The latest articles on DEV Community by Yang Li (@liyang51827). https://dev.to/liyang51827 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1095548%2F75f5d5da-5d79-4169-b12f-cf7936fe38cc.png https://dev.to/liyang51827 en Yang Li Fri, 11 Aug 2023 14:00:33 +0000 https://dev.to/liyang51827/were-open-now-drape-fit-is-no-longer-available-3hmj https://dev.to/liyang51827/were-open-now-drape-fit-is-no-longer-available-3hmj <p>I'd like to make some of my private ex-projects <strong>public</strong> now.</p> <h2> 😱 How? Why? </h2> <h2> <a href="https://github.com/liyang51827/drapefit-new-trial-mern">📌 drapefit-new-trial-mern</a> </h2> <blockquote> <h3> New version <strong><em>TRIAL</em></strong> of <a href="https://www.drapefit.com">Drape Fit</a> Web App using <code>MERN</code> </h3> <h2> <strong>ATTENTION!</strong> - Do not TRUST this <em>deprecated</em> styling service anymore!!! </h2> </blockquote> <h3> I hope this archived project source would be helpful to whom want to learn <code>MERN</code> at production level... </h3> <h2> System Architecture Diagram </h2> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--AqznOVNu--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/g2vm5226l51ax9igyym4.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--AqznOVNu--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/g2vm5226l51ax9igyym4.png" alt="Image description" width="800" height="518"></a></p> <h2> Pre-requisites </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">current release</span><span class="pi">:</span> <span class="s">v0.1.5</span> <span class="na">latest working</span><span class="pi">:</span> <span class="s">v0.1.6</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">node.js version</span><span class="pi">:</span> <span class="s">^18.12.0</span> <span class="na">mongodb version</span><span class="pi">:</span> <span class="s">^6.0.4</span> <span class="na">yarn version</span><span class="pi">:</span> <span class="s">^1.22.4</span> </code></pre> </div> <p>Please refer to the <code>scripts</code> part of <strong>./package.json</strong> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="nl">"scripts"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"backend"</span><span class="p">:</span><span class="w"> </span><span class="s2">"node --max-old-space-size=4096 backend/server.js"</span><span class="p">,</span><span class="w"> </span><span class="nl">"backend:hotdev"</span><span class="p">:</span><span class="w"> </span><span class="s2">"nodemon --max-old-space-size=4096 backend/server.js"</span><span class="p">,</span><span class="w"> </span><span class="nl">"client"</span><span class="p">:</span><span class="w"> </span><span class="s2">"npm start --prefix frontend"</span><span class="p">,</span><span class="w"> </span><span class="nl">"dev"</span><span class="p">:</span><span class="w"> </span><span class="s2">"concurrently </span><span class="se">\"</span><span class="s2">npm run backend:hotdev</span><span class="se">\"</span><span class="s2"> </span><span class="se">\"</span><span class="s2">npm run client</span><span class="se">\"</span><span class="s2">"</span><span class="p">,</span><span class="w"> </span><span class="nl">"test:server_mocha"</span><span class="p">:</span><span class="w"> </span><span class="s2">"mocha -r esm backend/app.test.js --exit"</span><span class="p">,</span><span class="w"> </span><span class="nl">"test:client_jest"</span><span class="p">:</span><span class="w"> </span><span class="s2">"npm run test --prefix frontend"</span><span class="p">,</span><span class="w"> </span><span class="nl">"test:c8"</span><span class="p">:</span><span class="w"> </span><span class="s2">"npx c8 node backend/app.js"</span><span class="p">,</span><span class="w"> </span><span class="nl">"test:c8_report"</span><span class="p">:</span><span class="w"> </span><span class="s2">"npx c8 report &amp;&amp; start </span><span class="se">\"\"</span><span class="s2"> </span><span class="se">\"</span><span class="s2">coverage/index.html</span><span class="se">\"</span><span class="s2">"</span><span class="p">,</span><span class="w"> </span><span class="nl">"client:build"</span><span class="p">:</span><span class="w"> </span><span class="s2">"npm run build --prefix frontend"</span><span class="p">,</span><span class="w"> </span><span class="nl">"server:local"</span><span class="p">:</span><span class="w"> </span><span class="s2">"npm run client:build &amp;&amp; node --max-old-space-size=4096 backend/server.js"</span><span class="p">,</span><span class="w"> </span><span class="nl">"server:ec2_dev"</span><span class="p">:</span><span class="w"> </span><span class="s2">"pm2 start ecosystem.config.js --node-args=</span><span class="se">\"</span><span class="s2">--experimental-loader newrelic/esm-loader.mjs --max-old-space-size=4096</span><span class="se">\"</span><span class="s2">"</span><span class="p">,</span><span class="w"> </span><span class="nl">"server:ec2_prod"</span><span class="p">:</span><span class="w"> </span><span class="s2">"npm run client:build &amp;&amp; pm2 start ecosystem.config.js --node-args=</span><span class="se">\"</span><span class="s2">--experimental-loader newrelic/esm-loader.mjs --max-old-space-size=8192</span><span class="se">\"</span><span class="s2">"</span><span class="w"> </span><span class="p">}</span><span class="err">,</span><span class="w"> </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install node modules</span> <span class="nv">$ </span>yarn <span class="nb">install</span> <span class="c"># Launch local live servers</span> <span class="nv">$ </span>yarn run dev <span class="c"># Launch AWS EC2 remote server in development mode</span> <span class="nv">$ </span>yarn run server:ec2_dev <span class="c"># Make backend unit test using Mocha</span> <span class="nv">$ </span>yarn run <span class="nb">test</span>:server_mocha </code></pre> </div> <p>Visit</p> <ul> <li><a href="http://localhost:5180/">http://localhost:5180/</a></li> <li><a href="http://localhost:3000/">http://localhost:3000/</a></li> </ul> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--dqm17I39--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ymrmn7mdkkumlxcqexte.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--dqm17I39--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ymrmn7mdkkumlxcqexte.png" alt="Image description" width="800" height="435"></a></p> <h2> User Authentication with Redux Toolkit </h2> <blockquote> <p>Authentication workflow built with the MERN stack &amp; Redux Toolkit.</p> </blockquote> <h3> Features </h3> <ul> <li>User Login/SignIn &amp; SignUp</li> <li>Protected routes with React Router v6</li> <li>JWT storage with LocalStorage</li> <li>Automatically fetches user details on page load (Header.js)</li> <li>React Redux</li> </ul> <h3> Usage </h3> <h4> <strong>Environment Variables</strong> </h4> <p><code>*.env</code> files are as the followings:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&gt; ./environments/dev.env &gt; ./environments/prod.env </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">NODE_ENV=YOUR_NODE_ENV</span> <span class="c1"># development | production</span> <span class="c1">## Ports</span> <span class="s">PORT=YOUR_PORT</span> <span class="s">PORT_REACT=YOUR_REACT_PORT</span> <span class="c1">## MongoDB</span> <span class="s">MONGO_URI_MAIN=YOUR_MONGO_URI_MAIN</span> <span class="s">MONGO_URI_INVENTORY=YOUR_MONGO_URI_INVENTORY</span> <span class="s">MONGO_URI_SUPPLIER=YOUR_MONGO_URI_SUPPLIER</span> <span class="s">MONGO_URI_MERCHANDISE=YOUR_MONGO_URI_MERCHANDISE</span> <span class="c1">## Secrets / Keys</span> <span class="s">JWT_SECRET=YOUR_JWT_SECRET</span> <span class="s">BEARER_TOKEN_PREFIX=YOUR_BEARER_TOKEN_PREFIX</span> <span class="c1">## AWS Server</span> <span class="s">SERVER_IP=YOUR_SERVER_IP</span> <span class="s">SERVER_DOMAIN=YOUR_SERVER_DOMAIN</span> <span class="s">AWS_REGION=YOUR_AWS_REGION</span> <span class="s">S3_BUCKET_NAME=YOUR_S3_BUCKET_NAME</span> <span class="c1">## Multer Upload</span> <span class="s">MULTER_DEST_DIR=YOUR_MULTER_DEST_DIR</span> <span class="c1">## Email</span> <span class="s">DRAPEFIT_SVC_MAIL=YOUR_DRAPEFIT_SVC_MAIL</span> <span class="s">SUPER_ADMIN_EMAIL=YOUR_SUPER_ADMIN_EMAIL</span> <span class="s">SUPER_ADMIN_INITPWD=SUPER_ADMIN_INITIAL_PASSWORD</span> <span class="c1">## Payment - Stripe</span> <span class="s">STRIPE_TEST_SK=YOUR_STRIPE_TEST_SECRET_KEY</span> <span class="s">STRIPE_LIVE_SK=YOUR_STRIPE_LIVE_SECRET_KEY</span> <span class="s">STRIPE_ENDPT_SECRET=YOUR_STRIPE_ENDPOINT_SECRET</span> </code></pre> </div> <h4> <strong>Frontend (React) Config Variables</strong> </h4> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>frontend/src/configs/MyEnvConfig.js </code></pre> </div> <p><code>MyEnvConfig.js</code> file is as below:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">export</span> <span class="k">default</span> <span class="p">{</span> <span class="na">baseurl</span><span class="p">:</span> <span class="p">{</span> <span class="na">dev</span><span class="p">:</span> <span class="dl">'</span><span class="s1">YOUR_DEV_BASEURL</span><span class="dl">'</span><span class="p">,</span> <span class="na">prod</span><span class="p">:</span> <span class="dl">'</span><span class="s1">YOUR_PROD_BASEURL</span><span class="dl">'</span> <span class="p">},</span> <span class="na">stripe</span><span class="p">:</span> <span class="p">{</span> <span class="na">pbKey</span><span class="p">:</span> <span class="dl">'</span><span class="s1">pk_test_YOUR_PUBLISHABLE_KEY</span><span class="dl">'</span> <span class="p">},</span> <span class="na">bearer</span><span class="p">:</span> <span class="p">{</span> <span class="na">tokenPrefix</span><span class="p">:</span> <span class="dl">'</span><span class="s1">YOUR_BEARER_TOKEN_PREFIX</span><span class="dl">'</span> <span class="p">},</span> <span class="na">gcaptcha</span><span class="p">:</span> <span class="p">{</span> <span class="na">siteKey</span><span class="p">:</span> <span class="dl">'</span><span class="s1">YOUR_GOOGLE_RECAPTCHA_SITEKEY</span><span class="dl">'</span> <span class="p">},</span> <span class="na">aws</span><span class="p">:</span> <span class="p">{</span> <span class="na">region</span><span class="p">:</span> <span class="dl">'</span><span class="s1">YOUR_AWS_REGION</span><span class="dl">'</span><span class="p">,</span> <span class="na">s3Bucket</span><span class="p">:</span> <span class="dl">'</span><span class="s1">YOUR_S3_BUCKET</span><span class="dl">'</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <h4> <strong>AWS Credentials by Files</strong> </h4> <blockquote> <p>This is necessary for <strong>AWS JavaScript SDK</strong> integration.</p> </blockquote> <ul> <li> <strong><code>~/.aws/credentials</code></strong> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="pi">[</span><span class="nv">default</span><span class="pi">]</span> <span class="s">aws_access_key_id=YOUR_AWS_ACCESS_KEY_ID</span> <span class="s">aws_secret_access_key=YOUR_AWS_SECRET_ACCESS_KEY</span> </code></pre> </div> <ul> <li> <strong><code>~/.aws/config</code></strong> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="pi">[</span><span class="nv">default</span><span class="pi">]</span> <span class="s">aws_access_key_id=YOUR_AWS_ACCESS_KEY_ID</span> <span class="s">aws_secret_access_key=YOUR_AWS_SECRET_ACCESS_KEY</span> </code></pre> </div> <p>For details, please refer <a href="https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/modules/_aws_sdk_credential_providers.html#sample-files">here</a>.</p> <p>For <strong>Win 10</strong>, the path would be the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>C:\Users\admin\.aws </code></pre> </div> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--LTcBBP-n--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/pi625tyq8td3qo5381a3.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--LTcBBP-n--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/pi625tyq8td3qo5381a3.png" alt="Image description" width="636" height="133"></a></p> <p>For <strong>Ubuntu 20.04</strong> on AWS EC2, the path would be the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/home/ubuntu/.aws </code></pre> </div> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--yXTyYHO2--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/h7ebko25sw6kk5pds5p5.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--yXTyYHO2--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/h7ebko25sw6kk5pds5p5.png" alt="Image description" width="536" height="207"></a></p> <h4> <strong>Install Dependencies</strong> </h4> <p>Backend &amp; Frontend<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>yarn <span class="nb">install</span> <span class="nv">$ </span><span class="nb">cd </span>backend <span class="nv">$ </span>yarn <span class="nb">install</span> <span class="nv">$ </span><span class="nb">cd </span>frontend <span class="nv">$ </span>yarn <span class="nb">install</span> </code></pre> </div> <h3> 📌 <strong>Fix Low Space Issue on Free-Tier EC2 Instance</strong> </h3> <blockquote> <p><code>Low space issue might occur MongoDB server down</code>💦<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Remove temp files (ONLY on Emergency!!!)</span> <span class="nv">$ </span><span class="nb">sudo rm</span> <span class="nt">-rf</span> /tmp/<span class="k">*</span> <span class="c"># Clear current user's general cache (ONLY on Emergency!!!)</span> <span class="c">## Resolving the ‘No Space Left on Device’ Error on Linux</span> <span class="nv">$ </span><span class="nb">sudo rm</span> <span class="nt">-rf</span> ~/.cache/<span class="k">*</span> <span class="c"># Remove APT cache</span> <span class="c">## check the disk space consumed</span> <span class="nv">$ </span><span class="nb">sudo du</span> <span class="nt">-csh</span> /var/cache/apt <span class="c">## clean this cache</span> <span class="nv">$ </span><span class="nb">sudo </span>apt-get clean <span class="c">## if clean up only the outdated packages</span> <span class="nv">$ </span><span class="nb">sudo </span>apt-get autoclean <span class="c"># Clean journal logs</span> <span class="c">## check the log size</span> <span class="nv">$ </span><span class="nb">sudo </span>journalctl <span class="nt">--disk-usage</span> <span class="c">## clear these logs which are older than certain days (e.g. 2 days)</span> <span class="nv">$ </span><span class="nb">sudo </span>journalctl <span class="nt">--vacuum-time</span><span class="o">=</span>2d <span class="c"># Remove old kernels (optional)</span> <span class="nv">$ </span><span class="nb">sudo </span>apt-get autoremove <span class="nt">--purge</span> </code></pre> </div> <blockquote> <p>📘 <code>Listing file sizes in folder</code><br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">du</span> <span class="nt">-hsc</span> <span class="k">*</span> | <span class="nb">sort</span> <span class="nt">-hr</span> </code></pre> </div> <blockquote> <p>🎯 <code>MongoDB LogRotate on Ubuntu 20.04</code></p> </blockquote> <p>We sometimes experience that the MongoDB server would get down on the EC2 test instance unexpectedly.<br><br> Trying to find out what might let the DB server down, I've noticed that the MongoDB log file's size is extremely large, even bigger than 100MB.<br><br> Since stdin &amp; stdout processes such as logging are really memory-costing, it would be certainly an overload for the EC2 test instance of small tier.<br><br> To solve this issue, I've introduced the LogRotate function of Ubuntu to the MongoDB server.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo </span>nano /etc/logrotate.d/mongod </code></pre> </div> <p>Copy and paste the following content:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/var/log/mongodb/*.log { daily rotate 30 compress dateext missingok notifempty sharedscripts postrotate /bin/kill -SIGUSR1 `cat /var/lib/mongodb/mongod.lock 2&gt; /dev/null` 2&gt; /dev/null || true systemctl restart mongod endscript } </code></pre> </div> <p>To test the configuration running:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>logrotate <span class="nt">-f</span> <span class="nt">-v</span> /etc/logrotate.d/mongod </code></pre> </div> <h2> <a href="https://github.com/liyang51827/drapefit-cakephp">📌 drapefit-cakephp</a> </h2> <p>Full Source code for Drape Fit (<a href="https://www.drapefit.com">https://www.drapefit.com</a>) which is hosted on cPanel.</p> <h3> I hope this archived project source would be helpful to whom want to learn <code>CakePHP</code> at production level... </h3> <h2> Database - MySQL </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>| |- db_dump_mysql |--| |--|-- drapefit_test.sql | </code></pre> </div> <h2> Style Guide - WordPress </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>| |- styleguide |--| | </code></pre> </div> <h2> Inventory Page </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>| |- inventory |--| | </code></pre> </div> <h2> Supplier Page </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>| |- supplier |--| | </code></pre> </div> <p>😱🎃</p> Yang Li Mon, 05 Jun 2023 05:21:02 +0000 https://dev.to/liyang51827/thoughts-on-how-to-prevent-nosql-injection-for-nodejs-express-server-b1m https://dev.to/liyang51827/thoughts-on-how-to-prevent-nosql-injection-for-nodejs-express-server-b1m <p><strong>NoSQL injection is a type of vulnerability where an attacker is able to inject arbitrary text into NoSQL queries.</strong></p> <p><em>NoSQL injections are very similar to the traditional SQL injection attack, except that the attack is against a NoSQL database.</em> NoSQL is a general term for any database that does not use SQL, a common database management system (DBMS) that utilizes NoSQL is MongoDB.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9q3dwa4gastqcl88ms6o.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9q3dwa4gastqcl88ms6o.png" alt="NoSQL injection diagram"></a></p> <p>In this post, I’d like to describe the followings to show how to prevent NoSQL injection:</p> <ol> <li>Build a simple NodeJS app</li> <li>Understand what a NoSQL Injection attack is</li> <li>Use a <code>npm</code> package to prevent attacks</li> </ol> <p>For prerequisites, let us assume that we have a ready-to-use MongoDB cluster or a local MongoDB installation and have the connection URI, e.g. <a href="http://localhost:27017" rel="noopener noreferrer">http://localhost:27017</a>.</p> <h2> Project Setup </h2> <p>Let us initialize our node.js app and install a couple of packages. Run the following commands in an empty folder.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>npm init <span class="nt">-y</span> <span class="nv">$ </span>npm i express mongoose <span class="nv">$ </span>npm i nodemon dotenv <span class="nt">-D</span> </code></pre> </div> <p>Or, use <code>Yarn</code> instead.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>npm init <span class="nt">-y</span> <span class="nv">$ </span>yarn add express mongoose <span class="nv">$ </span>yarn add nodemon dotenv –-dev </code></pre> </div> <p>Create <code>app.js</code> and <code>models/user.model.js</code>.</p> <h3> app.js </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">dotenv</span><span class="dl">'</span><span class="p">).</span><span class="nf">config</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">mongoose</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">mongoose</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">routes</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./routes/index</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">json</span><span class="p">());</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">routes</span><span class="p">);</span> <span class="nx">mongoose</span> <span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">MONGODB_URI</span><span class="p">)</span> <span class="p">.</span><span class="nf">then</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Mongoose connected 🍃</span><span class="dl">'</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="mi">3000</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Server is up and running 🚀</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="p">})</span> <span class="p">.</span><span class="k">catch</span><span class="p">((</span><span class="nx">error</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">error</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <h3> models/user.model.js </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="kd">const</span> <span class="nx">mongoose</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">mongoose</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">userSchema</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">mongoose</span><span class="p">.</span><span class="nc">Schema</span><span class="p">({</span> <span class="na">username</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="na">unique</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="na">password</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="na">unique</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">User</span> <span class="o">=</span> <span class="nx">mongoose</span><span class="p">.</span><span class="nf">model</span><span class="p">(</span><span class="dl">'</span><span class="s1">User</span><span class="dl">'</span><span class="p">,</span> <span class="nx">userSchema</span><span class="p">);</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="nx">User</span><span class="p">;</span> </code></pre> </div> <p>With the setup out of the way, let us start by looking at a simple NoSQL attack.<br> For demonstration purposes, I'll create a simple routing file.</p> <h3> routes/index.js </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">User</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">../models/user.model</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">router</span> <span class="o">=</span> <span class="nx">express</span><span class="p">.</span><span class="nc">Router</span><span class="p">();</span> <span class="nx">router</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">users</span><span class="p">:</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">find</span><span class="p">({}).</span><span class="nf">exec</span><span class="p">()</span> <span class="p">});</span> <span class="p">});</span> <span class="nx">router</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">username</span><span class="p">,</span> <span class="nx">password</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">findOne</span><span class="p">({</span> <span class="nx">username</span><span class="p">,</span> <span class="nx">password</span> <span class="p">}).</span><span class="nf">exec</span><span class="p">();</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="s2">`Logged in as </span><span class="p">${</span><span class="nx">user</span><span class="p">.</span><span class="nx">username</span><span class="p">}</span><span class="s2">`</span> <span class="p">});</span> <span class="p">});</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="nx">router</span><span class="p">;</span> </code></pre> </div> <p>It's time to make a GET request to <code>/users</code> to see what we have. As mentioned previously, we will be using <strong>Postman</strong>.</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="s">// GET localhost:3000/users</span> <span class="pi">{</span> <span class="s2">"</span><span class="s">users"</span><span class="pi">:</span> <span class="pi">[</span> <span class="pi">{</span> <span class="s2">"</span><span class="s">_id"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">6125401c491c0b0bfd123165"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">username"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">test1"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">password"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">123456"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">__v"</span><span class="pi">:</span> <span class="nv">0</span> <span class="pi">},</span> <span class="pi">{</span> <span class="s2">"</span><span class="s">_id"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">6125401c491c0b0bfd123166"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">username"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">test2"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">password"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">abcdef"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">__v"</span><span class="pi">:</span> <span class="nv">0</span> <span class="pi">},</span> <span class="pi">{</span> <span class="s2">"</span><span class="s">_id"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">6125401c491c0b0bfd123167"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">username"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">test3"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">password"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">sdjndsn"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">__v"</span><span class="pi">:</span> <span class="nv">0</span> <span class="pi">}</span> <span class="pi">]</span> <span class="pi">}</span> </code></pre> </div> <p>This is the response that the server returns. As seen from the code block above, we have three users (Passwords are shown for demonstration purposes) for example.</p> <p>Next, try to log in using one of the credentials. Make a POST request to <code>/login</code> with the request body below.</p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"username"</span><span class="p">:</span><span class="w"> </span><span class="s2">"test1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"password"</span><span class="p">:</span><span class="w"> </span><span class="s2">"123456"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>We would get the following response. Everything seems pretty normal up to this point, so let us dive deeper!</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="s">// POST localhost:3000/login</span> <span class="pi">{</span> <span class="s2">"</span><span class="s">message"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Logged</span><span class="nv"> </span><span class="s">in</span><span class="nv"> </span><span class="s">as</span><span class="nv"> </span><span class="s">test1"</span> <span class="pi">}</span> </code></pre> </div> <h2> Perform a demo NoSQL injection!!! </h2> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6gx2gffprmoru49cyfni.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6gx2gffprmoru49cyfni.png" alt="NoSQL Injection"></a></p> <p>To perform a NoSQL injection attack, simply change the password value in the body from <code>"123456"</code> to <code>{ "$ne": "null" }</code>. So, the new request body looks like the following:</p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"username"</span><span class="p">:</span><span class="w"> </span><span class="s2">"test1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"password"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"$ne"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Hold on, please!<br> What does the <code>$ne</code> operator do? Let me explain.</p> <blockquote> <p><code>$ne</code> operator tells mongo to check for not equal to. That is, instead of checking the password for the correct value, MongoDB will simply check whether the password field is null or not. Since the password field cannot be null in any case, we can trick MongoDB into giving us the user information without knowing the password.</p> </blockquote> <p>After making a POST request to <code>/login</code> with the new modified request body, we would get the following response from the server.</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="s">// POST localhost:3000/login</span> <span class="pi">{</span> <span class="s2">"</span><span class="s">message"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Logged</span><span class="nv"> </span><span class="s">in</span><span class="nv"> </span><span class="s">as</span><span class="nv"> </span><span class="s">test1"</span> <span class="pi">}</span> </code></pre> </div> <p><strong>Oh my god!</strong>😱</p> <p>There is more than one way to do the same thing. For instance, we could have used <code>{ "$gt": "" }</code> instead of the <code>$ne</code> operator.</p> <p>Fortunately, preventing this attack is as easy as performing it. Next, let us take a look at how we can prevent NoSQL injection attacks.</p> <h2> Introduce NPM module </h2> <p>We would install the <code>express-mongo-sanitize</code> package from NPM. Run the following command:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>npm i express-mongo-sanitize </code></pre> </div> <p>Or,</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>yarn add express-mongo-sanitize </code></pre> </div> <p>We can learn the details about this module here:<br> <a href="https://www.npmjs.com/package/express-mongo-sanitize" rel="noopener noreferrer">https://www.npmjs.com/package/express-mongo-sanitize</a></p> <p>Requiring the package returns a middleware function, which can then be used as in the example below.</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="c1">// Prevent NoSQL injection</span> <span class="kd">const</span> <span class="nx">mongoSanitize</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express-mongo-sanitize</span><span class="dl">'</span><span class="p">);</span> <span class="p">...</span> <span class="c1">// Prevent NoSQL injection</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span> <span class="nf">mongoSanitize</span><span class="p">({</span> <span class="na">onSanitize</span><span class="p">:</span> <span class="p">({</span> <span class="nx">req</span><span class="p">,</span> <span class="nx">key</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Throw an error</span> <span class="c1">// Catch with express error handler</span> <span class="p">}</span> <span class="p">})</span> <span class="p">);</span> </code></pre> </div> <p>I hope this post would be a bit helpful to prevent NoSQL injection attacks when you implement your node.js express server.</p> <p>For a full source code, please refer to this GitHub repo:<br> <a href="https://github.com/liyang51827/express-nosql-injection-demo" rel="noopener noreferrer">https://github.com/liyang51827/express-nosql-injection-demo</a></p> node security nosql mongodb Yang Li Mon, 05 Jun 2023 03:32:35 +0000 https://dev.to/liyang51827/using-http-strict-transport-security-hsts-headers-in-nodejs-server-1mmn https://dev.to/liyang51827/using-http-strict-transport-security-hsts-headers-in-nodejs-server-1mmn <p>For most websites and apps, employing security-related HTTP headers has become standard practice. Websites use headers as part of HTTP requests and replies to convey information about a page or data sent via the HTTP protocol.<br> Among the many available security headers that modern web browsers use to protect users, one crucial type is the HTTP Strict Transport Security (HSTS) header. <strong>The HSTS header that a website provides tells the browser to use the HTTPS protocol on each subsequent visit.</strong></p> <p><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security" rel="noopener noreferrer">https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security</a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjglfw0zpvep2nhx7ckzp.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjglfw0zpvep2nhx7ckzp.png" alt="HTTP Strict Transport Security"></a></p> <p>However, despite their utility, ease of implementation, and support from virtually every browser, only about 25% of mobile and 28% of desktop HTTP responses include HSTS headers.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyainiyjho8ak1qepft5f.jpg" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyainiyjho8ak1qepft5f.jpg" alt="HSTS directives usage"></a></p> <p>Let us take an in-depth look at HSTS headers to discover how they affect web security and why we should use them on Node.js.<br> Then, I’d like to describe how to enable HSTS inside a Node.js server.</p> <h2> Why enable HSTS? </h2> <p>HTTPS connections are secure because they encrypt and decrypt transmitted data packets using SSL/TLS certificates, which well-known certificate authorities (CAs) can verify. As a result, <strong>only the user’s computer and the server can read the transmitted data packets, regardless of who intercepts the network traffic.</strong></p> <p>Typical HTTP connections are unencrypted, meaning that anyone who accesses the data can read it. These unintended recipients might include servers routing and forwarding the user’s data to its destination server or a hacker who accesses the network traffic on a public Wi-Fi router.</p> <h2> HOW DOES HSTS WORK? </h2> <p>When the HTTP response header contains an HSTS, web browsers know to always use an HTTPS connection with the server and automatically redirect users who first connected via HTTP.<br> From then on, connections to the web application or site remain encrypted and secure, enabling the app to use secure cookies and helping prevent MITM (man-in-the-middle) security attacks.</p> <p>There are three different parameters available in the HSTS header.</p> <ul> <li>MAX-AGE</li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> MAX-AGE=&lt;EXPIRE-TIME&gt; </code></pre> </div> <p>This required parameter specifies the amount of time in seconds that the browser should remember to connect to the site via HTTPS. Once this time expires, the browser will load the site normally on the next visit. The expiration time is updated in the user’s browser every time it sees the HSTS header. As a result, the parameter can remain active indefinitely.<br> Alternatively, certain sites may immediately disable HSTS by setting this value to 0.</p> <ul> <li>INCLUDESUBDOMAINS</li> </ul> <p>The <code>includeSubDomains</code> parameter is an optional flag that tells the browser to enable HSTS for the website and all its subdomains. Because this setting applies broadly, we should ensure that all of our subdomains can support HTTPS before implementing the parameter.</p> <ul> <li>PRELOAD</li> </ul> <p>An initial connection could potentially use a compromised HTTP connection. In response, Google has maintained the unofficial preload parameter.<br> Most major browsers support this security header, which significantly mitigates the risk. A website can add the preload parameter to the HSTS header and then register the domain to the preload service. Browsers can then check this reference list to determine whether their initial connections can use HTTPS.</p> <h2> How to implement HSTS in Express (Node.js) </h2> <p>There are 2 options to implement HSTS in Express (Node.js) server.</p> <ul> <li>Option 1: Use <code>Helmet</code> Middleware</li> </ul> <p><a href="https://www.npmjs.com/package/helmet" rel="noopener noreferrer">https://www.npmjs.com/package/helmet</a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhj3zt5wfe7x85zruptd0.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhj3zt5wfe7x85zruptd0.png" alt="NPM Helmet"></a></p> <p>The first way we can set HSTS is via Helmet middleware with the app initialization:</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">helmet</span><span class="p">());</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">helmet</span><span class="p">.</span><span class="nf">hsts</span><span class="p">({</span> <span class="na">maxAge</span><span class="p">:</span> <span class="mi">300</span><span class="p">,</span> <span class="na">includeSubDomains</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">preload</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">((</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="dl">"</span><span class="s2">Hello secure web!</span><span class="dl">"</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <ul> <li>Option 2: Manually Set the Header</li> </ul> <p>Alternatively, we can manually set the HSTS header through a middleware that applies it to every reply:</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">((</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">secure</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">setHeader</span><span class="p">(</span><span class="dl">"</span><span class="s2">Strict-Transport-Security</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">max-age=300; includeSubDomains; preload</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="dl">"</span><span class="s2">Hello secure web!</span><span class="dl">"</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>We can finish the code by creating the HTTP and HTTPS servers with the following code:</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="kd">const</span> <span class="nx">httpServer</span> <span class="o">=</span> <span class="nx">http</span><span class="p">.</span><span class="nf">createServer</span><span class="p">(</span><span class="nx">app</span><span class="p">);</span> <span class="nx">httpServer</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="mi">80</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">HTTP server started.</span><span class="dl">"</span><span class="p">);</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">httpsServer</span> <span class="o">=</span> <span class="nx">https</span><span class="p">.</span><span class="nf">createServer</span><span class="p">(</span><span class="nx">credentials</span><span class="p">,</span> <span class="nx">app</span><span class="p">);</span> <span class="nx">httpsServer</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="mi">443</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">HTTPS server started</span><span class="dl">"</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>Finally, run the server code and open a web browser.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>node index.js HTTP server started HTTPS server started </code></pre> </div> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr2yk2fivihigqzl88d5b.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr2yk2fivihigqzl88d5b.png" alt="Chrome Dev Console"></a></p> <p>For a full source code, please refer to this GitHub repo:<br> <a href="https://github.com/liyang51827/express-hsts-demo" rel="noopener noreferrer">https://github.com/liyang51827/express-hsts-demo</a></p> <p>This is my first post on DEV Community 👋.<br> Thanks for your kind attention! 🙏</p> node security web express