\nsecurityTests.addTest(‘XSS Protection Test’, async () => {
\n const xssPayloads = [
\n ‘alert(“XSS”)’,
\n ‘
\n ‘javascript:alert(“XSS”)’
\n ];<\/p>\n
Di era digital di mana cyber threats semakin sophisticated, web application security menjadi prioritas utama untuk developer dan bisnis. Data breaches dapat menyebabkan kerugian finansial yang signifikan, kehilangan kepercayaan customer, dan konsekuensi legal yang serius. Artikel ini akan memberikan comprehensive guide tentang web application security best practices di tahun 2025.<\/p>\n
Understanding Modern Cybersecurity Landscape<\/p>\n
1. Current Threat Landscape di 2025
\n\u2022 Ransomware Evolution: More sophisticated encryption methods dan targeted attacks
\n\u2022 AI-Powered Attacks: Machine learning untuk automated vulnerability scanning
\n\u2022 Supply Chain Attacks: Compromise melalui third-party dependencies
\n\u2022 API Security Threats: Increased API attack vectors dan data exposure
\n\u2022 Cloud Security Challenges: Multi-cloud environment complexities<\/p>\n
2. Indonesia Cybersecurity Context
\n\u2022 Regulatory Compliance: PDPA (Personal Data Protection Act) implementation
\n\u2022 Financial Sector: BI (Bank Indonesia) security regulations
\n\u2022 Government Sector: SINAP dan national cybersecurity frameworks
\n\u2022 Startup Ecosystem: Growing security awareness dalam tech community<\/p>\n
3. Attack Vectors Evolution
\n\u2022 Traditional Web Vulnerabilities: SQL injection, XSS, CSRF masih relevan
\n\u2022 Modern Attack Patterns: API abuse, business logic flaws, zero-day exploits
\n\u2022 Social Engineering: Phishing, vishing, dan social media attacks
\n\u2022 Infrastructure Attacks: DDoS, DNS attacks, network intrusion<\/p>\n
OWASP Top 10 2021 Updated Implementation<\/p>\n
1. A01: Broken Access Control
\n“`javascript
\n\/\/ Broken Access Control Examples dan Solutions<\/p>\n
\/\/ VULNERABLE: No authorization check
\napp.get(‘\/api\/users\/:id’, async (req, res) => {
\n const user = await User.findById(req.params.id);
\n res.json(user); \/\/ Any user can access any user data!
\n});<\/p>\n
\/\/ SECURE: Proper authorization check
\napp.get(‘\/api\/users\/:id’, async (req, res) => {
\n \/\/ Check if user has permission to access resource
\n if (req.user.id !== req.params.id && !req.user.isAdmin) {
\n return res.status(403).json({ error: ‘Access denied’ });
\n }<\/p>\n
const user = await User.findById(req.params.id);
\n if (!user) {
\n return res.status(404).json({ error: ‘User not found’ });
\n }<\/p>\n
res.json(user);
\n});<\/p>\n
\/\/ Role-based access control (RBAC) implementation
\nclass AuthorizationMiddleware {
\n constructor() {
\n this.roles = {
\n admin: [‘read’, ‘write’, ‘delete’, ‘manage_users’],
\n editor: [‘read’, ‘write’],
\n viewer: [‘read’]
\n };
\n }<\/p>\n
requirePermission(permission) {
\n return (req, res, next) => {
\n const userRole = req.user.role;
\n const userPermissions = this.roles[userRole] || [];<\/p>\n
if (!userPermissions.includes(permission)) {
\n return res.status(403).json({
\n error: ‘Insufficient permissions’,
\n required: permission,
\n current: userRole
\n });
\n }<\/p>\n
next();
\n };
\n }<\/p>\n
requireOwnership(resourceType) {
\n return async (req, res, next) => {
\n try {
\n const resourceId = req.params.id;
\n const userId = req.user.id;<\/p>\n
let resource;
\n switch (resourceType) {
\n case ‘post’:
\n resource = await Post.findById(resourceId);
\n break;
\n case ‘comment’:
\n resource = await Comment.findById(resourceId);
\n break;
\n default:
\n return res.status(400).json({ error: ‘Invalid resource type’ });
\n }<\/p>\n
if (!resource) {
\n return res.status(404).json({ error: ‘Resource not found’ });
\n }<\/p>\n
\/\/ Admin can access all resources
\n if (req.user.role === ‘admin’) {
\n req.resource = resource;
\n return next();
\n }<\/p>\n
\/\/ Check ownership
\n if (resource.author.toString() !== userId) {
\n return res.status(403).json({ error: ‘Access denied’ });
\n }<\/p>\n
req.resource = resource;
\n next();
\n } catch (error) {
\n res.status(500).json({ error: ‘Authorization check failed’ });
\n }
\n };
\n }
\n}<\/p>\n
\/\/ Usage
\nconst authz = new AuthorizationMiddleware();
\napp.get(‘\/api\/posts\/:id’, authenticateToken, authz.requireOwnership(‘post’), getPost);
\napp.delete(‘\/api\/posts\/:id’, authenticateToken, authz.requirePermission(‘delete’), authz.requireOwnership(‘post’), deletePost);
\n“`<\/p>\n
2. A02: Cryptographic Failures
\n“`javascript
\n\/\/ Secure Cryptographic Implementation<\/p>\n
import crypto from ‘crypto’;
\nimport bcrypt from ‘bcrypt’;
\nimport jsonwebtoken from ‘jsonwebtoken’;<\/p>\n
class SecurityService {
\n constructor() {
\n this.algorithm = ‘aes-256-gcm’;
\n this.keyLength = 32;
\n this.ivLength = 16;
\n this.tagLength = 16;
\n this.saltRounds = 12;
\n }<\/p>\n
\/\/ Generate secure random key
\n generateKey() {
\n return crypto.randomBytes(this.keyLength);
\n }<\/p>\n
\/\/ Encrypt sensitive data
\n encrypt(text, key) {
\n const iv = crypto.randomBytes(this.ivLength);
\n const cipher = crypto.createCipher(this.algorithm, key, iv);<\/p>\n
let encrypted = cipher.update(text, ‘utf8’, ‘hex’);
\n encrypted += cipher.final(‘hex’);<\/p>\n
const tag = cipher.getAuthTag();<\/p>\n
return {
\n iv: iv.toString(‘hex’),
\n encryptedData: encrypted,
\n tag: tag.toString(‘hex’)
\n };
\n }<\/p>\n
\/\/ Decrypt sensitive data
\n decrypt(encryptedData, key, iv, tag) {
\n const decipher = crypto.createDecipher(this.algorithm, key, Buffer.from(iv, ‘hex’));
\n decipher.setAuthTag(Buffer.from(tag, ‘hex’));<\/p>\n
let decrypted = decipher.update(encryptedData, ‘hex’, ‘utf8’);
\n decrypted += decipher.final(‘utf8′);<\/p>\n
return decrypted;
\n }<\/p>\n
\/\/ Secure password hashing
\n async hashPassword(password) {
\n const salt = await bcrypt.genSalt(this.saltRounds);
\n return bcrypt.hash(password, salt);
\n }<\/p>\n
\/\/ Verify password
\n async verifyPassword(password, hash) {
\n return bcrypt.compare(password, hash);
\n }<\/p>\n
\/\/ Generate JWT token with security best practices
\n generateToken(payload, expiresIn = ’15m’) {
\n const jwtPayload = {
\n sub: payload.userId,
\n email: payload.email,
\n role: payload.role,
\n iat: Math.floor(Date.now() \/ 1000),
\n \/\/ Add custom claims
\n permissions: payload.permissions || []
\n };<\/p>\n
const options = {
\n expiresIn,
\n issuer: process.env.JWT_ISSUER,
\n audience: process.env.JWT_AUDIENCE,
\n algorithm: ‘HS256’
\n };<\/p>\n
return jsonwebtoken.sign(jwtPayload, process.env.JWT_SECRET, options);
\n }<\/p>\n
\/\/ Verify JWT token
\n verifyToken(token) {
\n try {
\n const decoded = jsonwebtoken.verify(token, process.env.JWT_SECRET, {
\n issuer: process.env.JWT_ISSUER,
\n audience: process.env.JWT_AUDIENCE,
\n algorithms: [‘HS256’]
\n });<\/p>\n
\/\/ Check token expiration buffer (5 minutes)
\n const now = Math.floor(Date.now() \/ 1000);
\n if (decoded.exp – now < 300) {
\n \/\/ Token will expire soon, consider refresh
\n return { valid: true, decoded, needsRefresh: true };
\n }<\/p>\n
return { valid: true, decoded };
\n } catch (error) {
\n return { valid: false, error: error.message };
\n }
\n }<\/p>\n
\/\/ Generate secure random session ID
\n generateSessionId() {
\n return crypto.randomBytes(32).toString('hex');
\n }<\/p>\n
\/\/ Generate API key
\n generateApiKey() {
\n const prefix = 'ak_';
\n const key = crypto.randomBytes(32).toString('hex');
\n return prefix + key;
\n }
\n}<\/p>\n
\/\/ Secure password policy implementation
\nclass PasswordPolicy {
\n constructor() {
\n this.minLength = 12;
\n this.requireUppercase = true;
\n this.requireLowercase = true;
\n this.requireNumbers = true;
\n this.requireSpecialChars = true;
\n this.maxConsecutiveChars = 2;
\n this.forbiddenPatterns = ['password', '123456', 'qwerty'];
\n }<\/p>\n
validate(password) {
\n const errors = [];<\/p>\n
\/\/ Length check
\n if (password.length < this.minLength) {
\n errors.push(`Password must be at least ${this.minLength} characters long`);
\n }<\/p>\n
\/\/ Character requirements
\n if (this.requireUppercase && !\/[A-Z]\/.test(password)) {
\n errors.push('Password must contain at least one uppercase letter');
\n }<\/p>\n
if (this.requireLowercase && !\/[a-z]\/.test(password)) {
\n errors.push('Password must contain at least one lowercase letter');
\n }<\/p>\n
if (this.requireNumbers && !\/\\d\/.test(password)) {
\n errors.push('Password must contain at least one number');
\n }<\/p>\n
if (this.requireSpecialChars && !\/[!@#$%^&*(),.?":{}|]\/.test(password)) {
\n errors.push(‘Password must contain at least one special character’);
\n }<\/p>\n
\/\/ Consecutive characters check
\n if (this.hasConsecutiveChars(password)) {
\n errors.push(‘Password cannot contain consecutive characters’);
\n }<\/p>\n
\/\/ Forbidden patterns check
\n const lowerPassword = password.toLowerCase();
\n for (const pattern of this.forbiddenPatterns) {
\n if (lowerPassword.includes(pattern)) {
\n errors.push(`Password cannot contain common patterns like “${pattern}”`);
\n }
\n }<\/p>\n
return {
\n isValid: errors.length === 0,
\n errors
\n };
\n }<\/p>\n
hasConsecutiveChars(password) {
\n for (let i = 0; i < password.length – this.maxConsecutiveChars; i++) {
\n let isConsecutive = true;
\n for (let j = 1; j <= this.maxConsecutiveChars; j++) {
\n if (password.charCodeAt(i + j) !== password.charCodeAt(i) + j) {
\n isConsecutive = false;
\n break;
\n }
\n }
\n if (isConsecutive) return true;
\n }
\n return false;
\n }
\n}
\n“`<\/p>\n
3. A03: Injection
\n“`javascript
\n\/\/ SQL Injection Prevention<\/p>\n
import { Pool } from 'pg';
\nimport mongoose from 'mongoose';<\/p>\n
\/\/ Secure Database Query Implementation
\nclass DatabaseService {
\n constructor() {
\n this.pool = new Pool({
\n connectionString: process.env.DATABASE_URL,
\n ssl: process.env.NODE_ENV === 'production'
\n });
\n }<\/p>\n
\/\/ VULNERABLE: SQL Injection prone
\n async getUserUnsafe(email) {
\n const query = `SELECT * FROM users WHERE email = '${email}'`;
\n const result = await this.pool.query(query);
\n return result.rows[0];
\n }<\/p>\n
\/\/ SECURE: Parameterized queries
\n async getUser(email) {
\n const query = 'SELECT * FROM users WHERE email = $1';
\n const result = await this.pool.query(query, [email]);
\n return result.rows[0];
\n }<\/p>\n
\/\/ Secure ORM usage dengan Mongoose
\n async findUserByEmail(email) {
\n try {
\n const user = await User.findOne({ email: email.trim().toLowerCase() });
\n return user;
\n } catch (error) {
\n throw new Error('Database query failed');
\n }
\n }<\/p>\n
\/\/ Advanced query dengan input validation
\n async searchUsers(filters, pagination) {
\n \/\/ Validate inputs
\n const validatedFilters = this.validateFilters(filters);
\n const validatedPagination = this.validatePagination(pagination);<\/p>\n
\/\/ Build query dynamically but safely
\n const query = {};
\n const options = {
\n limit: validatedPagination.limit,
\n skip: validatedPagination.offset,
\n sort: validatedPagination.sort
\n };<\/p>\n
if (validatedFilters.name) {
\n query.name = { $regex: validatedFilters.name, $options: 'i' };
\n }<\/p>\n
if (validatedFilters.role) {
\n query.role = validatedFilters.role;
\n }<\/p>\n
if (validatedFilters.minAge) {
\n query.age = { $gte: parseInt(validatedFilters.minAge) };
\n }<\/p>\n
const users = await User.find(query, null, options);
\n return users;
\n }<\/p>\n
validateFilters(filters) {
\n const validated = {};
\n const allowedFields = ['name', 'role', 'minAge', 'maxAge'];<\/p>\n
for (const [key, value] of Object.entries(filters)) {
\n if (allowedFields.includes(key)) {
\n \/\/ Sanitize input
\n if (typeof value === 'string') {
\n validated[key] = value.trim().replace(\/[]\/g, ”);
\n } else if (typeof value === ‘number’) {
\n validated[key] = Math.max(0, value); \/\/ Ensure positive numbers
\n }
\n }
\n }<\/p>\n
return validated;
\n }<\/p>\n
validatePagination(pagination) {
\n const limit = Math.min(Math.max(1, parseInt(pagination.limit) || 10), 100);
\n const page = Math.max(1, parseInt(pagination.page) || 1);
\n const offset = (page – 1) * limit;<\/p>\n
const allowedSortFields = [‘name’, ‘createdAt’, ‘updatedAt’];
\n const sortField = allowedSortFields.includes(pagination.sortBy)
\n ? pagination.sortBy
\n : ‘createdAt’;<\/p>\n
const sortOrder = pagination.sortOrder === ‘desc’ ? -1 : 1;<\/p>\n
return {
\n limit,
\n offset,
\n sort: { [sortField]: sortOrder }
\n };
\n }
\n}<\/p>\n
\/\/ NoSQL Injection Prevention
\nclass NoSQLSecurity {
\n \/\/ VULNERABLE: Direct query injection
\n async findUsersUnsafe(filters) {
\n return User.find(JSON.parse(filters));
\n }<\/p>\n
\/\/ SECURE: Proper query building
\n async findUsers(filters) {
\n const query = {};<\/p>\n
\/\/ Validate each filter key
\n if (filters.email && this.isValidEmail(filters.email)) {
\n query.email = filters.email.toLowerCase().trim();
\n }<\/p>\n
if (filters.role && this.isValidRole(filters.role)) {
\n query.role = filters.role;
\n }<\/p>\n
if (filters.age) {
\n const age = parseInt(filters.age);
\n if (!isNaN(age) && age >= 0 && age {
\n const apiKey = req.headers[‘x-api-key’];<\/p>\n
if (!apiKey) {
\n return res.status(401).json({
\n error: ‘API key required’,
\n code: ‘MISSING_API_KEY’
\n });
\n }<\/p>\n
try {
\n const keyRecord = await APIKey.findOne({
\n key: apiKey,
\n isActive: true
\n }).populate(‘user’);<\/p>\n
if (!keyRecord) {
\n return res.status(401).json({
\n error: ‘Invalid API key’,
\n code: ‘INVALID_API_KEY’
\n });
\n }<\/p>\n
\/\/ Check rate limit for this API key
\n const rateLimitResult = this.checkAPIKeyRateLimit(keyRecord);
\n if (!rateLimitResult.allowed) {
\n return res.status(429).json({
\n error: ‘Rate limit exceeded’,
\n code: ‘RATE_LIMIT_EXCEEDED’,
\n resetTime: rateLimitResult.resetTime
\n });
\n }<\/p>\n
\/\/ Attach key info to request
\n req.apiKey = keyRecord;
\n req.user = keyRecord.user;<\/p>\n
next();
\n } catch (error) {
\n res.status(500).json({
\n error: ‘Authentication failed’,
\n code: ‘AUTH_ERROR’
\n });
\n }
\n };
\n }<\/p>\n
\/\/ JWT authentication
\n authenticateJWT() {
\n return (req, res, next) => {
\n const authHeader = req.headers.authorization;
\n const token = authHeader && authHeader.split(‘ ‘)[1];<\/p>\n
if (!token) {
\n return res.status(401).json({
\n error: ‘Access token required’,
\n code: ‘MISSING_TOKEN’
\n });
\n }<\/p>\n
const security = new SecurityService();
\n const result = security.verifyToken(token);<\/p>\n
if (!result.valid) {
\n return res.status(401).json({
\n error: ‘Invalid token’,
\n code: ‘INVALID_TOKEN’,
\n details: result.error
\n });
\n }<\/p>\n
req.user = result.decoded;
\n req.needsTokenRefresh = result.needsRefresh;<\/p>\n
next();
\n };
\n }<\/p>\n
\/\/ IP-based rate limiting
\n rateLimit(options = {}) {
\n const {
\n windowMs = 15 * 60 * 1000, \/\/ 15 minutes
\n max = 100, \/\/ requests per window
\n message = ‘Too many requests’
\n } = options;<\/p>\n
return (req, res, next) => {
\n const clientId = req.ip || req.connection.remoteAddress;
\n const now = Date.now();<\/p>\n
\/\/ Check if IP is blocked
\n if (this.blockedIPs.has(clientId)) {
\n return res.status(429).json({
\n error: ‘IP address blocked’,
\n code: ‘IP_BLOCKED’
\n });
\n }<\/p>\n
\/\/ Initialize or get client data
\n if (!this.rateLimiter.has(clientId)) {
\n this.rateLimiter.set(clientId, {
\n count: 0,
\n resetTime: now + windowMs,
\n firstRequest: now
\n });
\n }<\/p>\n
const clientData = this.rateLimiter.get(clientId);<\/p>\n
\/\/ Reset window if expired
\n if (now > clientData.resetTime) {
\n clientData.count = 0;
\n clientData.resetTime = now + windowMs;
\n }<\/p>\n
\/\/ Increment count
\n clientData.count++;<\/p>\n
\/\/ Check if limit exceeded
\n if (clientData.count > max) {
\n \/\/ Block IP if severely exceeded
\n if (clientData.count > max * 5) {
\n this.blockedIPs.add(clientId);
\n setTimeout(() => {
\n this.blockedIPs.delete(clientId);
\n }, windowMs * 2);
\n }<\/p>\n
return res.status(429).json({
\n error: message,
\n code: ‘RATE_LIMIT_EXCEEDED’,
\n limit: max,
\n remaining: 0,
\n resetTime: clientData.resetTime
\n });
\n }<\/p>\n
\/\/ Add rate limit headers
\n res.setHeader(‘X-RateLimit-Limit’, max);
\n res.setHeader(‘X-RateLimit-Remaining’, Math.max(0, max – clientData.count));
\n res.setHeader(‘X-RateLimit-Reset’, clientData.resetTime);<\/p>\n
next();
\n };
\n }<\/p>\n
\/\/ CORS configuration
\n configureCORS() {
\n return (req, res, next) => {
\n const allowedOrigins = process.env.ALLOWED_ORIGINS?.split(‘,’) || [‘http:\/\/localhost:3000’];
\n const origin = req.headers.origin;<\/p>\n
if (allowedOrigins.includes(origin)) {
\n res.setHeader(‘Access-Control-Allow-Origin’, origin);
\n }<\/p>\n
res.setHeader(‘Access-Control-Allow-Methods’, ‘GET, POST, PUT, DELETE, OPTIONS’);
\n res.setHeader(‘Access-Control-Allow-Headers’, ‘Content-Type, Authorization, X-API-Key’);
\n res.setHeader(‘Access-Control-Allow-Credentials’, ‘true’);
\n res.setHeader(‘Access-Control-Max-Age’, ‘86400’); \/\/ 24 hours<\/p>\n
if (req.method === ‘OPTIONS’) {
\n return res.status(204).end();
\n }<\/p>\n
next();
\n };
\n }<\/p>\n
\/\/ Request validation middleware
\n validateRequest(schema) {
\n return (req, res, next) => {
\n const { error } = schema.validate(req.body);<\/p>\n
if (error) {
\n return res.status(400).json({
\n error: ‘Validation failed’,
\n details: error.details.map(detail => ({
\n field: detail.path.join(‘.’),
\n message: detail.message
\n }))
\n });
\n }<\/p>\n
next();
\n };
\n }<\/p>\n
\/\/ API response security headers
\n setSecurityHeaders() {
\n return (req, res, next) => {
\n res.setHeader(‘X-Content-Type-Options’, ‘nosniff’);
\n res.setHeader(‘X-Frame-Options’, ‘DENY’);
\n res.setHeader(‘X-XSS-Protection’, ‘1; mode=block’);
\n res.setHeader(‘Referrer-Policy’, ‘strict-origin-when-cross-origin’);
\n res.setHeader(‘Permissions-Policy’, ‘camera=(), microphone=(), geolocation=()’);<\/p>\n
next();
\n };
\n }
\n}<\/p>\n
\/\/ Usage
\nconst apiSecurity = new APISecurity();<\/p>\n
app.use(apiSecurity.configureCORS());
\napp.use(apiSecurity.setSecurityHeaders());<\/p>\n
\/\/ Public endpoints with rate limiting
\napp.get(‘\/api\/public’, apiSecurity.rateLimit({ max: 10 }), (req, res) => {
\n res.json({ message: ‘Public endpoint’ });
\n});<\/p>\n
\/\/ Protected endpoints with authentication
\napp.get(‘\/api\/users’,
\n apiSecurity.authenticateJWT(),
\n apiSecurity.rateLimit({ max: 100 }),
\n (req, res) => {
\n res.json({ users: [] });
\n }
\n);<\/p>\n
\/\/ API endpoints with API key authentication
\napp.post(‘\/api\/webhook’,
\n apiSecurity.authenticateAPIKey(),
\n (req, res) => {
\n res.json({ received: true });
\n }
\n);
\n“`<\/p>\n
Security Monitoring dan Logging<\/p>\n
1. Security Event Monitoring
\n“`javascript
\n\/\/ Security Monitoring System<\/p>\n
class SecurityMonitor {
\n constructor() {
\n this.events = [];
\n this.alertThresholds = {
\n failedLogins: 5,
\n suspiciousActivity: 10,
\n dataAccess: 50
\n };
\n this.blockedIPs = new Set();
\n }<\/p>\n
\/\/ Log security events
\n logSecurityEvent(event) {
\n const securityEvent = {
\n timestamp: new Date().toISOString(),
\n type: event.type,
\n severity: event.severity || ‘medium’,
\n ip: event.ip,
\n userId: event.userId,
\n userAgent: event.userAgent,
\n details: event.details,
\n metadata: event.metadata || {}
\n };<\/p>\n
this.events.push(securityEvent);<\/p>\n
\/\/ Check for alerts
\n this.checkAlerts(securityEvent);<\/p>\n
\/\/ Store in persistent storage
\n this.persistEvent(securityEvent);<\/p>\n
console.log(`Security Event [${event.severity}]: ${event.type}`, securityEvent);
\n }<\/p>\n
\/\/ Failed login attempt
\n logFailedLogin(ip, email, userAgent) {
\n this.logSecurityEvent({
\n type: ‘FAILED_LOGIN’,
\n severity: ‘high’,
\n ip,
\n userId: email,
\n userAgent,
\n details: ‘Failed login attempt’
\n });
\n }<\/p>\n
\/\/ Successful login
\n logSuccessfulLogin(userId, ip, userAgent) {
\n this.logSecurityEvent({
\n type: ‘SUCCESSFUL_LOGIN’,
\n severity: ‘info’,
\n ip,
\n userId,
\n userAgent,
\n details: ‘User logged in successfully’
\n });
\n }<\/p>\n
\/\/ Suspicious activity detection
\n logSuspiciousActivity(ip, userId, activity) {
\n this.logSecurityEvent({
\n type: ‘SUSPICIOUS_ACTIVITY’,
\n severity: ‘high’,
\n ip,
\n userId,
\n details: activity
\n });
\n }<\/p>\n
\/\/ Data access logging
\n logDataAccess(userId, resource, action, ip) {
\n this.logSecurityEvent({
\n type: ‘DATA_ACCESS’,
\n severity: ‘medium’,
\n ip,
\n userId,
\n details: `${action} on ${resource}`,
\n metadata: { resource, action }
\n });
\n }<\/p>\n
\/\/ Check for security alerts
\n checkAlerts(event) {
\n const recentEvents = this.getRecentEvents(15 * 60 * 1000); \/\/ Last 15 minutes<\/p>\n
\/\/ Check for multiple failed logins
\n const failedLogins = recentEvents.filter(e =>
\n e.type === ‘FAILED_LOGIN’ && e.ip === event.ip
\n );<\/p>\n
if (failedLogins.length >= this.alertThresholds.failedLogins) {
\n this.triggerAlert({
\n type: ‘BRUTE_FORCE_DETECTED’,
\n severity: ‘critical’,
\n ip: event.ip,
\n details: `${failedLogins.length} failed login attempts detected`
\n });<\/p>\n
\/\/ Block IP temporarily
\n this.blockIP(event.ip, 60 * 60 * 1000); \/\/ 1 hour
\n }<\/p>\n
\/\/ Check for suspicious activity patterns
\n const suspiciousActivity = recentEvents.filter(e =>
\n e.type === ‘SUSPICIOUS_ACTIVITY’ && e.ip === event.ip
\n );<\/p>\n
if (suspiciousActivity.length >= this.alertThresholds.suspiciousActivity) {
\n this.triggerAlert({
\n type: ‘SUSPICIOUS_PATTERN_DETECTED’,
\n severity: ‘critical’,
\n ip: event.ip,
\n details: `${suspiciousActivity.length} suspicious activities detected`
\n });
\n }<\/p>\n
\/\/ Check for unusual data access
\n const dataAccess = recentEvents.filter(e =>
\n e.type === ‘DATA_ACCESS’ && e.userId === event.userId
\n );<\/p>\n
if (dataAccess.length >= this.alertThresholds.dataAccess) {
\n this.triggerAlert({
\n type: ‘UNUSUAL_DATA_ACCESS’,
\n severity: ‘high’,
\n userId: event.userId,
\n details: `${dataAccess.length} data access operations detected`
\n });
\n }
\n }<\/p>\n
\/\/ Trigger security alert
\n async triggerAlert(alert) {
\n console.error(‘SECURITY ALERT:’, alert);<\/p>\n
\/\/ Send notification
\n await this.sendNotification(alert);<\/p>\n
\/\/ Store alert
\n await this.persistAlert(alert);
\n }<\/p>\n
\/\/ Send notification (email, Slack, etc.)
\n async sendNotification(alert) {
\n \/\/ Implementation depends on notification service
\n const notification = {
\n title: `Security Alert: ${alert.type}`,
\n message: alert.details,
\n severity: alert.severity,
\n timestamp: new Date().toISOString()
\n };<\/p>\n
\/\/ Send to security team
\n if (alert.severity === ‘critical’) {
\n \/\/ Immediate notification for critical alerts
\n await this.sendCriticalNotification(notification);
\n }
\n }<\/p>\n
\/\/ Block IP temporarily
\n blockIP(ip, duration) {
\n this.blockedIPs.add(ip);<\/p>\n
setTimeout(() => {
\n this.blockedIPs.delete(ip);
\n }, duration);<\/p>\n
this.logSecurityEvent({
\n type: ‘IP_BLOCKED’,
\n severity: ‘high’,
\n ip,
\n details: `IP blocked for ${duration}ms`
\n });
\n }<\/p>\n
\/\/ Get recent events
\n getRecentEvents(timeWindow) {
\n const now = Date.now();
\n return this.events.filter(event =>
\n new Date(event.timestamp).getTime() > (now – timeWindow)
\n );
\n }<\/p>\n
\/\/ Persist event to database
\n async persistEvent(event) {
\n try {
\n \/\/ Store in database for long-term analysis
\n await SecurityEvent.create(event);
\n } catch (error) {
\n console.error(‘Failed to persist security event:’, error);
\n }
\n }<\/p>\n
\/\/ Persist alert to database
\n async persistAlert(alert) {
\n try {
\n await SecurityAlert.create({
\n …alert,
\n timestamp: new Date(),
\n status: ‘active’
\n });
\n } catch (error) {
\n console.error(‘Failed to persist security alert:’, error);
\n }
\n }
\n}<\/p>\n
\/\/ Security monitoring middleware
\nclass SecurityMiddleware {
\n constructor(securityMonitor) {
\n this.monitor = securityMonitor;
\n }<\/p>\n
\/\/ Monitor login attempts
\n monitorLogin() {
\n return (req, res, next) => {
\n const originalSend = res.send;<\/p>\n
res.send = function(data) {
\n \/\/ Log failed login attempts
\n if (res.statusCode === 401 || res.statusCode === 403) {
\n this.monitor.logFailedLogin(
\n req.ip,
\n req.body.email,
\n req.get(‘User-Agent’)
\n );
\n }<\/p>\n
\/\/ Log successful login
\n if (res.statusCode === 200 && req.path === ‘\/api\/login’) {
\n this.monitor.logSuccessfulLogin(
\n req.user?.id,
\n req.ip,
\n req.get(‘User-Agent’)
\n );
\n }<\/p>\n
originalSend.call(this, data);
\n }.bind(this);<\/p>\n
next();
\n };
\n }<\/p>\n
\/\/ Monitor API access
\n monitorAPIAccess() {
\n return (req, res, next) => {
\n const originalSend = res.send;<\/p>\n
res.send = function(data) {
\n \/\/ Log data access
\n if (req.user && req.method !== ‘GET’) {
\n this.monitor.logDataAccess(
\n req.user.id,
\n req.path,
\n req.method,
\n req.ip
\n );
\n }<\/p>\n
originalSend.call(this, data);
\n }.bind(this);<\/p>\n
next();
\n };
\n }<\/p>\n
\/\/ Detect suspicious patterns
\n detectSuspiciousActivity() {
\n return (req, res, next) => {
\n const suspiciousPatterns = [
\n \/\\.\\.\/, \/\/ Directory traversal
\n \/ r.passed).length;
\n const total = results.length;
\n const critical = results.filter(r =>
\n !r.passed && r.details?.severity === ‘critical’
\n ).length;<\/p>\n
return {
\n summary: {
\n passed,
\n failed: total – passed,
\n total,
\n passRate: (passed \/ total) * 100,
\n criticalIssues: critical
\n },
\n results
\n };
\n }
\n}<\/p>\n
\/\/ Common security tests
\nconst securityTests = new SecurityTestSuite();<\/p>\n
\/\/ Test for SQL injection vulnerabilities
\nsecurityTests.addTest(‘SQL Injection Test’, async () => {
\n const maliciousInputs = [
\n “‘ OR ‘1’=’1”,
\n “‘; DROP TABLE users; –“,
\n “‘ UNION SELECT * FROM users –”
\n ];<\/p>\n
for (const input of maliciousInputs) {
\n try {
\n const response = await fetch(‘\/api\/users’, {
\n method: ‘POST’,
\n headers: { ‘Content-Type’: ‘application\/json’ },
\n body: JSON.stringify({ email: input, password: ‘test’ })
\n });<\/p>\n
if (response.status === 200) {
\n return {
\n passed: false,
\n message: ‘Potential SQL injection vulnerability detected’,
\n details: { severity: ‘critical’, input }
\n };
\n }
\n } catch (error) {
\n \/\/ Network errors are expected for malformed requests
\n }
\n }<\/p>\n
return { passed: true, message: ‘No SQL injection vulnerabilities detected’ };
\n}, ‘injection’);<\/p>\n
\/\/ Test for XSS vulnerabilities
\nsecurityTests.addTest(‘XSS Protection Test’, async () => {
\n const xssPayloads = [
\n ‘alert(“XSS”)’,
\n ‘‘,
\n ‘javascript:alert(“XSS”)’
\n ];<\/p>\n
for (const payload of xssPayloads) {
\n try {
\n const response = await fetch(‘\/api\/comments’, {
\n method: ‘POST’,
\n headers: { ‘Content-Type’: ‘application\/json’ },
\n body: JSON.stringify({ content: payload })
\n });<\/p>\n
if (response.status === 200) {
\n const data = await response.json();<\/p>\n
\/\/ Check if XSS payload was not sanitized
\n if (data.content && data.content.includes(”)) {
\n return {
\n passed: false,
\n message: ‘XSS vulnerability detected’,
\n details: { severity: ‘high’, payload }
\n };
\n }
\n }
\n } catch (error) {
\n \/\/ Network errors are expected
\n }
\n }<\/p>\n
return { passed: true, message: ‘No XSS vulnerabilities detected’ };
\n}, ‘xss’);<\/p>\n
\/\/ Test for authentication bypass
\nsecurityTests.addTest(‘Authentication Bypass Test’, async () => {
\n try {
\n \/\/ Try to access protected endpoint without token
\n const response = await fetch(‘\/api\/users\/profile’, {
\n headers: { ‘Content-Type’: ‘application\/json’ }
\n });<\/p>\n
if (response.status === 200) {
\n return {
\n passed: false,
\n message: ‘Authentication bypass vulnerability detected’,
\n details: { severity: ‘critical’ }
\n };
\n }<\/p>\n
\/\/ Try with invalid token
\n const invalidResponse = await fetch(‘\/api\/users\/profile’, {
\n headers: {
\n ‘Content-Type’: ‘application\/json’,
\n ‘Authorization’: ‘Bearer invalid.token.here’
\n }
\n });<\/p>\n
if (invalidResponse.status === 200) {
\n return {
\n passed: false,
\n message: ‘Invalid token accepted’,
\n details: { severity: ‘critical’ }
\n };
\n }<\/p>\n
return { passed: true, message: ‘Authentication is properly secured’ };
\n } catch (error) {
\n return {
\n passed: false,
\n message: ‘Authentication test failed’,
\n details: { error: error.message }
\n };
\n }
\n}, ‘auth’);<\/p>\n
\/\/ Test for rate limiting
\nsecurityTests.addTest(‘Rate Limiting Test’, async () => {
\n const requests = [];<\/p>\n
\/\/ Send multiple requests quickly
\n for (let i = 0; i r.status === 200).length;<\/p>\n
if (successCount >= 15) {
\n return {
\n passed: false,
\n message: ‘Rate limiting not working or too permissive’,
\n details: { severity: ‘medium’, successCount }
\n };
\n }<\/p>\n
return { passed: true, message: ‘Rate limiting is working properly’ };
\n}, ‘infrastructure’);<\/p>\n
\/\/ Test for HTTPS enforcement
\nsecurityTests.addTest(‘HTTPS Enforcement Test’, async () => {
\n if (process.env.NODE_ENV === ‘production’) {
\n try {
\n \/\/ Try HTTP request (should fail or redirect)
\n const response = await fetch(`http:\/\/${process.env.DOMAIN}\/api\/health`);<\/p>\n
if (response.status === 200 || response.url.startsWith(‘https:\/\/’)) {
\n return { passed: true, message: ‘HTTPS properly enforced’ };
\n } else {
\n return {
\n passed: false,
\n message: ‘HTTPS not properly enforced’,
\n details: { severity: ‘high’ }
\n };
\n }
\n } catch (error) {
\n \/\/ Expected if HTTP is not available
\n return { passed: true, message: ‘HTTPS properly configured’ };
\n }
\n } else {
\n return { passed: true, message: ‘HTTPS test skipped in development’ };
\n }
\n}, ‘infrastructure’);<\/p>\n
\/\/ Run security tests in CI\/CD
\nasync function runSecurityTests() {
\n console.log(‘Running security tests…’);<\/p>\n
const results = await securityTests.runTests();
\n const report = securityTests.generateReport(results);<\/p>\n
console.log(‘Security Test Results:’, report.summary);<\/p>\n
\/\/ Fail build if critical issues found
\n if (report.summary.criticalIssues > 0) {
\n console.error(‘Critical security issues detected!’);
\n process.exit(1);
\n }<\/p>\n
return report;
\n}<\/p>\n
\/\/ Export untuk use in CI\/CD
\nmodule.exports = { runSecurityTests, securityTests };
\n“`<\/p>\n
Compliance dan Regulatory Requirements<\/p>\n
1. Data Protection Compliance
\n“`javascript
\n\/\/ Personal Data Protection Act (PDPA) Compliance<\/p>\n
class PDPACompliance {
\n constructor() {
\n this.sensitiveDataTypes = [
\n ‘nik’, \/\/ National ID
\n ‘passport’,
\n ‘bankAccount’,
\n ‘creditCard’,
\n ‘medical’,
\n ‘biometric’
\n ];
\n }<\/p>\n
\/\/ Consent management
\n async recordConsent(userId, consentType, consentData) {
\n const consent = {
\n userId,
\n type: consentType,
\n granted: consentData.granted,
\n purpose: consentData.purpose,
\n timestamp: new Date(),
\n ipAddress: consentData.ipAddress,
\n userAgent: consentData.userAgent,
\n documentVersion: consentData.documentVersion
\n };<\/p>\n
await Consent.create(consent);
\n return consent;
\n }<\/p>\n
\/\/ Data anonymization
\n anonymizePersonalData(data, fieldsToAnonymize) {
\n const anonymized = { …data };<\/p>\n
fieldsToAnonymize.forEach(field => {
\n if (anonymized[field]) {
\n anonymized[field] = this.anonymizeValue(anonymized[field]);
\n }
\n });<\/p>\n
return anonymized;
\n }<\/p>\n
anonymizeValue(value) {
\n if (typeof value !== ‘string’) return value;<\/p>\n
\/\/ Keep first 2 dan last 2 characters
\n if (value.length <= 4) {
\n return '*'.repeat(value.length);
\n }<\/p>\n
const start = value.substring(0, 2);
\n const end = value.substring(value.length – 2);
\n const middle = '*'.repeat(value.length – 4);<\/p>\n
return start + middle + end;
\n }<\/p>\n
\/\/ Data retention management
\n async applyRetentionPolicy() {
\n const retentionPeriods = {
\n 'userActivity': 365, \/\/ 1 year
\n 'transaction': 2555, \/\/ 7 years
\n 'consent': 2555, \/\/ 7 years
\n 'auditLog': 2555 \/\/ 7 years
\n };<\/p>\n
for (const [dataType, days] of Object.entries(retentionPeriods)) {
\n const cutoffDate = new Date();
\n cutoffDate.setDate(cutoffDate.getDate() – days);<\/p>\n
await this.deleteExpiredData(dataType, cutoffDate);
\n }
\n }<\/p>\n
async deleteExpiredData(dataType, cutoffDate) {
\n switch (dataType) {
\n case 'userActivity':
\n await UserActivity.deleteMany({
\n timestamp: { $lt: cutoffDate }
\n });
\n break;
\n case 'transaction':
\n await Transaction.deleteMany({
\n createdAt: { $lt: cutoffDate }
\n });
\n break;
\n \/\/ Implement other data types
\n }
\n }<\/p>\n
\/\/ Data access logging
\n async logDataAccess(userId, dataType, action, purpose) {
\n const logEntry = {
\n userId,
\n dataType,
\n action, \/\/ 'read', 'write', 'delete'
\n purpose,
\n timestamp: new Date(),
\n ipAddress: this.getCurrentIP(),
\n userAgent: this.getCurrentUserAgent()
\n };<\/p>\n
await DataAccessLog.create(logEntry);
\n }<\/p>\n
\/\/ Data breach notification
\n async handleDataBreach(breachData) {
\n \/\/ Log breach
\n await SecurityBreach.create({
\n …breachData,
\n reportedAt: new Date(),
\n status: 'investigating'
\n });<\/p>\n
\/\/ Notify affected users
\n const affectedUsers = await this.identifyAffectedUsers(breachData);
\n await this.notifyAffectedUsers(affectedUsers, breachData);<\/p>\n
\/\/ Notify authorities if required
\n if (breachData.severity === 'high') {
\n await this.notifyAuthorities(breachData);
\n }
\n }<\/p>\n
async identifyAffectedUsers(breachData) {
\n \/\/ Logic to identify users whose data was compromised
\n return User.find({
\n $or: [
\n { email: { $in: breachData.compromisedEmails } },
\n { phone: { $in: breachData.compromisedPhones } }
\n ]
\n });
\n }<\/p>\n
async notifyAffectedUsers(users, breachData) {
\n for (const user of users) {
\n await EmailService.sendDataBreachNotification(user.email, {
\n breachType: breachData.type,
\n compromisedData: breachData.compromisedDataTypes,
\n recommendedActions: [
\n 'Change password immediately',
\n 'Monitor account activity',
\n 'Report suspicious activity'
\n ]
\n });
\n }
\n }
\n}<\/p>\n
\/\/ Data Classification dan Handling
\nclass DataClassification {
\n constructor() {
\n this.classifications = {
\n 'public': { impact: 'none', encryption: false, accessLevel: 'all' },
\n 'internal': { impact: 'low', encryption: false, accessLevel: 'employee' },
\n 'confidential': { impact: 'medium', encryption: true, accessLevel: 'authorized' },
\n 'restricted': { impact: 'high', encryption: true, accessLevel: 'need-to-know' }
\n };
\n }<\/p>\n
classifyData(dataType, content) {
\n \/\/ Auto-classification logic
\n const patterns = {
\n 'nik': \/\\b\\d{16}\\b\/,
\n 'email': \/\\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Z|a-z]{2,}\\b\/,
\n 'phone': \/\\b\\d{10,13}\\b\/,
\n 'creditCard': \/\\b\\d{4}[-\\s]?\\d{4}[-\\s]?\\d{4}[-\\s]?\\d{4}\\b\/
\n };<\/p>\n
for (const [type, pattern] of Object.entries(patterns)) {
\n if (pattern.test(content)) {
\n if (['nik', 'creditCard'].includes(type)) {
\n return 'restricted';
\n }
\n return 'confidential';
\n }
\n }<\/p>\n
\/\/ Default classification
\n return 'internal';
\n }<\/p>\n
applyProtection(data, classification) {
\n const rules = this.classifications[classification];<\/p>\n
if (!rules) {
\n throw new Error(`Unknown classification: ${classification}`);
\n }<\/p>\n
return {
\n …data,
\n classification,
\n accessLevel: rules.accessLevel,
\n encrypted: rules.encryption,
\n lastAccessed: new Date()
\n };
\n }
\n}
\n“`<\/p>\n
Kesimpulan<\/p>\n
Web application security adalah ongoing process yang membutuhkan continuous attention dan improvement. Dengan implementasi comprehensive security measures dari development phase hingga production monitoring, kita dapat protect applications dari modern cyber threats.<\/p>\n
Key security priorities untuk 2025:
\n\u2022 Zero Trust Architecture: Never trust, always verify
\n\u2022 AI-Powered Security: Leverage machine learning untuk threat detection
\n\u2022 DevSecOps Integration: Security embedded dalam development lifecycle
\n\u2022 Compliance Management: Adherence to evolving regulations
\n\u2022 User Education: Security awareness training untuk semua stakeholders<\/p>\n
Investasi dalam security bukan optional melainkan necessity di digital age. Cost prevention jauh lebih rendah dari cost recovery setelah security breach terjadi.<\/p>\n
Remember: Security is everyone's responsibility. Build security culture dalam organization, stay updated dengan latest threats, dan continuously improve security practices.<\/p>\n","protected":false},"excerpt":{"rendered":"
Di era digital di mana cyber threats semakin sophisticated, web application security menjadi prioritas utama untuk developer dan bisnis. Data breaches dapat menyebabkan kerugian finansial yang signifikan, kehilangan kepercayaan customer, dan konsekuensi legal yang serius. Artikel ini akan memberikan comprehensive guide tentang web application security best practices di tahun 2025. Understanding Modern Cybersecurity Landscape 1. […]<\/p>\n","protected":false},"author":6,"featured_media":4421,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"yoast_head":"\n