8758. Express Security - DraftExpress
Introduce how to build secure web application with express.
throw error
// Error-first callback for the read: an error is reported and rethrown so the
// failure is loud rather than continuing with `data` undefined.  Because the
// throw happens inside an asynchronous callback, no surrounding try/catch can
// see it — it becomes an uncaught exception and terminates the process.
function onFileRead(err, data) {
  if (!err) {
    console.log(data);
    return;
  }
  console.error(err);
  throw err;
}

fs.readFile("myfile.txt", onFileRead);
Parse query strings
//http://mysearchengine.com/search?q=crockford+backflip+video
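app.get("/search", function(req, res) {
  // req.query.q is attacker-controlled and not guaranteed to be a string: it is
  // undefined when the parameter is absent and an array when it is repeated
  // (?q=a&q=b).  Calling .replace on either throws a TypeError that surfaces
  // as a 500, so normalise to a string first.
  var q = req.query.q;
  if (Array.isArray(q)) { q = q[0]; }          // take the first of repeated values
  var raw = typeof q === "string" ? q : "";    // missing / nested-object → ""
  // NOTE(review): Express's query parsers already decode "+" as a space, so
  // this replace is likely a no-op on real requests — confirm before relying on it.
  var search = raw.replace(/\+/g, " ");
  // … do something with the search …
});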
//http://mysearchengine.com/search?crockford+backflip+video, no q
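app.get("/search", function(req, res) {
  // `|| ""` only covers a missing parameter.  A repeated one (?q=abc&q=xyz) is
  // parsed as an array, which has no .split and would throw a TypeError (500).
  var q = req.query.q;
  if (Array.isArray(q)) { q = q[0]; }          // take the first of repeated values
  var search = typeof q === "string" ? q : "";  // missing / nested-object → ""
  // NOTE(review): Node's query-string decoding already turns "+" into a space,
  // so splitting on "+" may never separate terms — confirm and split on " " if so.
  var terms = search.split("+");
  // … do something with the search …
});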
//http://mysearchengine.com/search?q=abc&q=xyz, two q parameters
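var arrayWrap = require("arraywrap");
// …
app.get("/search", function(req, res) {
  // Normalise the attacker-controlled parameter to an array so a repeated
  // ?q=abc&q=xyz (parsed as ["abc", "xyz"]) and a single ?q=abc look alike.
  var search = arrayWrap(req.query.q || "");
  // Only the first value is used.  Guard its type: a nested form such as
  // ?q[a]=b is parsed into an object, and .split on an object throws a
  // TypeError that surfaces as a 500.
  var first = typeof search[0] === "string" ? search[0] : "";
  // NOTE(review): Node's query-string decoding already turns "+" into a space,
  // so splitting on "+" may never separate terms — confirm and split on " " if so.
  var terms = first.split("+");
  // … do something with the terms …
});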
SSL/HTTPS: express-enforces-ssl — FORCE USERS TO HTTPS
// Redirect plain-HTTP requests to HTTPS.  Behind a TLS-terminating proxy the
// app itself only ever sees HTTP, so "trust proxy" is switched on so that the
// proxy's X-Forwarded-* headers (presumably X-Forwarded-Proto, which drives
// req.secure) are honoured.
// NOTE(review): `true` trusts those headers from ANY client that can reach the
// app directly; in production narrow it to the proxy's address(es).
var enforceSSL = require("express-enforces-ssl");
// …
app.set("trust proxy", true);   // same as app.enable("trust proxy")
app.use(enforceSSL());
KEEP USERS ON HTTPS: HTTP Strict Transport Security (HSTS) — the `Strict-Transport-Security: max-age=31536000` header; see https://github.com/helmetjs/helmet
cross-site scripting (XSS) attack ESCAPING USER INPUT
Hello, <script src="http://evil.com/hack.js"></script>world.
Hello, &lt;script src="http://evil.com/hack.js"&gt;&lt;/script&gt;world.
set the X-XSS-Protection header: app.use(helmet.xssFilter()); — a legacy browser filter that current browsers no longer honour, so it does not replace escaping output (or a Content-Security-Policy).
PROTECTING AGAINST CSRF IN EXPRESS https://github.com/expressjs/csurf
var csrf = require("csurf");
// …
// csurf needs somewhere to keep its secret, so it must be mounted after the
// session or cookie middleware that provides it (presumably — check the
// middleware order in the real app).
// NOTE(review): csurf has since been deprecated by its maintainers; confirm a
// maintained alternative before reusing this pattern.
app.use(csrf());

// Hand the template a per-request token; the form posts it back as `_csrf`
// and csurf rejects requests whose token does not match.
function renderHome(req, res) {
  var locals = { csrfToken: req.csrfToken() };
  res.render("myview", locals);
}

app.get("/", renderHome);
server render
<form method="post" action="/submit">
<input name="_csrf" value="<%= csrfToken %>" type="hidden">
...
</form>
Keeping your dependencies up to date: find out which installed versions are out of date with npm outdated
Node Security Project https://nodesecurity.io/advisories
npm install -g nsp (then run: nsp audit-package)
Handling server crashes, forever
npm install forever --save
"scripts": {
"start": "forever app.js"
}
Various little tricks: app.disable("x-powered-by");
X-Frame-Options
// X-Frame-Options tells browsers whether this site may be rendered inside a
// frame (clickjacking defence).  Pick ONE of the two lines below — registering
// both sets the header twice (presumably the later middleware overwrites the
// earlier value).
app.use(helmet.frameguard("sameorigin"));   // framing allowed only from this origin
// or …
app.use(helmet.frameguard("deny"));         // never allowed to be framed
restrictive crossdomain.xml
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="none"/>
</cross-domain-policy>
// Sends X-Content-Type-Options: nosniff so browsers honour the declared
// Content-Type instead of sniffing the body (e.g. an uploaded file must not
// be interpreted as script).
app.use(helmet.noSniff());