aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMatt Strapp <matt@mattstrapp.net>2022-02-14 20:39:37 -0600
committerMatt Strapp <matt@mattstrapp.net>2022-02-14 20:41:59 -0600
commit84bf2fe74a2ec2e932cd5084bd995c7b55300629 (patch)
tree91297df22acd942ee6c35d5ec0a1ed67866b797b
parentRemove redundant rate limiter (diff)
downloadee4511w-web-84bf2fe74a2ec2e932cd5084bd995c7b55300629.tar
ee4511w-web-84bf2fe74a2ec2e932cd5084bd995c7b55300629.tar.gz
ee4511w-web-84bf2fe74a2ec2e932cd5084bd995c7b55300629.tar.bz2
ee4511w-web-84bf2fe74a2ec2e932cd5084bd995c7b55300629.tar.lz
ee4511w-web-84bf2fe74a2ec2e932cd5084bd995c7b55300629.tar.xz
ee4511w-web-84bf2fe74a2ec2e932cd5084bd995c7b55300629.tar.zst
ee4511w-web-84bf2fe74a2ec2e932cd5084bd995c7b55300629.zip
Reorder middleware for "security"
Signed-off-by: Matt Strapp <matt@mattstrapp.net>
Diffstat (limited to '')
-rw-r--r--src/index.ts14
-rw-r--r--src/routes/api.ts13
2 files changed, 14 insertions, 13 deletions
diff --git a/src/index.ts b/src/index.ts
index 1bf018f..385aecc 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -12,6 +12,13 @@ const app = express();
/* MIDDLEWARE */
+// Hide the software being used (helps security)
+app.use(helmet());
+
+// CSRF protection
+app.use(cookieParser());
+const csrf = csurf({ cookie: true });
+
// Rate limiting
const rateLimiter = rateLimit({
windowMs: 1 * 60 * 1000, // 1 minute
@@ -21,13 +28,6 @@ const rateLimiter = rateLimit({
});
app.use(rateLimiter);
-// CSRF protection
-app.use(cookieParser());
-const csrf = csurf({ cookie: true });
-
-
-// Hide the software being used (helps security)
-app.use(helmet());
// The API
app.use('/api/v1/', api);
diff --git a/src/routes/api.ts b/src/routes/api.ts
index 4d55626..ab0ff26 100644
--- a/src/routes/api.ts
+++ b/src/routes/api.ts
@@ -11,6 +11,12 @@ import { spawn } from 'child_process';
const api = express.Router();
+// Use JSON parser for API requests and responses
+api.use(express.json());
+// CSRF protection
+api.use(cookieParser());
+const csrf = csurf({ cookie: true });
+
// For file uploads
api.use(fileUpload({
preserveExtension: true, // Preserve file extension on upload
@@ -21,12 +27,6 @@ api.use(fileUpload({
debug: false, // Log debug information
}));
-// CSRF protection
-api.use(cookieParser());
-const csrf = csurf({ cookie: true });
-
-// Use JSON parser for API requests and responses
-api.use(express.json());
/*
Upload a file to the server
@@ -101,6 +101,7 @@ api.route('/upload')
*/
api.route('/actuate')
+ // Snyk error mitigation, should be fine since the rate limiting is already in place
// file deepcode ignore NoRateLimitingForExpensiveWebOperation: This is already rate limited by the website, so we don't need to do it again
.post(csrf, async (req: Request, res: Response) => {
// Make sure the file being requested to run exists