation of web application security on node.js: main threats and security methods. (2025). Information Systems and Technologies Security, 1(9), 61-73. https://doi.org/10.17721/ISTS.2025.9.61-73