
Secure by default? #112

Closed
taylorhakes opened this issue Jan 18, 2016 · 4 comments

@taylorhakes
Contributor

I have been giving a lot of thought to issues with Express, Koa, Hapi, etc. One of their biggest issues is ease of use. You have to install 20 other NPM modules to get a working app. It is manageable for an advanced Node developer, but completely overwhelming for intermediates and beginners. Nodal seems to solve this by making it "just work" out of the box.

An even bigger issue with the other libraries/frameworks is that they are not secure by default, or they make the user need to be versed in all the security issues that can arise in a server app. This makes it very easy for even advanced developers to shoot themselves in the foot.

Some things I am talking about are:

Headers:
- Force CSP headers
- Force X-Frame-Options/Frame-Options headers
- Force X-XSS-Protection
- X-Content-Type-Options 'nosniff'

Controllers:
- Force strong parameter validation on all POST/PUT/DELETE (Related Issue)
- Strip HTML by default to avoid XSS
- Add CSRF tokens to all session-based POST/PUT/DELETE

Models:
- Block showing sensitive fields such as a user's password (encrypted or not) in any request
- Block SQL injection attacks by checking strings and object types

Others:
- Avoid eval
- Avoid command injection

And others.

Is this a design decision in Nodal? I know some of these would be in direct conflict with "just work", but I think they would be very important to making production apps secure. I would be very interested in helping any way I can.
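The kind of secure-by-default helpers the list above describes (forced response headers, strong parameters, HTML stripping, hidden model fields), as an added example that is not Nodal's code and assumes no particular framework API; the hidden-field names and schema are constructed for illustration.

```javascript
// Added example, not part of Nodal: framework-level defaults that hold unless a handler opts out.
const DEFAULT_SECURITY_HEADERS = Object.freeze({
  'Content-Security-Policy': "default-src 'self'",
  'X-Frame-Options': 'DENY',
  'X-XSS-Protection': '1; mode=block',
  'X-Content-Type-Options': 'nosniff',
});

// Merge defaults under the handler's own headers: a handler may deliberately
// override one, but forgetting to set them never removes them.
function withSecureHeaders(handlerHeaders = {}) {
  return Object.assign({}, DEFAULT_SECURITY_HEADERS, handlerHeaders);
}

// Strong parameters: keep only allow-listed keys whose value has the expected
// primitive type. Unlisted keys (mass assignment, e.g. is_admin) and objects
// where a scalar is expected (query-operator injection) are dropped and reported.
function strongParams(body, schema) {
  const params = {};
  const rejected = [];
  for (const [key, type] of Object.entries(schema)) {
    const value = body[key];
    if (value === undefined) continue;
    if (typeof value !== type || type === 'object') { rejected.push(key); continue; }
    params[key] = value;
  }
  for (const key of Object.keys(body)) if (!(key in schema)) rejected.push(key);
  return { params, rejected };
}

// Escape HTML on output so user-supplied strings render as text, not markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Model serialization: hidden fields (constructed default list) never leave the
// server, regardless of which fields the caller asked for.
function serializeModel(record, hiddenFields = ['password', 'password_hash']) {
  const hidden = new Set(hiddenFields);
  return Object.fromEntries(Object.entries(record).filter(([k]) => !hidden.has(k)));
}
```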

@keithwhor
Owner

These are all excellent points. We can put this on the roadmap for 0.7. We've had a few discussions about XSS in the gitter channel (as we want to encourage allowing multiple origins via CORS for distributed architectures, opening up more opportunities for XSS from bad clients). Haven't talked much about how to tackle it, yet.

Great ideas, thanks for the help and suggestions. If you'd like to contribute I strongly encourage you to own this portion of Nodal and submit PRs that you think will be useful. I'd like to get another minor release (0.6) out on Monday, but I think these problems can be tackled for 0.7. Join us on the gitter chat at http://gitter.im/keithwhor/nodal :)

@schahriar
Contributor

@keithwhor @taylorhakes I think CSP Headers and "Block showing sensitive fields ..." should be top priorities for 0.7. It would be a great addition on top of more security features such as TLS and certificate verification in the 0.7 Roadmap.

@taylorhakes
Contributor Author

That is great to hear. I agree that CSP and sensitive fields are very important. I can start to work on these. I will continue the discussion on gitter.

@keithwhor
Owner

Closing issue for now --- it's in Roadmap and I know we're working on it :)
