Node.js

Supported versions

Agents can be installed only in Linux environments. Windows is not supported.

Code protection features

Some of the code protection features are enabled only when specific components are used in the application. The table below lists the required components for a code protection feature to be enabled. No dependencies indicates the code protection feature is enabled by default, it doesn't require specific components.

Feature Requires
NodeJS versions Node.js 10, 12 and 14 with ecmascript 5 and 6
Asynchronous Body and Stream parsing Koa 2.13.1
SQL Injection
  • Node postgres 7 and 8
  • node-pg-native 3
  • mysql 2+
  • sqlite3 versions 3, 4 and 5
  • Sequelize 4+
Remote Command Execution No dependencies
Illegal File Access No dependencies
Open Redirect Node.js express version 3 and 4
Malicious Payload No dependencies
Malicious File Upload No dependencies

Download the agent

The NodeJS agent is available on the Download page.

Install the agent

The make command, gcc and libstdc++ packages need to be installed on the image for successful installation.

  1. From the root of your Node application, enter:

    npm install --save trend_app_protect,
  2. To activate Application Security, add the following as the first line of your app setup code:

    require('trend_app_protect');
    
    //import support added in version 4.5.0 and above for projects that require/support es6 modules
    import 'trend_app_protect';

    The choice of statements to use between require or import are dependent on the application itself, the modules used, and declarations in the package files. It's independent of Application Security. Some references and examples on when to use require versus import:
    1. When the server setup is done within a ES module, import can be used or otherwise require can be used.
    2. For applications built with Node version prior to version 14 require must be used. import could potentially be used but requires "--experimental-modules" node flag to be present when running the application.
    3. Generically, require must be used except when the package.json file contains {"type": "module"}, in that case import must be used.

    Please refer to the official NodeJS documentation for more details.

  3. The agent key and secret can be configured via the TREND_AP_KEY and TREND_AP_SECRET environment variables. The Key and Secret can be found under Group Settings > Group Credentials.

If you are using a configuration file instead of using environment variables, it needs to be called trend_app_protect.json and be in the application root folder, and needs to contain at least the following:

{
  "key": "my-key",
  "secret": "my-secret"
}

The environment variables will take precedence over the configuration file.