Software Integrity


The pursuit of hapi-ness: 5 must-have hapi security plugins

hapi is best known for being a scalable, community-centric framework, but it’s clear that security is also a priority for the team behind it. hapi makes it easy for developers to validate configurations quickly and without having to perform (many) workarounds, making for a clean, secure code base. hapi relies on community-approved plugins to help keep your applications secure, especially when it comes to session storage and authentication.

A guide to hapi authentication plugins

Earlier this year we wrote a post about hapi plugins that highlighted a few potential pitfalls with popular hapi authentication plugins. In case you missed it, here’s a condensed recap:

  1. Hapi-server-session
    • What it does: Stores sessions on the server side, but doesn’t integrate with authentication strategies (note: not an official community plugin)
    • Best bet: Add session invalidation functionality and integration with authentication strategies
  2. Hapi-auth-cookie
    • What it does: Offers cookie-based session management where the user might be authenticated through a secondary measure, but requires a custom solution for server-side session storage.
    • Best bet: Add setter and getter methods for storing session data in the server cache (which allows the site to revoke sessions) or, for a more scalable approach, consider a more complex but application-specific session management solution like OAuth 2.0
  3. Yar
    • What it does: Stores sessions on the server side, but isn’t meant as an authentication plugin since it can’t integrate with authentication strategies and automatically creates cookies for unauthorized requests
    • Best bet: Use it as a session management tool to manage forms across multiple web pages for logged-out users
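The "best bet" for hapi-auth-cookie above (setter and getter methods over a server-side store, so the site can revoke sessions), sketched as an added example that is not code from the original post or from any hapi plugin. `SessionStore`, `validateSession` and the in-memory `Map` standing in for the server cache are assumptions made for illustration.

```javascript
'use strict';
const crypto = require('crypto');

// Constructed stand-in for a server cache: the cookie carries only `sid`, the data stays here.
class SessionStore {
    constructor(ttlMs, now = Date.now) {
        this.ttlMs = ttlMs;
        this.now = now; // injectable clock so expiry can be exercised deterministically
        this.sessions = new Map();
    }

    // Setter: create the server-side record and return an unguessable 256-bit id.
    set(credentials) {
        const sid = crypto.randomBytes(32).toString('hex');
        this.sessions.set(sid, { credentials, expires: this.now() + this.ttlMs });
        return sid;
    }

    // Getter: credentials for a live session, or null if unknown, revoked or expired.
    get(sid) {
        const entry = typeof sid === 'string' ? this.sessions.get(sid) : undefined;
        if (!entry) return null;
        if (entry.expires <= this.now()) {
            this.sessions.delete(sid);
            return null;
        }
        return entry.credentials;
    }

    // Revoke a single session (logout).
    revoke(sid) { return this.sessions.delete(sid); }

    // Revoke every session of one user (password change, account lock).
    revokeUser(userId) {
        let count = 0;
        for (const [sid, entry] of this.sessions) {
            if (entry.credentials.userId === userId) { this.sessions.delete(sid); count++; }
        }
        return count;
    }
}

// Per-request check (hypothetical shape): a cookie is only as valid as its server-side record.
function validateSession(store, cookie) {
    const credentials = store.get(cookie && cookie.sid);
    return credentials ? { valid: true, credentials } : { valid: false };
}
```

Because validity is decided by the server-side lookup on every request, a stolen or stale cookie stops working as soon as its record is revoked or expires.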

hapi plugins you can’t live without

We realized that we focused a bit too much on how to avoid security issues when using hapi plugins, and not enough on some of the plugins that get security right. With that in mind, we drew up a list of plugins we like at Synopsys that you should consider using in your hapi application. Here are the 5 plugins you won’t want to live without:

  1. Crumb: Anti cross-site-request-forgery (CSRF) token generation and validation plugin. It works both with regular requests and CORS requests (OWASP recommends using CSRF protection, such as Crumb, along with CORS). Synopsys recommends using Crumb v3.0.0 or newer, which fixes a CSRF token leakage issue that occurred when Crumb was used with CORS enabled and the request origin did not match those specified in the CORS configuration.
  2. Joi: Object schema description language and validator for JavaScript objects. Joi allows developers to define a schema for an object and then evaluate the object against that schema, thus performing input validation for the object. Everything is defined and evaluated on the server side so that the attacker cannot easily bypass this protection.
  3. hapi-rbac: Allows developers to easily implement role-based access controls. Broad enough to grant or deny access to entire groups; granular enough to grant or deny access to individual users.
  4. Blankie: Allows developers to easily set the Content-Security-Policy header directives. The CSP is flexible enough that it may be implemented on a per-route basis or across all routes.
  5. Cryptiles: Provides general-purpose cryptographic utilities for random number generation, encryption, hashing and fixed-time comparisons of hashes that are based on the Node.js crypto library.

hapi is an excellent fit for developers who are trying to build stronger, more secure applications. There is also the added benefit of the hapi ecosystem producing high-quality plugins that are well maintained. While there is no magic security wand to wave over your code, hapi helps developers to be proactive and make security a priority when developing applications.