You can monitor application security for Node.js apps running in Docker, Kubernetes, Amazon ECS, and AWS Fargate.

Prerequisites

• The Datadog Agent is installed and configured for your application’s operating system or container, cloud, or virtual environment.
• If your service is running with an Agent with Remote Configuration enabled and a tracing library version that supports it, you can block attackers from the Datadog UI without additional configuration of the Agent or tracing libraries.

Enabling Application & API Protection

Get started

1. Update your Datadog Node.js library package to at least version 5.0.0 (for Node 18+) or 4.0.0 (for Node 16+) or 3.10.0 (for Node.js 14+), by running one of these commands:

   npm install dd-trace@^5
   npm install dd-trace@^4
   npm install dd-trace@^3.10.0
   

   Use this migration guide to assess any breaking changes if you upgraded your library.

   App & API Protection is compatible with Express v4+ and Node.js v14+. For additional information, see Compatibility.

2. Where you import and initialize the Node.js library for APM, also enable Application & API Protection. This might be either in your code or with environment variables. If you initialized APM in code, add {appsec: true} to your init statement:

   // This line must come before importing any instrumented module.
   const tracer = require('dd-trace').init({
     appsec: true,
     tracing: false // To disable APM tracing and use security features only
   })
   

   For TypeScript and bundlers that support EcmaScript Module syntax, initialize the tracer in a separate file in order to maintain correct load order.

   // server.ts
   import './tracer'; // must come before importing any instrumented module.
   
   // tracer.ts
   import tracer from 'dd-trace';
   tracer.init({
     appsec: true,
     tracing: false // To disable APM tracing and use security features only
   }); // initialized in a different file to avoid hoisting.
   export default tracer;
   

   If the default config is sufficient, or all configuration is done through environment variables, you can also use dd-trace/init, which loads and initializes in one step.

   import `dd-trace/init`;
   

   Or if you initialize the APM library on the command line using the --require option to Node.js:

   node --require dd-trace/init app.js
   

   Then use environment variables to enable Application & API Protection:

   DD_APPSEC_ENABLED=true DD_APM_TRACING_ENABLED=false node app.js
   

   How you do this varies depending on where your service runs:

   Update your configuration container for APM by adding the following arguments in your docker run command:

   docker run [...] -e DD_APPSEC_ENABLED=true -e DD_APM_TRACING_ENABLED=false [...]
   

   Add the following environment variable values to your container Dockerfile:

   ENV DD_APPSEC_ENABLED=true
   ENV DD_APM_TRACING_ENABLED=false
   

   Update your configuration yaml file container for APM and add the Application & API Protection env variables:

   spec:
     template:
       spec:
         containers:
           - name: <CONTAINER_NAME>
             image: <CONTAINER_IMAGE>/<TAG>
             env:
               - name: DD_APPSEC_ENABLED
                 value: "true"
               - name: DD_APM_TRACING_ENABLED
                 value: "false"
   

   Update your ECS task definition JSON file, by adding these in the environment section:

   "environment": [
     ...,
     {
       "name": "DD_APPSEC_ENABLED",
       "value": "true"
     },
     {
       "name": "DD_APM_TRACING_ENABLED",
       "value": "false"
     }
   ]
   

   Initialize Application & API Protection in your code or set environment variables in your service invocation:

   DD_APPSEC_ENABLED=true DD_APM_TRACING_ENABLED=false node app.js
   

이 구성을 완료하면 라이브러리가 애플리케이션에서 보안 데이터를 수집해 에이전트로 전송하고, 이 데이터는 다시 Datadog로 전송됩니다. 그러면 기본 감지 규칙에 기반해 공격자 기술과 잠재 구성 오류가 플래그되며, 이를 기반으로 문제 해결 단계를 진행할 수 있습니다.

3. 애플리케이션 보안 관리에서 감지 활동을 잘 하고 있는지 확인하려면 알려진 공격 패턴을 애플리케이션으로 보내세요. 예를 들어 다음 curl 스크립트가 포함된 파일을 실행해 보안 스캐너 감지됨 규칙을 트리거할 수 있습니다.

   for ((i=1;i<=250;i++)); 
   do
   # Target existing service’s routes
   curl https://your-application-url/existing-route -A dd-test-scanner-log;
   # Target non existing service’s routes
   curl https://your-application-url/non-existing-route -A dd-test-scanner-log;
   done

   참고: dd-test-scanner-log 값은 최신 릴리스에서 지원됩니다.

   애플리케이션을 활성화하고 실행한 몇 분 후 Application Signals Explorer에서 위협 정보가 표시되고 Vulnerability Explorer에 취약 정보가 표시됩니다.

If you need additional assistance, contact Datadog support.

Further Reading

추가 유용한 문서, 링크 및 기사:

Adding user information to tracesDOCUMENTATION Node.js Datadog library source codeSOURCE CODE OOTB App & API Protection RulesDOCUMENTATION Troubleshooting App & API ProtectionDOCUMENTATION