Open eranshmil opened 5 years ago
Security looks good to me, just a few comments: cors - https://github.com/botim/backend/blob/master/src/app.ts#L77 should we limit the origin to be twitter.com only ? The extension manifest already has cors settings so it's fine.
https://github.com/botim/backend/blob/master/src/app.ts#L82 - I think helmet takes care of this by default so it's redundant. Otherwise Helmet is used which is great
https://github.com/botim/backend/blob/master/src/security/authentication.ts#L23 - usually api keys are sent via headers, not request body. Can use the Authorization header or X-API header
XSS - Looks like input is being sanitized
SQL injection - queries are parametrized correctly
All looks :100: to me
cors - /src/app.ts@master#L77 should we limit the origin to be twitter.com only ? The extension manifest already has cors settings so it's fine.
The origin is chrome-extension://extension_id and the equivalent of Firefox. I'll check if that's working, but I'm not quite sure if the current id of the dev version will be the same in the store.
/src/security/authentication.ts@master#L23 - usually api keys are sent via headers, not request body. Can use the Authorization header or X-API header
Agree. Will be changed.
SQL injection - queries are parametrized correctly
Is that enough?
All looks 💯 to me
Thanks for your feedback!
@yuvadm @noam-r
Which best practices should we use in order to make the server more secure?
We should also monitor our repositories using https://snyk.io