website security
Here are some notes I wrote for a freeCodeCamp tutorial on the use of HelmetJS and BCrypt as tools for ensuring website security. The same notes, along with the code, can be found in this GitHub repository.
Free Code Camp - Applied InfoSec Challenges
====================================================
See the `app.js` file from this repo for the implementation of these various HelmetJS modules.
Notes on the freeCodeCamp curriculum on information security with HelmetJS:
1. Intro to information security with HelmetJS
2. Install and Require Helmet: `npm install helmet --save`
3. Hide Potentially Dangerous Information Using `helmet.hidePoweredBy()` (Passed)
4. Mitigate the Risk of Clickjacking with `helmet.frameguard()` (Passed)
5. Mitigate the Risk of Cross Site Scripting (XSS) Attacks with `helmet.xssFilter()` (Passed)
6. Avoid Inferring the Response MIME Type with `helmet.noSniff()` (Passed)
7. Prevent IE from Opening Untrusted HTML with `helmet.ieNoOpen()` (Not Passed)
8. Ask Browsers to Access Your Site via HTTPS Only with `helmet.hsts()` (Not Passed)
9. Disable DNS Prefetching with `helmet.dnsPrefetchControl()` (Not Passed)
10. Disable Client-Side Caching with `helmet.noCache()` (Not Passed)
11. Set a Content Security Policy with `helmet.contentSecurityPolicy()` (Not Passed)
12. Configure Helmet Using the ‘parent’ `helmet()` Middleware (Not Passed)
13. Understand BCrypt Hashes (Not Passed)
14. Hash and Compare Passwords Asynchronously (Not Passed)
15. Hash and Compare Passwords Synchronously (Not Passed)
Other notes on HelmetJS and general website security:
- HelmetJS site. Its documentation on the various Helmet modules is thorough and clear.
- For an overview of website security see this MDN article. For a more comprehensive listing of security threats, see this Wikipedia article on “web security exploits”, or this Wikipedia article on cyber attacks.
- Express has its own article which recommends the use of HelmetJS.
- Check out this two-part article on using HelmetJS to ensure site security: part 1 and part 2.
- Check out this article on why you should always use HTTPS, and this Wikipedia overview of HTTPS.
- The following code comes from number 11 above. I had trouble with the `content-security-policy` on my URL shortener project, version 1. I’ll bet the issue was created by a conflict with the HelmetJS security settings. Notice, in particular, the use of single quotes inside double quotes, as in `"'self'"`. This is a quirk particular to the use of `contentSecurityPolicy()`.

```javascript
app.use(helmet.contentSecurityPolicy({
  directives: {
    defaultSrc: ["'self'"],
    scriptSrc: ["'self'", "trusted-cdn.com"]
  }
}))
```
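The quoting quirk above has a concrete reason: in the `Content-Security-Policy` header, keyword sources such as `'self'` and `'none'` carry their single quotes as part of the value, while an unquoted token is parsed as a host name. Writing `"self"` in the directives array therefore ships a policy that allows a host called `self` and quietly drops the keyword you meant. The following is an added example, not Helmet's own code: it serializes a directives object shaped like the one passed to `helmet.contentSecurityPolicy()` into the header string the browser will receive (the camelCase-to-dash conversion mirrors what Helmet does), and lints the sources for exactly this mistake. The sample policies are constructed from the snippet above.

```javascript
// Added example (not Helmet's code): build a CSP header value from a
// directives object and flag keyword sources that lost their quotes.
const CSP_KEYWORDS = new Set(['self', 'none', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic']);

// camelCase directive key -> header directive name (defaultSrc -> default-src).
function directiveName(key) {
  return key.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase());
}

// Returns one warning per source that is a CSP keyword written without its
// single quotes. The browser would treat such a token as a host name, so the
// intended keyword is silently lost.
function lintSources(directives) {
  const warnings = [];
  for (const [key, sources] of Object.entries(directives)) {
    for (const src of sources) {
      if (CSP_KEYWORDS.has(src)) {
        warnings.push(`${directiveName(key)}: "${src}" should be written as "'${src}'"`);
      }
    }
  }
  return warnings;
}

// Serializes the directives to the exact header value the browser receives.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([key, sources]) => `${directiveName(key)} ${sources.join(' ')}`)
    .join('; ');
}

// Constructed samples: the policy from the notes above, and a variant with the
// quoting mistake the notes warn about.
const goodDirectives = { defaultSrc: ["'self'"], scriptSrc: ["'self'", 'trusted-cdn.com'] };
const badDirectives = { defaultSrc: ['self'], scriptSrc: ['self', 'trusted-cdn.com'] };

console.log(buildCsp(goodDirectives));   // default-src 'self'; script-src 'self' trusted-cdn.com
console.log(lintSources(badDirectives)); // two warnings, one per unquoted 'self'
```

Run `lintSources` over your directives object before handing it to Helmet; a non-empty result is a policy that will not do what you intended.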
- Important: According to the freeCodeCamp explanation of number 12 above, all of the HelmetJS modules except for `noCache()` and `contentSecurityPolicy()` are included with the use of the parent `helmet()` module. They are each demonstrated in the tutorial just for thorough understanding.
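To make the parent `helmet()` behaviour concrete, here is an added example, not Helmet's code and not from this tutorial's repo: a plain Express-style middleware that sets the headers the modules from items 3 to 9 above set (the same set the parent `helmet()` bundles, leaving out `noCache()` and `contentSecurityPolicy()`), together with an audit function that reports which of those protections a response is missing. The header values are what those modules set in the Helmet 3.x series this tutorial used, as far as I know; newer Helmet releases have changed some defaults (for instance `X-XSS-Protection` is now sent as `0`), so check the Helmet docs before relying on these exact strings. The stub response object is constructed so the example runs without Express installed.

```javascript
// Added example (not Helmet's code): the headers the bundled Helmet modules
// set, as a plain middleware, plus an audit of a response's headers.
const SECURITY_HEADERS = {
  'X-Frame-Options': 'SAMEORIGIN',                 // frameguard()
  'X-XSS-Protection': '1; mode=block',             // xssFilter() (Helmet 3 value)
  'X-Content-Type-Options': 'nosniff',             // noSniff()
  'X-Download-Options': 'noopen',                  // ieNoOpen()
  'X-DNS-Prefetch-Control': 'off',                 // dnsPrefetchControl()
  'Strict-Transport-Security': 'max-age=15552000; includeSubDomains', // hsts(), 180 days
};

// Express-style middleware (req, res, next). Only res.setHeader and
// res.removeHeader are used, so it also works on the stub response below.
function securityHeaders(req, res, next) {
  res.removeHeader('X-Powered-By');                // hidePoweredBy()
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    res.setHeader(name, value);
  }
  next();
}

// Audit: given a response's headers keyed by lowercase name, list the
// protections that are absent or the framework fingerprint that still leaks.
function auditHeaders(headers) {
  const findings = [];
  if ('x-powered-by' in headers) findings.push('X-Powered-By is present (framework fingerprint)');
  for (const name of Object.keys(SECURITY_HEADERS)) {
    if (!(name.toLowerCase() in headers)) findings.push(`${name} is missing`);
  }
  return findings;
}

// Constructed stand-in for an Express response, so no server is needed.
function makeStubResponse(initial = {}) {
  const headers = { ...initial };
  return {
    headers,
    setHeader(name, value) { headers[name.toLowerCase()] = value; },
    removeHeader(name) { delete headers[name.toLowerCase()]; },
  };
}

// Runs the audit before and after the middleware on a response that starts
// out the way Express sends it (X-Powered-By: Express, nothing else).
function demo() {
  const untouched = makeStubResponse({ 'x-powered-by': 'Express' });
  const beforeFindings = auditHeaders(untouched.headers);  // 7 findings
  const res = makeStubResponse({ 'x-powered-by': 'Express' });
  securityHeaders({}, res, () => {});
  const afterFindings = auditHeaders(res.headers);         // []
  return { beforeFindings, afterFindings, headers: res.headers };
}

console.log(demo());
```

In a real app you would mount `securityHeaders` (or simply `helmet()`) with `app.use` before any route, and point `auditHeaders` at the headers of a response you fetched from your deployed site to confirm the middleware is actually reached.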
BCrypt challenges
-----------------
For some strange reason, freeCodeCamp has included a discussion of the BCrypt npm plugin within its larger discussion of HelmetJS. Check out my separate Glitch repository notes on BCrypt.
- Pay particular attention to the code in the `server.js` file. In fact, this stuff is important. Let me copy the code below.
```javascript
'use strict';
const express = require('express');
const bodyParser = require('body-parser');
const fccTesting = require('./freeCodeCamp/fcctesting.js');
const app = express();
fccTesting(app); // For FCC testing purposes
const bcrypt = require('bcrypt');

// Cost factor: 2^12 key-setup rounds. Each +1 doubles the work for an
// attacker guessing passwords offline, and equally for your login handler.
const saltRounds = 12;
const myPlaintextPassword = 'sUperpassw0rd!';
const someOtherPlaintextPassword = 'pass123';

// Asynchronous hash, then compare. bcrypt generates a random salt and embeds
// it in the hash string, so only the hash needs to be stored.
bcrypt.hash(myPlaintextPassword, saltRounds, (err, hash) => {
  if (err) return console.error(err);
  console.log(hash); // 60-character string, e.g. $2a$12$... or $2b$12$... depending on the bcrypt version
  bcrypt.compare(myPlaintextPassword, hash, (err, res) => {
    if (err) return console.error(err);
    console.log(res); // true: the plaintext matches the stored hash
  });
});

app.listen(process.env.PORT || 3000, () => {});
```
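Item 13 above ("Understand BCrypt Hashes") is about reading the string that `bcrypt.hash` returns: `$<version>$<cost>$` followed by a 22-character salt and a 31-character hash, all in bcrypt's own base64 alphabet, 60 characters in total. The cost is the base-2 logarithm of the key-setup rounds, which is why `saltRounds = 12` in the `server.js` above means 4096 rounds. The following is an added example, not the bcrypt package's code or freeCodeCamp's: it parses a stored hash into its fields and checks it against a minimum-cost policy, so that hashes created years ago with a lower cost can be identified and re-hashed the next time the user logs in (the only moment the plaintext is available). The sample hash strings are constructed placeholders with the right shape, not real bcrypt output, and the minimum cost of 12 is an assumption taken from the `saltRounds` value above.

```javascript
// Added example (not bcrypt's code): parse a stored bcrypt hash string and
// check its cost against policy. Format: $<version>$<cost>$<22 salt><31 hash>.
const BCRYPT_RE = /^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

// Returns { version, cost, salt, hash } or null if the string is not a
// well-formed bcrypt hash (for example a legacy MD5 value in the same column).
function parseBcryptHash(str) {
  const m = BCRYPT_RE.exec(str);
  if (!m) return null;
  return { version: m[1], cost: Number(m[2]), salt: m[3], hash: m[4] };
}

// Cost is log2 of the key-setup rounds, so each +1 doubles the work.
function bcryptRounds(cost) {
  return 2 ** cost;
}

// True when the stored hash is malformed or was made with a cost below the
// current policy; such users should be re-hashed on their next successful
// login. minCost = 12 is an assumption matching saltRounds in server.js.
function needsRehash(str, minCost = 12) {
  const parsed = parseBcryptHash(str);
  return parsed === null || parsed.cost < minCost;
}

// Constructed sample values (not real hashes): the 53 trailing characters are
// placeholders in bcrypt's alphabet with the correct lengths.
const SAMPLE_COST12 = '$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234';
const SAMPLE_COST04 = '$2a$04$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234';

console.log(parseBcryptHash(SAMPLE_COST12)); // { version: '2b', cost: 12, salt: ..., hash: ... }
console.log(bcryptRounds(12));               // 4096
console.log(needsRehash(SAMPLE_COST04));     // true
```

A practical use is a one-off query over the users table: run `needsRehash` on every stored hash and count how many accounts still sit below the current cost, which tells you how much of your password store would fall quickly to an offline guessing attack if it leaked.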