Secure by default? #112
Comments
These are all excellent points. We can put this on the roadmap for 0.7. We've had a few discussions about XSS in the gitter channel (as we want to encourage allowing multiple origins via CORS for distributed architectures, opening up more opportunities for XSS from bad clients). Haven't talked much about how to tackle it, yet. Great ideas, thanks for the help and suggestions. If you'd like to contribute I strongly encourage you to own this portion of Nodal and submit PRs that you think will be useful. I'd like to get another minor release (0.6) out on Monday, but I think these problems can be tackled for 0.7. Join us on the gitter chat at http://gitter.im/keithwhor/nodal :)
@keithwhor @taylorhakes I think CSP Headers and "Block showing sensitive fields ..." should be top priorities for 0.7. It would be a great addition on top of more security features such as TLS and certificate verification in the 0.7 Roadmap.
That is great to hear. I agree that CSP and sensitive fields are very important. I can start to work on these. I will continue the discussion on gitter.
Closing issue for now --- it's in Roadmap and I know we're working on it :) |
I have been giving a lot of thought about issues with Express, Koa and Hapi, etc. One of their biggest issues is ease of use. You have to install 20 other NPM modules to get a working app. It is manageable for an advanced Node developer, but completely overwhelming for intermediates and beginners. Nodal seems to solve this by making it "just work" out of the box.
An even bigger issue with the other libraries/frameworks is that they are not secure by default or make the user need to be versed in all the security issues that can arise in a server app. This makes it very easy for even advanced developers to shoot themselves in the foot.
Some things I am talking about are:

Headers:
- Force CSP Headers
- Force X-Frame-Options/Frame-Options Headers
- Force X-XSS-Protection
- X-Content-Type-Options 'nosniff'

Controllers:
- Force strong parameter validation on all POST/PUT/DELETE (Related Issue)
- Strip HTML by default to avoid XSS
- Add CSRF tokens to all session based POST/PUT/DELETE

Models:
- Block showing sensitive fields such as user's password (encrypted or not) in any request
- Block SQL injection attacks by checking strings and object types

Others:
- Avoid eval
- Avoid command injection
- And others
Is this a design decision in Nodal? I know some of these would be in direct conflict with "just work", but I think they would be very important to making production secure apps. I would be very interested in helping any way I can.