DEV Community

Mitesh Kamat

Securing an Express.js server

Introduction

This post is about securing your Express.js application from network attacks.

Once you have finished developing an application that runs on a Node.js server, the next task is deploying it to production, or at least making it production-ready.

The first and most vital question that comes to mind is: how secure is our application? Are the API requests made through the application secure? Are secret keys, tokens and other sensitive data protected well enough?

The Express.js documentation covers all these questions here.

It lists the options we should enable, along with other recommendations.

In my case, I made use of Helmet, an npm package that hardens our routes by setting a collection of security-related HTTP response headers.
You can also customize the Content-Security-Policy header to suit your needs.

const express = require('express');
const helmet = require('helmet');

const app = express();

// Tell the browser where each kind of resource may be loaded from.
app.use(helmet.contentSecurityPolicy({
  directives: {
    defaultSrc: ["'self'"],                          // fallback for any directive not listed below
    styleSrc: ["'self'", 'maxcdn.bootstrapcdn.com'], // stylesheets from this origin and the CDN only
    scriptSrc: ["'none'"],                           // no scripts from anywhere
    imgSrc: ["'none'"],                              // no images
    fontSrc: ["'none'"],                             // no web fonts
  }
}))

As the options above show, you can specify the allowed sources for your images, fonts, scripts, styles and so on, and the browser refuses to load those resources from anywhere else. This surely adds a layer of security.
Refer to this for contentSecurityPolicy.
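The header the browser actually receives from a directives object like the one above, as an added example that is not part of the original post or of Helmet itself: a stand-alone re-implementation of the directive-to-header serialisation plus a small lint for settings that weaken a policy, so it runs without Express or Helmet installed.

```javascript
// Added example (not from the original post, not Helmet's own code): shows the
// Content-Security-Policy header value a directives object becomes and flags
// values that weaken the policy. buildCsp mirrors Helmet's serialisation
// (camelCase key -> kebab-case directive, sources joined by spaces, "; " between directives).

function toDirectiveName(key) {
  // defaultSrc -> default-src
  return key.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase());
}

function buildCsp(directives) {
  return Object.entries(directives)
    .map(([key, sources]) => [toDirectiveName(key), ...sources].join(' '))
    .join('; ');
}

// Returns human-readable findings; an empty array means nothing weak was found.
function lintCsp(directives) {
  const findings = [];
  for (const [key, sources] of Object.entries(directives)) {
    const name = toDirectiveName(key);
    for (const src of sources) {
      // Keywords must keep their single quotes: a bare self or none is read
      // by the browser as a host name and silently never matches.
      if (src === 'self' || src === 'none') {
        findings.push(`${name}: "${src}" must be written as '${src}'`);
      }
      if (src === "'unsafe-inline'" || src === "'unsafe-eval'") {
        findings.push(`${name}: ${src} re-enables inline or eval'd code`);
      }
      if (src === '*') findings.push(`${name}: wildcard allows any origin`);
    }
  }
  if (!('defaultSrc' in directives)) {
    findings.push('default-src: missing, unlisted resource types are unrestricted');
  }
  return findings;
}

// The policy from the post, constructed here as sample input.
const postPolicy = {
  defaultSrc: ["'self'"],
  styleSrc: ["'self'", 'maxcdn.bootstrapcdn.com'],
  scriptSrc: ["'none'"],
  imgSrc: ["'none'"],
  fontSrc: ["'none'"],
};
console.log(buildCsp(postPolicy));
console.log(lintCsp(postPolicy)); // [] for the policy above
```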

I am sure it will help you in some way.

Cheers !!!
