Threat modelling is the process of identifying potential threats in a prioritized way. When it comes to Node.js and JavaScript, there are many specific security issues that can arise.
[Figure: diagram. Node labels: Control; Get Access to Database; Social Engineering; Get Access to DMZ; Listen on Transport Layer; Guessing; Insecure Dependencies; Get Access; Learn Password; Guessing]
= Very hard or impossible, even for administrators.
5 = One or two steps required, may need to be an authorized user.
10 = Even a web browser is sufficient, without authentication.
Advanced programming and networking knowledge, with custom or advanced tool.
5 = Malware exists on the Internet, or an exploit is easily performed, using available attack tools.
10 = Just a web browser
Security HTTP headers:
X-Frame-Options provides clickjacking protection.
X-XSS-Protection enables the Cross-site scripting (XSS) filter built into most recent web browsers.
Content-Security-Policy prevents a wide range of attacks, including Cross-site scripting and other cross-site injections.
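The three headers listed above, set from a Node.js middleware and then checked by a small audit function. This is an added example, not code from the original page; the header values, the function names `securityHeaders` and `auditHeaders`, and the sample response are assumptions chosen for illustration.

```javascript
// Added example. Header values are assumed defaults, not taken from the page.
const SECURITY_HEADERS = {
  'X-Frame-Options': 'DENY',            // refuse all framing (clickjacking)
  'X-XSS-Protection': '1; mode=block',  // enable the browser XSS filter
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
};

// Connect/Express-style middleware; also usable with a plain http.ServerResponse.
function securityHeaders(req, res, next) {
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    res.setHeader(name, value);
  }
  if (typeof next === 'function') next();
}

// Audit a response's headers (plain object) and return a list of findings.
function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (!xfo) findings.push('X-Frame-Options missing');
  else if (xfo !== 'DENY' && xfo !== 'SAMEORIGIN') {
    findings.push(`X-Frame-Options has unexpected value: ${xfo}`);
  }

  const xss = h['x-xss-protection'];
  if (!xss) findings.push('X-XSS-Protection missing');
  else if (xss.trim().startsWith('0')) findings.push('X-XSS-Protection disables the filter');

  const csp = h['content-security-policy'];
  if (!csp) findings.push('Content-Security-Policy missing');
  else {
    const directives = csp.split(';').map(d => d.trim().toLowerCase()).filter(Boolean);
    if (!directives.some(d => d.startsWith('default-src '))) {
      findings.push('CSP has no default-src fallback');
    }
    for (const kw of ["'unsafe-inline'", "'unsafe-eval'"]) {
      if (directives.some(d => d.includes(kw))) findings.push(`CSP allows ${kw}`);
    }
  }
  return findings;
}

// Constructed sample: a response that sets only a permissive CSP.
const sampleWeak = { 'content-security-policy': "script-src * 'unsafe-inline'" };
console.log(auditHeaders(sampleWeak));
```
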