DEV Community: Siddharth Udeniya

How to become a Backend Developer in 2021?

Siddharth Udeniya — Fri, 14 May 2021 08:55:31 +0000

Hi Reader! Thanks for the great reaction to my previous post

I have started publishing my learnings recently and wish to start a personal blog soon but till then you can always follow me here on dev.to and on Twitter to keep yourself updated with them (my learnings).

Now coming to the post, I stumbled upon this link and thought I will share it with you guys. Do check it.

I plan to cover most of the parts mentioned in that link step by step in different series. Already started with Node and will start databases soon. I have also started a series for folks who know Node.js and want to learn Golang.

Let me know in the comments what else do you want me to prioritize!!

Till then, stay safe & take care.

Why do you need Helmet in NodeJs ?

Siddharth Udeniya — Mon, 10 May 2021 05:27:49 +0000

Helmet helps you secure your Express apps by setting various HTTP headers. It's not a silver bullet, but it can help!

These are the lines written on top of the npm's helmet page.

Most of you might have come across this code app.use(helmet()) in your codebase/boilerplates. Let's dive deep into helmet today.

In simple words, Helmet adds/secures HTTP headers returned by your express app.

Most of the newbie devs tend to ignore this (secured HTTP headers).

helmet() is a wrapper around 15 middlewares, 11 of them are used by default with preset settings.

Let's see those 11 headers in detail:

Content-Security-Policy

Used for mitigating XSS Attacks. Helps control what domain/subdomain, which protocol, what kind of media should talk to the server.
helmet.contentSecurityPolicy();
X-DNS-Prefetch-Control

As the name of this header suggests, the browser tries to resolve DNS while (in parallel) loading the page content. DNS resolution for what? - For the links, images, etc referenced on the page which is being loaded. Prefetching occurs in the background. Helps reduce latency. By default, helmet sets this as off.
helmet.dnsPrefetchControl(options)
Expect-CT

CT in this header stands for Certificate Transparency. Catch that misissued certificate on that site.
helmet.expectCt()
X-Frame-Options

A well-known header to prevent clickjacking up to a certain extent. Gets overridden by frame-ancestors directive of Content Security Policy header.
helmet.frameguard();
X-Powered-By

This headers makes very less difference even if turned off. Set to express by default in Express framework.
helmet.hidePoweredBy()
Strict-Transport-Security

or HSTS in short, tells browsers that the website should only be accessible via HTTP(S) protocol. No HTTP please! Takes one mandatory param max-age (which is 180 days in helmet) and 2 optional params includeSubDomains (defaults to true) & preload (defaults to false) in options.
helmet.hsts(options)
X-Download-Options

Specific to Internet Explorer, this header forces potentially unsafe files and instead downloads them directly, thus preventing script injections since the file is no longer opened in the security context of the site.
helmet.ieNoOpen()
X-Content-Type-Options

helmet.noSniff sets the X-Content-Type-Options header to nosniff. Browsers in some cases try to guess the MIME types by looking at bytes of resources shared by the server. Hey Browser! Don't do that. That's MIME sniffing. Let me give you a nosniff in the Content Type Options.
helmet.noSniff()
X-Permitted-Cross-Domain-Policies

Ah! That's a little tricky. Check this article for a detailed description.
helmet.permittedCrossDomainPolicies(options)
Referrer-Policy

Server dictates what all referrer information it needs in the Referer (Oh yeah! That's a misspell) header via Referrer-Policy header. It defaults to no-referrer in case of using helmet.
helmet.referrerPolicy(options)
X-XSS-Protection

Oh, Stop! I detected an xss attack.
If it's 0 - Disables XSS filtering.
If it's 1 - Enables XSS filtering. sanitize and then load if XSS is detected.
If it's 1; mode=block - Enables XSS filtering. Do not sanitize, just stop the rendering altogether.
helmet.xssFilter()

So that was all about the 11 default headers Helmet sets. A snippet from Helmet's NPM Page:

From Node to Go | Part 1

Siddharth Udeniya — Sun, 09 May 2021 14:20:48 +0000

Hi Reader! Welcome to the From Node to Go series.

This series is basically for all the Node.js developers who want to switch to or learn Golang. But since I am starting this from very very basics of Nodejs as well, this can be used to learn web dev in Node.js as well.

PRE-REQUISITE for this series: You should know how to run node and go programs and you know the basics of Go. If not, I would recommend doing a quick walk through here (Excellent stuff)

2 - in - 1 !! Oh Yeah!

END-GOAL of this series: Writing microservices in Go! with all the jargon like Auth, Async Communication, etc included.

In this part, we will be focusing on creating a simple HTTP server in Node (NO EXPRESS, just plain simple Node.js) and Golang.

So let's dive in.

Creating HTTP server in Nodejs is simple. You import the HTTP module and call createServer function. .listen tells you on which port you want your HTTP server to listen to.

var http = require('http');

http.createServer(function (req, res) {
  res.write('Hello World!'); 
  res.end(); 
}).listen(8080);

Now go to your browser and open http://localhost:8080/, you should be able to see the Hello World message there.

Now let's do the same thing in Golang.

package main

import (
    "fmt"
    "net/http"
)

func main() {
    http.HandleFunc("/", HelloWorld)
    http.ListenAndServe(":8081", nil)
}

//HelloWorld Handler
func HelloWorld(w http.ResponseWriter, r *http.Request) {
    fmt.Fprintf(w, "Hello, World!")
}

Run this go program and now go to your browser and open http://localhost:8081/, you should be able to see the Hello World message there.

We imported 2 packages:
fmt: Format I/O (For further reading: fmt package)
net/http: Importing HTTP package which is a sub-package inside net package (does all the networking stuff) (For further reading HTTP package)

Define a handler function for the particular route - We defined HelloWorld handler here.

In ListenAndServe function we passed the address and nil, we will discuss this nil in the next part of this series.

The HTTP Handler takes 2 arguments here

An object of type ResponseWriter which is an interface in Go (For further reading: ResponseWriter
A pointer to Request which is a struct in Golang (For further reading: Request)

You should probably be having this question in mind right now!

So that's it. That's how you create a plain simple HTTP server in Node and Golang. Stay tuned for the next parts.

DEV Community: Siddharth Udeniya

How to become a Backend Developer in 2021?

Why do you need Helmet in NodeJs ?

`Content-Security-Policy`

`X-DNS-Prefetch-Control`

`Expect-CT`

`X-Frame-Options`

`X-Powered-By`

`Strict-Transport-Security`

`X-Download-Options`

`X-Content-Type-Options`

`X-Permitted-Cross-Domain-Policies`

`Referrer-Policy`

`X-XSS-Protection`

From Node to Go | Part 1