keystonejs / keystone-classic

Node.js CMS and web app framework
http://v4.keystonejs.com
MIT License
14.64k stars, 2.2k forks

Need help with security issues #1425

Open ownyo opened 9 years ago

ownyo commented 9 years ago

Hello, I recently ran a security test on my web application and it pointed me to some risks. I am mainly missing some HTTP headers:

Can somebody tell me how and where I can add those headers? Playing with the .htaccess didn't work. Thanks in advance :)

morenoh149 commented 9 years ago

http://expressjs.com/4x/api.html#res.append ?

dcousens commented 9 years ago

@ownyo perhaps use https://www.npmjs.com/package/helmet as an extra middleware?

webteckie commented 9 years ago

@dcousens not sure that's what you are implying, but wouldn't keystonejs benefit from that helmet package to provide that security right out of the box? It would have to expose its configuration.

VinayaSathyanarayana commented 8 years ago

What are the plans to use helmet and the security best practices recommended for express applications at http://expressjs.com/en/advanced/best-practice-security.html?

Also please run http://cyh.herokuapp.com/cyh. When I run the above on www.sydjs.com and demo.keystonejs.com, it shows a number of items to act upon.

Your views please: @JedWatson @webteckie @jstockwin

jstockwin commented 8 years ago

This isn't an area I really know anything about, so will leave it to the other guys to comment.

r3wt commented 8 years ago

@jstockwin I know quite a bit about it. Personally I just place the node(s) behind nginx to solve this (as well as serving the static files for the node app, as it's much faster than node and frees node to do the important stuff), but I think it could make sense to optionally include helmet in keystone, and have it configurable via set or init. The question is: on or off by default? I'm a fan of on by default as it's probably the safest bet for less experienced developers. I have a feeling Jed will want to weigh in on this a bit more. Anyone who wants to read up about helmet can do so here: https://www.npmjs.com/package/helmet
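The thread asks where the missing headers get set (the original question and the res.append / helmet suggestions) and how a scanner like the one linked above decides what is missing. The block below is an added example, not code from this thread or from the keystone project: a minimal Express-style middleware that sets the headers such scanners commonly flag, plus a checker that reports which of them a response still lacks. The header set, the `securityHeaders`, `missingSecurityHeaders`, `mockResponse` and `demo` names, and the mock response object are all constructed for this example; in a real app the helmet package does this work with more care and more options.

```javascript
// Added example (not from the thread or the keystone project): an Express-style
// middleware that applies a baseline set of security response headers, and a
// checker that lists which of those headers a response is missing.

// Baseline headers, constructed for this example. Values are deliberately
// conservative; CSP in particular must be tuned to what the app actually loads.
const SECURITY_HEADERS = {
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'SAMEORIGIN',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'Content-Security-Policy': "default-src 'self'",
  'Referrer-Policy': 'no-referrer',
};

// Returns (req, res, next) middleware. Headers already set by the app win over
// the defaults, so a route can override one without disabling the rest.
function securityHeaders(options = {}) {
  const headers = Object.assign({}, SECURITY_HEADERS, options.headers || {});
  return function (req, res, next) {
    // Express advertises itself by default; dropping it removes a free fingerprint.
    res.removeHeader('X-Powered-By');
    for (const [name, value] of Object.entries(headers)) {
      if (!res.getHeader(name)) res.setHeader(name, value);
    }
    next();
  };
}

// Given a header map (as a scanner or test would see it), return the names from
// the baseline that are absent. Header names are compared case-insensitively.
function missingSecurityHeaders(responseHeaders) {
  const present = new Set(Object.keys(responseHeaders).map((h) => h.toLowerCase()));
  return Object.keys(SECURITY_HEADERS).filter((h) => !present.has(h.toLowerCase()));
}

// Mock response with the three header methods the middleware uses, so the
// example runs offline without Express. Constructed for this example.
function mockResponse(initial = {}) {
  const headers = {};
  for (const [k, v] of Object.entries(initial)) headers[k.toLowerCase()] = v;
  return {
    getHeader: (name) => headers[name.toLowerCase()],
    setHeader: (name, value) => { headers[name.toLowerCase()] = value; },
    removeHeader: (name) => { delete headers[name.toLowerCase()]; },
    headers,
  };
}

// Runs a bare Express-like response through the middleware and reports the
// scanner view before and after.
function demo() {
  const res = mockResponse({ 'X-Powered-By': 'Express' });
  const before = missingSecurityHeaders(res.headers);
  securityHeaders()({}, res, () => {});
  const after = missingSecurityHeaders(res.headers);
  return { before, after, poweredBy: res.getHeader('X-Powered-By') };
}

// Usage in an Express app: app.use(securityHeaders());
// In a Keystone 4 app the same function can be registered before the routes
// with keystone.pre('routes', securityHeaders());
```

Running `demo()` shows all five baseline headers missing before the middleware and none after, with `X-Powered-By` gone. The checker is the same idea as the hosted scanners mentioned in the thread, so it can run in a test suite against the app's own responses rather than only against a deployed site.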

creynders commented 8 years ago

I agree with @r3wt: on by default. People who'll have the need to turn it off will know how anyway.

Sidetrack: someone cough npm cough needs to come up with a good solution for really optional dependencies... I really REALLY really wish an alternative would pop up, npm sucks big balls.

VinayaSathyanarayana commented 8 years ago

I ran OWASP ZAP on demo.keystonejs.com and got the following results. Please download the file and rename it to .html to see the results.

ksdemo1html.txt

VinayaSathyanarayana commented 8 years ago

We should include nsp check as part of the build process.

VinayaSathyanarayana commented 8 years ago

Any update on including helmet?