forked from OWASP/NodeGoat
-
Notifications
You must be signed in to change notification settings - Fork 0
/
server.js
157 lines (134 loc) · 4.75 KB
/
server.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
"use strict";
const express = require("express");
const favicon = require("serve-favicon");
const bodyParser = require("body-parser");
const session = require("express-session");
// const csrf = require('csurf');
const consolidate = require("consolidate"); // Templating library adapter for Express
const swig = require("swig");
// const helmet = require("helmet");
const MongoClient = require("mongodb").MongoClient; // Driver for connecting to MongoDB
const http = require("http");
const marked = require("marked");
//const nosniff = require('dont-sniff-mimetype');
const app = express(); // Web framework to handle routing requests
const routes = require("./app/routes");
const { port, db, cookieSecret } = require("./config/config"); // Application config properties
/*
// Fix for A6-Sensitive Data Exposure
// Load keys for establishing secure HTTPS connection
const fs = require("fs");
const https = require("https");
const path = require("path");
const httpsOptions = {
key: fs.readFileSync(path.resolve(__dirname, "./artifacts/cert/server.key")),
cert: fs.readFileSync(path.resolve(__dirname, "./artifacts/cert/server.crt"))
};
*/
MongoClient.connect(db, (err, db) => {
if (err) {
console.log("Error: DB: connect");
console.log(err);
process.exit(1);
}
console.log(`Connected to the database`);
/*
// Fix for A5 - Security MisConfig
// TODO: Review the rest of helmet options, like "xssFilter"
// Remove default x-powered-by response header
app.disable("x-powered-by");
// Prevent opening page in frame or iframe to protect from clickjacking
app.use(helmet.frameguard()); //xframe deprecated
// Prevents browser from caching and storing page
app.use(helmet.noCache());
// Allow loading resources only from white-listed domains
app.use(helmet.contentSecurityPolicy()); //csp deprecated
// Allow communication only on HTTPS
app.use(helmet.hsts());
// TODO: Add another vuln: https://github.com/helmetjs/helmet/issues/26
// Enable XSS filter in IE (On by default)
// app.use(helmet.iexss());
// Now it should be used in hit way, but the README alerts that could be
// dangerous, like specified in the issue.
// app.use(helmet.xssFilter({ setOnOldIE: true }));
// Forces browser to only use the Content-Type set in the response header instead of sniffing or guessing it
app.use(nosniff());
*/
// Adding/ remove HTTP Headers for security
app.use(favicon(__dirname + "/app/assets/favicon.ico"));
// Express middleware to populate "req.body" so we can access POST variables
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({
// Mandatory in Express v4
extended: false
}));
// Enable session management using express middleware
app.use(session({
// genid: (req) => {
// return genuuid() // use UUIDs for session IDs
//},
secret: cookieSecret,
// Both mandatory in Express v4
saveUninitialized: true,
resave: true
/*
// Fix for A5 - Security MisConfig
// Use generic cookie name
key: "sessionId",
*/
/*
// Fix for A3 - XSS
// TODO: Add "maxAge"
cookie: {
httpOnly: true
// Remember to start an HTTPS server to get this working
// secure: true
}
*/
}));
/*
// Fix for A8 - CSRF
// Enable Express csrf protection
app.use(csrf());
// Make csrf token available in templates
app.use((req, res, next) => {
res.locals.csrftoken = req.csrfToken();
next();
});
*/
// Register templating engine
app.engine(".html", consolidate.swig);
app.set("view engine", "html");
app.set("views", `${__dirname}/app/views`);
// Fix for A5 - Security MisConfig
// TODO: make sure assets are declared before app.use(session())
app.use(express.static(`${__dirname}/app/assets`));
// Initializing marked library
// Fix for A9 - Insecure Dependencies
marked.setOptions({
sanitize: true
});
app.locals.marked = marked;
// Application routes
routes(app, db);
// Template system setup
swig.setDefaults({
// Autoescape disabled
autoescape: false
/*
// Fix for A3 - XSS, enable auto escaping
autoescape: true // default value
*/
});
// Insecure HTTP connection
http.createServer(app).listen(port, () => {
console.log(`Express http server listening on port ${port}`);
});
/*
// Fix for A6-Sensitive Data Exposure
// Use secure HTTPS protocol
https.createServer(httpsOptions, app).listen(port, () => {
console.log(`Express http server listening on port ${port}`);
});
*/
});