How to Secure TypeScript Applications...??
#typescript#javascript#webdev#programming
Shafayet Hossain Yashfi

Shafayet Hossain Yashfi @shafayeat

About: What a boring planet we are living in...No vampires, no nuclear wars, no alien attacks, no dragons...also don't even have a girlfriend!! I'll rate it only 2 star for good graphics.

Location:
Dhaka,Bangladesh
Joined:
May 31, 2024

How to Secure TypeScript Applications...??

Publish Date: Jan 1
110 11

In an era where application security is paramount, developing secure applications is not merely an option, it's a necessity. TypeScript, with its robust type system and ability to catch errors during development, inherently aids in writing safer code. However, security goes beyond syntax and types. This article explores advanced strategies for securing TypeScript applications, addressing everything from code vulnerabilities to runtime safeguards and deployment practices.

1. Understanding Security in the Context of TypeScript

TypeScript adds static typing to JavaScript, reducing common errors. But security encompasses:

  • Preventing unauthorized access.
  • Ensuring data integrity.
  • Protecting against malicious code injections.
  • Securing runtime behavior.

Key focus areas include:

  • Compile-Time Safety: Catch errors before runtime.
  • Runtime Safeguards: TypeScript compiles to JavaScript, so runtime security measures are crucial.

2. Secure Code Practices

a. Strict Compiler Options

Enable strict mode in tsconfig.json:

{
  "compilerOptions": {
    "strict": true,
    "noImplicitAny": true,
    "strictNullChecks": true,
    "strictPropertyInitialization": true
  }
}
Enter fullscreen mode Exit fullscreen mode
  • Why? These options enforce stricter checks, preventing undefined behaviors.

b. Avoid Any

Overusing any bypasses TypeScript's type system:

let userData: any = fetchUser(); // Avoid this.
Enter fullscreen mode Exit fullscreen mode

Instead:

type User = { id: number; name: string; };
let userData: User = fetchUser();
Enter fullscreen mode Exit fullscreen mode

3. Input Validation

Even with TypeScript, validate inputs explicitly:

function validateUserInput(input: string): boolean {
  const regex = /^[a-zA-Z0-9]+$/;
  return regex.test(input);
}
Enter fullscreen mode Exit fullscreen mode
  • Why? Protects against SQL injection and XSS attacks.

c. Runtime Type Checking

Use libraries like io-ts for runtime validation:

import * as t from "io-ts";

const User = t.type({
  id: t.number,
  name: t.string,
});

const input = JSON.parse(request.body);

if (User.is(input)) {
  // Safe to use
}
Enter fullscreen mode Exit fullscreen mode

4. Preventing Common Vulnerabilities

a. Cross-Site Scripting (XSS)

TypeScript does not sanitize data. Use encoding libraries like DOMPurify for safe rendering:

import DOMPurify from "dompurify";

const sanitized = DOMPurify.sanitize(unsafeHTML);
document.body.innerHTML = sanitized;
Enter fullscreen mode Exit fullscreen mode

b. SQL Injection

Avoid direct SQL queries. Use ORM tools like TypeORM or Prisma:

const user = await userRepository.findOne({ where: { id: userId } });
Enter fullscreen mode Exit fullscreen mode

5. Authentication and Authorization

a. OAuth and JWT

TypeScript helps enforce strong typing in authentication flows:

interface JwtPayload {
  userId: string;
  roles: string[];
}

const decoded: JwtPayload = jwt.verify(token, secret);
Enter fullscreen mode Exit fullscreen mode

b. Role-Based Access Control (RBAC)

Design role-based systems using TypeScript enums:

enum Role {
  Admin = "admin",
  User = "user",
}

function authorize(userRole: Role, requiredRole: Role): boolean {
  return userRole === requiredRole;
}
Enter fullscreen mode Exit fullscreen mode

6. Secure API Development

a. Type-Safe APIs

Leverage libraries like tRPC or GraphQL with TypeScript to ensure type safety across the stack:

import { z } from "zod";
import { createRouter } from "trpc/server";

const userRouter = createRouter().query("getUser", {
  input: z.object({ id: z.string() }),
  resolve({ input }) {
    return getUserById(input.id);
  },
});
Enter fullscreen mode Exit fullscreen mode

b. CORS and Headers

Configure proper headers to prevent CSRF:

app.use(cors({
  origin: "https://trusted-domain.com",
}));
Enter fullscreen mode Exit fullscreen mode

7. Secure Dependencies

a. Audit and Update

Regularly audit dependencies:

npm audit
Enter fullscreen mode Exit fullscreen mode

Update with:

npm update
Enter fullscreen mode Exit fullscreen mode

b. Use Types

Prefer typed packages to reduce vulnerabilities caused by incorrect usage.

8. Static Code Analysis

Use tools like ESLint with security plugins:

npm install eslint-plugin-security --save-dev
Enter fullscreen mode Exit fullscreen mode

Configure rules to flag insecure patterns.

9. Deployment Security

a. Environment Variables

Never hardcode sensitive data. Use .env files:

const dbPassword = process.env.DB_PASSWORD;
Enter fullscreen mode Exit fullscreen mode

b. Minify and Obfuscate

Use tools like Webpack for production builds:

webpack --mode production
Enter fullscreen mode Exit fullscreen mode

10. Monitoring and Incident Response

Set up logging and monitoring:

  • Use tools like Sentry for error tracking.
  • Monitor application logs with ELK (Elasticsearch, Logstash, Kibana).

Conclusion

Securing TypeScript applications requires a multi-layered approach, from leveraging the language's strong typing system to integrating runtime protections and secure deployment practices. While TypeScript provides a strong foundation for building safer applications, ultimate security demands vigilance at every stage from development to production.

*Well, See you in the next article lad! *😉

My personal website: https://shafayet.zya.me

Comments 11 total

  • Shihab Malayil
    Shihab MalayilJan 2, 2025

    Great article 👍🏻
    I haven’t used TypeScript this much deeply. Thanks

  • Nozibul Islam
    Nozibul IslamJan 2, 2025

    Great, thanks

  • Rodrigo Veiga
    Rodrigo VeigaJan 3, 2025

    Great article 🙌! Definitely will go back to this when needed

    • Shafayet Hossain Yashfi
      Shafayet Hossain YashfiJan 4, 2025

      Thanks! 🙌 Glad it’ll be handy. Reach out if you ever need help!!!🥰
      I'll be there always😉

  • Sebastián Rojas Ricaurte
    Sebastián Rojas RicaurteJan 3, 2025

    I think Angular that's care of most of it

    • Shafayet Hossain Yashfi
      Shafayet Hossain YashfiJan 4, 2025

      True, Angular does handle many security aspects like input sanitization and CSRF protection. But even with Angular, it's crucial to maintain secure practices. Think about safe API usage, authentication, and validating data on both client and server. Tools can only do so much; a strong security mindset is always key!!

  • Teeksha S
    Teeksha SJan 4, 2025

    Great article. It will help me alot. I have one query. If In the user ID have combination with numbers and alphabets. Then how to take users ID number or string. Please help me this sinario.

    • Shafayet Hossain Yashfi
      Shafayet Hossain YashfiJan 4, 2025

      Thank you for your kind words!🖤 For your query, you can use regular expressions to separate the numbers and letters. Here's an example:

      function extractParts(userId: string) {
  const numbers = userId.match(/\d+/g)?.join('') || '';
  const letters = userId.match(/[a-zA-Z]+/g)?.join('') || '';
  return { numbers, letters };
}

const result = extractParts("abc123");
console.log(result); // { numbers: "123", letters: "abc" }
      Enter fullscreen mode Exit fullscreen mode

      Let me know if you get stuck...😉

Add comment