The latest articles on DEV Community by Chidera Anichebe (@starlingroot). https://dev.to/starlingroot https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1038605%2F44ca778d-3e39-443a-981f-019aa0444787.jpeg https://dev.to/starlingroot en Chidera Anichebe Sat, 04 Mar 2023 20:44:49 +0000 https://dev.to/starlingroot/helmetjs-and-swaggerui-avoiding-headaches-in-your-nodejs-app-29l3 https://dev.to/starlingroot/helmetjs-and-swaggerui-avoiding-headaches-in-your-nodejs-app-29l3 <p>As a Software Engineer, the importance of embracing Security-driven development cannot be overemphasized. If you realize how important this is, then you must have used one or more security middlewares such as HelmetJS. These tools work great until you introduce another such as Swagger UI to aid with API documentation.</p> <p>I have encountered some of these issues and thought it'd be helpful putting some tips out there so you don't end up commenting out <code>app.use(helmet())</code> at best 🙂</p> <h2> Tips </h2> <ol> <li><p>Always make sure to render the Swagger UI template before setting up the HelmetJS middleware to avoid issues like this:<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxq4uglt32ulxr4say4u1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxq4uglt32ulxr4say4u1.png" alt="Bunch of errors" width="800" height="192"></a></p></li> <li> <p>In most online references, this is how you set up a route to serve Swagger UI<br> </p> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">swaggerUi</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">swagger-ui-express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">swaggerDocument</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./swagger.json</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api-docs</span><span class="dl">'</span><span class="p">,</span> <span class="nx">swaggerUi</span><span class="p">.</span><span class="nx">serve</span><span class="p">,</span> <span class="nx">swaggerUi</span><span class="p">.</span><span class="nf">setup</span><span class="p">(</span><span class="nx">swaggerDocument</span><span class="p">));</span> </code></pre> <p>This would cause issues in your application as there's a difference between using <code>app.use</code> and an Express application routing method such as <code>app.get</code>. The former is used for requiring middleware and would match all routes that stem from the input route (tears if the input is <code>/</code>) irrespective of the HTTP verb. You'll find yourself sending POST requests to specific endpoints and getting back the HTML page of Swagger, not a good experience!</p> </li> <li><p>If you are going to be rendering some HTML page for some reason, ensure you use a templating engine such as ejs or pug to avoid getting screamed at like so:</p></li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3kh68xdazieszb1d6z3o.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3kh68xdazieszb1d6z3o.png" alt="Content-Security-Policy error" width="800" height="62"></a></p> <p>This happens because HelmetJS sets a couple of security headers by default, one of these headers is the <code>Content-Security-Policy</code> header which has a default value of <code>default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests</code> . This header aims to help mitigate Cross-Site-Scripting (XSS) attacks amongst other things and "safe" inline scripts need to have a SHA256 hash or a nonce to enable execution.</p> <p>To fix this, we will configure a templating engine (ejs in this case), generate a hash using the crypto package, and then set the <code>script-src</code> directive to <code>'self' 'nonce-{hash}'</code> like so:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="p">...</span> <span class="kd">const</span> <span class="nx">crypto</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">crypto</span><span class="dl">"</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">((</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">cspNonce</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">randomBytes</span><span class="p">(</span><span class="mi">16</span><span class="p">).</span><span class="nf">toString</span><span class="p">(</span><span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">);</span> <span class="nf">next</span><span class="p">();</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span> <span class="nx">helmet</span><span class="p">.</span><span class="nf">contentSecurityPolicy</span><span class="p">({</span> <span class="na">directives</span><span class="p">:</span> <span class="p">{</span> <span class="na">scriptSrc</span><span class="p">:</span> <span class="p">[(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="s2">`'nonce-</span><span class="p">${</span><span class="nx">res</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">cspNonce</span><span class="p">}</span><span class="s2">'`</span><span class="p">],</span> <span class="p">},</span> <span class="p">})</span> <span class="p">);</span> </code></pre> </div> <p>After setting the nonce, open up your ejs file and add set the nonce value on the script tag like so:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;script</span> <span class="na">nonce=</span><span class="s">"&lt;%= cspNonce %&gt;"</span><span class="nt">&gt;</span> const formElem = document.querySelector('#formElem'); formElem.onsubmit = async (e) =&gt; { e.preventDefault(); let url = window.location.href; ... </code></pre> </div> <p><strong>NB:</strong> Do ensure the variable names match, also, If you're going to be including external scripts such as Axios via CDN, ensure you add the nonce to the script tag as well</p> <p>Thanks for reading and I hope it does help you out, would update this as I encounter more issues. See ya at the next one! 💖</p> <h2> Further reading </h2> <ol> <li><p><a href="https://www.npmjs.com/package/swagger-ui-express" rel="noopener noreferrer">Swagger UI documentation</a></p></li> <li><p><a href="https://helmetjs.github.io/" rel="noopener noreferrer">HelmetJS documentation</a></p></li> </ol> typescript react productivity career