DEV Community: Maxiviper117 The latest articles on DEV Community by Maxiviper117 (@maxiviper117). https://dev.to/maxiviper117 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F828545%2Fdbec2227-637c-4ee1-97e6-68cc13d387a3.jpeg DEV Community: Maxiviper117 https://dev.to/maxiviper117 en Securely Connect to a Remote PostgreSQL Database with SSH Tunneling Maxiviper117 Wed, 01 Oct 2025 18:11:18 +0000 https://dev.to/maxiviper117/securely-connect-to-a-remote-postgresql-database-with-ssh-tunneling-1gk2 https://dev.to/maxiviper117/securely-connect-to-a-remote-postgresql-database-with-ssh-tunneling-1gk2 <h2> Securely Connect to a Remote PostgreSQL Database with SSH Tunneling </h2> <p>Exposing your database port directly to the internet is like leaving your house unlocked with a “welcome” sign on the door. A safer approach is to use an <strong>SSH tunnel</strong> (a secure pipe between your local machine and the remote server). This way PostgreSQL can stay bound to <code>localhost</code> on the server, while you still connect from your laptop.</p> <h2> 1. Create an SSH key pair </h2> <p>If you don’t already have an SSH key, generate one locally:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh-keygen <span class="nt">-t</span> ed25519 <span class="nt">-C</span> <span class="s2">"your_email@example.com"</span> </code></pre> </div> <ul> <li>Private key: <code>~/.ssh/id_ed25519</code> </li> <li>Public key: <code>~/.ssh/id_ed25519.pub</code> </li> </ul> <p>Keep the private key safe and never share it. The public key is what you’ll add to the server.</p> <h2> 2. Copy your public key to the server </h2> <p>Replace <code>user@remote-server.com</code> with your real username and server address:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh-copy-id <span class="nt">-i</span> ~/.ssh/id_ed25519.pub user@remote-server.com </code></pre> </div> <p>If <code>ssh-copy-id</code> isn’t available, you can manually paste the contents of the <code>.pub</code> file into the server’s <code>~/.ssh/authorized_keys</code>.</p> <h2> 3. Add a convenient SSH config entry </h2> <p>Save yourself some typing by creating an entry in <code>~/.ssh/config</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Host my-server HostName remote-server.com User user IdentityFile ~/.ssh/id_ed25519 IdentitiesOnly yes </code></pre> </div> <p>Now you can connect with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh my-server </code></pre> </div> <h2> 4. Open the SSH tunnel </h2> <p>Assume PostgreSQL is running on the server at <code>localhost:5432</code>. We’ll forward that to port <code>5555</code> on your machine:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh <span class="nt">-L</span> 5555:localhost:5432 my-server </code></pre> </div> <ul> <li> <strong>5555</strong>: local port on your computer</li> <li> <strong>localhost:5432</strong>: PostgreSQL port on the server</li> <li> <strong>my-server</strong>: alias from your SSH config</li> </ul> <p>Keep this terminal open while the tunnel is active.</p> <p><strong>Run in the background:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh <span class="nt">-fN</span> <span class="nt">-L</span> 5555:localhost:5432 my-server </code></pre> </div> <ul> <li> <code>-f</code> = fork to background</li> <li> <code>-N</code> = don’t execute a remote command, just tunnel</li> </ul> <h2> 5. Connect with pgAdmin (or any client) </h2> <p>In pgAdmin, DBeaver, or <code>psql</code>, use:</p> <ul> <li> <strong>Host:</strong> <code>localhost</code> </li> <li> <strong>Port:</strong> <code>5555</code> </li> <li> <strong>User:</strong> your database user (e.g. <code>postgres</code>)</li> <li> <strong>Password:</strong> your database password</li> <li> <strong>Database name:</strong> the actual DB name</li> </ul> <p>The client talks to <code>localhost:5555</code>, and the SSH tunnel securely forwards everything to PostgreSQL on the server.</p> <h2> 6. Closing the tunnel </h2> <ul> <li>Foreground tunnel: press <strong>Ctrl+C</strong>.</li> <li>Background tunnel: find and kill it: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> ps aux | <span class="nb">grep</span> <span class="s1">'ssh -L'</span> <span class="nb">kill</span> &lt;pid&gt; </code></pre> </div> <h2> To Sum Up </h2> <p>With this setup:</p> <ul> <li>Your database port remains hidden from the outside world.</li> <li>All traffic is encrypted via SSH.</li> <li>You can connect safely using your favorite GUI tool or CLI.</li> </ul> <p>This pattern works for <strong>PostgreSQL</strong>, <strong>MySQL</strong>, <strong>Redis</strong>, or any other service that you’d rather not expose directly.</p> ssh tunneling postgressql security 🔐 Securing Your SvelteKit App Against CSRF Attacks Using Custom Hooks Maxiviper117 Sun, 09 Mar 2025 16:24:46 +0000 https://dev.to/maxiviper117/implementing-csrf-protection-in-sveltekit-3afb https://dev.to/maxiviper117/implementing-csrf-protection-in-sveltekit-3afb <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fywd2t6muxirdl1ui2rng.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fywd2t6muxirdl1ui2rng.jpg" alt="Image description" width="800" height="545"></a></p> <p>Cross-Site Request Forgery (<strong>CSRF</strong>) is a vulnerability that lets attackers trick your users into unintentionally submitting requests. This guide demonstrates how to implement robust CSRF protection in SvelteKit using custom middleware hooks.</p> <h2> 📌 <strong>Step 1: Disable Built-in SvelteKit CSRF Check</strong> </h2> <p>SvelteKit provides default CSRF checks. To enable custom handling, disable the built-in check first.</p> <p>📂 <strong><code>svelte.config.ts</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// svelte.config.ts</span> <span class="k">import</span> <span class="nx">adapter</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@sveltejs/adapter-auto</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="p">{</span> <span class="na">kit</span><span class="p">:</span> <span class="p">{</span> <span class="na">adapter</span><span class="p">:</span> <span class="nf">adapter</span><span class="p">(),</span> <span class="na">csrf</span><span class="p">:</span> <span class="p">{</span> <span class="na">checkOrigin</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="c1">// Disable built-in origin checking to allow custom middleware</span> <span class="p">},</span> <span class="p">},</span> <span class="p">};</span> </code></pre> </div> <h2> 🛡️ <strong>Step 2: Create Custom CSRF Middleware</strong> </h2> <p>Create the custom CSRF middleware hook file to provide enhanced security and configurability.</p> <p>📂 <strong><code>src/hooks/csrf.ts</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/hooks/csrf.ts</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">Handle</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@sveltejs/kit</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">json</span><span class="p">,</span> <span class="nx">text</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@sveltejs/kit</span><span class="dl">'</span><span class="p">;</span> <span class="cm">/** * Custom CSRF Protection Middleware * * @param allowedPaths - List of URL paths that bypass CSRF protection. * @param allowedOrigins - Trusted origins allowed to make cross-origin form submissions. */</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">csrf</span><span class="p">(</span><span class="nx">allowedPaths</span><span class="p">:</span> <span class="kr">string</span><span class="p">[],</span> <span class="nx">allowedOrigins</span><span class="p">:</span> <span class="kr">string</span><span class="p">[]</span> <span class="o">=</span> <span class="p">[]):</span> <span class="nx">Handle</span> <span class="p">{</span> <span class="k">return</span> <span class="k">async </span><span class="p">({</span> <span class="nx">event</span><span class="p">,</span> <span class="nx">resolve</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">request</span><span class="p">,</span> <span class="nx">url</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">event</span><span class="p">;</span> <span class="c1">// Get the 'origin' header from the incoming request</span> <span class="kd">const</span> <span class="nx">requestOrigin</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">origin</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// Determine if the request comes from the same origin</span> <span class="kd">const</span> <span class="nx">isSameOrigin</span> <span class="o">=</span> <span class="nx">requestOrigin</span> <span class="o">===</span> <span class="nx">url</span><span class="p">.</span><span class="nx">origin</span><span class="p">;</span> <span class="c1">// Check if the request origin is explicitly allowed (trusted external origins)</span> <span class="kd">const</span> <span class="nx">isAllowedOrigin</span> <span class="o">=</span> <span class="nx">allowedOrigins</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="nx">requestOrigin</span> <span class="o">??</span> <span class="dl">''</span><span class="p">);</span> <span class="c1">// Define conditions under which the request is forbidden (potential CSRF attack)</span> <span class="kd">const</span> <span class="nx">forbidden</span> <span class="o">=</span> <span class="nf">isFormContentType</span><span class="p">(</span><span class="nx">request</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="c1">// Checks if the request contains form data</span> <span class="p">[</span><span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">PUT</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">PATCH</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">DELETE</span><span class="dl">'</span><span class="p">].</span><span class="nf">includes</span><span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">method</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="c1">// State-changing methods</span> <span class="o">!</span><span class="nx">isSameOrigin</span> <span class="o">&amp;&amp;</span> <span class="c1">// Origin mismatch</span> <span class="o">!</span><span class="nx">isAllowedOrigin</span> <span class="o">&amp;&amp;</span> <span class="c1">// Not explicitly allowed</span> <span class="o">!</span><span class="nx">allowedPaths</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="nx">url</span><span class="p">.</span><span class="nx">pathname</span><span class="p">);</span> <span class="c1">// Path not explicitly allowed</span> <span class="c1">// If forbidden, return a 403 Forbidden response immediately</span> <span class="k">if </span><span class="p">(</span><span class="nx">forbidden</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">message</span> <span class="o">=</span> <span class="s2">`Cross-site </span><span class="p">${</span><span class="nx">request</span><span class="p">.</span><span class="nx">method</span><span class="p">}</span><span class="s2"> form submissions are forbidden`</span><span class="p">;</span> <span class="c1">// Return JSON or plain text based on request headers</span> <span class="k">if </span><span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">accept</span><span class="dl">'</span><span class="p">)</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">json</span><span class="p">({</span> <span class="nx">message</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">403</span> <span class="p">});</span> <span class="p">}</span> <span class="k">return</span> <span class="nf">text</span><span class="p">(</span><span class="nx">message</span><span class="p">,</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">403</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// If the request passes CSRF checks, continue to the next middleware or endpoint</span> <span class="k">return</span> <span class="nf">resolve</span><span class="p">(</span><span class="nx">event</span><span class="p">);</span> <span class="p">};</span> <span class="cm">/** * Helper function to check if request 'origin' is allowed. */</span> <span class="kd">function</span> <span class="nf">isAllowedOrigin</span><span class="p">(</span><span class="nx">requestOrigin</span><span class="p">:</span> <span class="kr">string</span> <span class="o">|</span> <span class="kc">null</span><span class="p">,</span> <span class="nx">allowedOrigins</span><span class="p">:</span> <span class="kr">string</span><span class="p">[])</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">allowedOrigins</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="nx">requestOrigin</span> <span class="o">??</span> <span class="dl">''</span><span class="p">);</span> <span class="p">}</span> <span class="cm">/** * Helper function to determine if request content-type indicates a form submission */</span> <span class="kd">function</span> <span class="nf">isFormContentType</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">Request</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="kd">type</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">content-type</span><span class="dl">'</span><span class="p">)?.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">;</span><span class="dl">'</span><span class="p">,</span> <span class="mi">1</span><span class="p">)[</span><span class="mi">0</span><span class="p">].</span><span class="nf">trim</span><span class="p">().</span><span class="nf">toLowerCase</span><span class="p">()</span> <span class="o">??</span> <span class="dl">''</span><span class="p">;</span> <span class="k">return</span> <span class="p">[</span><span class="dl">'</span><span class="s1">application/x-www-form-urlencoded</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">multipart/form-data</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">text/plain</span><span class="dl">'</span><span class="p">].</span><span class="nf">includes</span><span class="p">(</span><span class="kd">type</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> 🚩 <strong>Step 3: Integrate the Middleware into SvelteKit's Hooks</strong> </h2> <p>Integrate this middleware using SvelteKit's <code>sequence</code> helper, allowing you to chain multiple middleware cleanly.</p> <p>📂 <strong><code>src/hooks.server.ts</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/hooks.server.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">sequence</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@sveltejs/kit/hooks</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">csrf</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./hooks/csrf</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Define paths exempt from CSRF checks (e.g., public forms or APIs)</span> <span class="kd">const</span> <span class="nx">allowedPaths</span> <span class="o">=</span> <span class="p">[</span><span class="dl">'</span><span class="s1">/api/public-form</span><span class="dl">'</span><span class="p">];</span> <span class="c1">// Define trusted origins allowed to make cross-origin form submissions</span> <span class="kd">const</span> <span class="nx">allowedOrigins</span> <span class="o">=</span> <span class="p">[</span><span class="dl">'</span><span class="s1">https://trusted-site.com</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">http://localhost:5173</span><span class="dl">'</span><span class="p">];</span> <span class="c1">// Export the combined hooks using 'sequence' for better flexibility</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">handle</span> <span class="o">=</span> <span class="nf">sequence</span><span class="p">(</span> <span class="nf">csrf</span><span class="p">(</span><span class="nx">allowedPaths</span><span class="p">,</span> <span class="nx">allowedOrigins</span><span class="p">)</span> <span class="c1">// CSRF hook added here</span> <span class="c1">// You can chain additional middleware hooks here if needed</span> <span class="p">);</span> </code></pre> </div> <h2> ✅ <strong>Step 4: Testing Your CSRF Middleware</strong> </h2> <h3> <strong>Allowed Requests (should pass):</strong> </h3> <ul> <li>Form submission from same-origin (e.g., <code>https://your-site.com</code> → <code>https://your-site.com/api</code>).</li> <li>Cross-origin submission from explicitly allowed origin (<code>https://trusted-site.com</code>) to an explicitly allowed path (<code>/api/public-form</code>).</li> </ul> <h3> <strong>Blocked Requests (should fail with <code>403</code>):</strong> </h3> <ul> <li>Cross-origin submission from a non-whitelisted domain.</li> <li>Submission from an allowed origin (<code>https://trusted-site.com</code>) to a non-allowed path.</li> <li>Submissions from unlisted origins/domains.</li> </ul> <h2> ⚙️ <strong>Step 5: Integrate Using SvelteKit <code>sequence</code> Hook</strong> </h2> <p>Use SvelteKit’s built-in <code>sequence</code> function to combine your CSRF middleware with other hooks seamlessly.</p> <p>📂 <strong><code>src/hooks.server.ts</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/hooks.server.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">sequence</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@sveltejs/kit/hooks</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">csrf</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./hooks/csrf</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Initialize middleware with explicit allowed paths and origins</span> <span class="kd">const</span> <span class="nx">csrfProtection</span> <span class="o">=</span> <span class="nf">csrf</span><span class="p">(</span> <span class="p">[</span><span class="dl">'</span><span class="s1">/api/public-form</span><span class="dl">'</span><span class="p">],</span> <span class="c1">// paths exempt from CSRF protection</span> <span class="p">[</span><span class="dl">'</span><span class="s1">https://trusted-site.com</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">http://localhost:5173</span><span class="dl">'</span><span class="p">]</span> <span class="c1">// trusted cross-origin sites</span> <span class="p">);</span> <span class="c1">// Export the combined hook using SvelteKit’s 'sequence'</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">handle</span> <span class="o">=</span> <span class="nf">sequence</span><span class="p">(</span><span class="nf">csrf</span><span class="p">([</span><span class="dl">'</span><span class="s1">/api/public-form</span><span class="dl">'</span><span class="p">],</span> <span class="p">[</span><span class="dl">'</span><span class="s1">https://trusted-site.com</span><span class="dl">'</span><span class="p">]));</span> </code></pre> </div> <h2> ⚠️ <strong>Important Formatting Notes for Allowed Origins</strong> </h2> <p>When defining allowed origins, remember:</p> <p>✅ <strong>Correct Examples:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="p">[</span><span class="dl">'</span><span class="s1">https://trusted-site.com</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">http://localhost:5173</span><span class="dl">'</span><span class="p">]</span> </code></pre> </div> <p>❌ <strong>Incorrect Examples (these won't work!):</strong></p> <ul> <li>❌ No protocol: <code>'trusted-site.com'</code> </li> <li>❌ Wildcards not supported: <code>'*.example.com'</code> </li> <li>❌ Paths not allowed: <code>https://example.com/path</code> </li> </ul> <h2> 🎉 <strong>Summary &amp; Final Thoughts</strong> </h2> <p>You've successfully implemented <strong>custom CSRF protection</strong> in your SvelteKit application:</p> <ul> <li>✅ <strong>Custom middleware</strong> with explicit allowed origins and paths.</li> <li>✅ Flexible configuration via hooks.</li> <li>✅ Clear error messaging for blocked requests.</li> </ul> <p>This approach provides powerful protection against CSRF attacks without restricting legitimate cross-origin usage.</p> <p>Stay secure, and happy coding! 🚀✨</p> crsf sveltekit svelte xss